Keeping IT safe in the cloud

Say “outage” to a retail IT department, and they’ll likely talk about lost revenue, salvaging brand reputation, and restoring consumer trust. Mention “breach” to an e-commerce IT team, and the conversation might shift to avoiding PCI fines. But bring up either term with healthcare IT staff, and the response will be vastly different—focused on saving lives.

Disasters, outages, and breaches are detrimental to any organization. However, in healthcare, cloud security isn’t just about protecting sensitive personal information; it’s about ensuring the availability of critical medical data that could mean the difference between life and death. Imagine a consultant who suffers an accident or heart attack while traveling and becomes unresponsive. Access to his medical history could enable hospital staff to save his life. While this might seem like an extreme scenario, the impact of an outage on patient care can be severe. Missing test results, allergy information, or even patient identity mix-ups and conflicting medications can all lead to tragic outcomes.

This underscores the fact that while high performance is essential for all healthcare cloud systems, disaster preparedness is even more crucial. Meeting HIPAA compliance standards and FDA regulations is just one aspect of cloud security for healthcare providers. Critical systems must remain operational and accessible, even during a large-scale failure. Given that major brands like Amazon, Microsoft, and Google have all experienced outages this year, it’s clear that every organization must ensure their business continuity and disaster recovery (BCDR) plans are robust.

The silver lining is that the cloud’s virtualized infrastructure can actually help maintain uptime and reliability—if you follow these three steps:

Assess Your Risk

Risk assessments are mandatory for protecting electronic health information, yet a 2012 Office of Civil Rights audit revealed that many healthcare organizations and their vendors fail to conduct them. If you’re not regularly performing these evaluations, start by identifying potential threats to your information systems. Consider not only malicious human attacks but also natural disasters like floods or earthquakes and power outages.

After evaluating the likelihood of these threats and their potential impact on your cloud environment, implement any necessary corrective actions. Be thorough in your assessment, analyzing all security policies and architectural vulnerabilities related to storage and backup, encryption, and data authentication and transmission. This proactive approach can go a long way in preventing service disruptions.

Be a Detective

One harsh reality of breaches is that many go undetected for months, giving hackers ample time to penetrate systems and collect data. Cybercriminals are unpredictable, using various methods like malware, stolen credentials, or misused privileges. That’s why a strong detection system is crucial—to stop attacks before they escalate from bad to catastrophic.

To achieve this, set up alerts for anomalies such as brute force attempts, abnormal web application requests, or unusual spikes in traffic. Proactive monitoring, scanning, and remediation can strengthen your security posture, along with automatic countermeasures that stop further attacks while engineers investigate the alert. Third-party security data on malicious domains, advanced persistent threats, and similar concerns can also enhance your security model. Additionally, collecting and analyzing data trends at a macro level can help identify breaches early on.

Protect Business Continuity

Maintaining uptime is the cornerstone of any healthcare disaster prevention plan. Whether your organization faces an external incident or an internal crisis, your cloud infrastructure must be configured to ensure continuity, keeping healthcare data accessible while safeguarding other personal information like insurance or identification data.

Evaluate your organization’s tolerance for downtime (recovery time objective or RTO) and data loss (recovery point objective or RPO), and ensure that your BCDR plan meets these requirements.

There are various ways to safeguard against disaster, from basic data replication to warm failover sites or fully redundant, load-balanced environments. Balancing your RTO and RPO against the costs associated with these options will help you find the optimal solution for your organization. For systems handling the most critical healthcare information, maximum failure resiliency is essential to keep the system and data available. This requires two or more geographically dispersed production environments, with real-time or near-real-time data replication. DNS Traffic Management or Advanced Traffic Management platforms can provide the necessary load balancing, ensuring that a failed environment doesn’t continue to serve traffic.

Finally, don’t overlook the importance of including any vendors handling protected health information in your disaster prevention plan. Just as you would verify their compliance efforts and cloud performance, ensure your vendor has a BCDR plan that will keep your systems available and reliable. Preparation and foresight are at the heart of all effective disaster prevention strategies, and laying this groundwork now will protect both your cloud infrastructure and your patients’ lives.