The European Union Agency for Cybersecurity (ENISA) has published its latest report called ‘Cloud Security for Healthcare Services’ which provides a set of tips and good practices on data security and protection when using services in the cloud in the healthcare field.
Introduction
The COVID-19 pandemic has promoted the increased use of cloud-based technology in the healthcare industry, especially in telemedicine, medical consultations and artificial intelligence for triage purposes. The integration of these cloud computing services into the industry increases operational efficiency but also raises security and data protection concerns. The purpose of this report is to help ensure the security (both in the field of cybersecurity and in the field of data protection) of cloud solutions for health services.
Cloud solutions in the healthcare field
There are different types of cloud services: IaaS or infrastructure as a service, where the provider provides online computing resources, PaaS or platform as a service, where servers are provided ready to run client applications, SaaS or software as a service, where the provider delivers web applications directly to clients. Meanwhile, the deployment model for these solutions can be classified according to whether the cloud is private, public, hybrid or governmental.
Specifically in the healthcare field, there are more and more types of solutions in the cloud, which can be deployed in the different types of services and models described. The most important ones are indicated below with a brief description of their features:
Cybersecurity and data protection considerations
The main challenges and barriers related to cybersecurity and data protection of the aforementioned cloud-based health services are detailed below; these include the lack of trust in cloud solutions, the lack of security and technical knowledge, the current low investment in cybersecurity, the lack of both European and national legislation in this area, the difficulty of suppliers to identify legal requirements and the complicated integration of the cloud with legacy systems.
These are the most common data protection challenges when deploying these types of services:
Meanwhile, the most common threats to cybersecurity are: natural phenomena, supply chain failures (cloud service providers, network), human error (unauthorized access to data, disregard for the rules, unintentional changes, errors by service administrators), malicious actions (malware, hijacking, phishing, denial of service, abuse of cloud computing resources, interception of data in transit, attacks on mobile applications, internal threats, insecure interfaces), crashes of the system (hardware, software, configuration, maintenance, network).
Cloud security measures in health services
This section provides a set of guidelines and measures to ensure cybersecurity and data protection for customers of cloud services in the healthcare industry:
– Ensuring there is a response plan to define the actions to be taken in the event the service provider experiences a security incident (the latter must have a process in place to manage security incidents in accordance with European or national legislation).
– Ensuring that the service provider notifies in advance any scheduled downtime (e.g. for maintenance).
– Deletion of the data from the cloud service provider (and a return of the data if necessary), immediately after the end of the contractual agreement or if the limitation of the data retention period is reached.
– Defining requirements for logs and verifying whether the cloud service provider meets them.
– Identifying the scope of responsibility for managing technical vulnerabilities and the management of patches. Determining and configuring processes for management of vulnerabilities.
– Including information and assets stored in the cloud environment in the asset inventory. Indicating where data is stored and monitoring and recording any changes to the assets.
– Ensuring that data at the cloud service provider’s location is encrypted throughout the data lifecycle (creation, storage, use, sharing, archiving, and deletion).
– Defining security requirements and procedures for the management of passwords.
– Ensuring that all data is provided in a standard format at the request of the cloud service provider.
– Identifying all the devices such as laptops, mobile devices, medical devices, etc. used by staff connecting to the cloud service.
– Ensuring that access policies specify security requirements for data access, application interfaces, systems, and the network for each cloud service.
– Establishing an awareness and training programme aimed at regular recipient groups for all actors dealing with sensitive data such as electronic health records or medical diagnoses.
– Ensuring that traffic between unreliable and untrusted connections in network environments and virtual instances is restricted and monitored.
– Ensuring that the provider applies appropriate segmentation for: data, applications (physical and virtual), infrastructure and network between different tenants to restrict access to each other’s resources.
Data protection risks
The Spanish Data Protection Agency (AEPD), in its ‘Technologies and Data Protection in Public Administration’ guide, analyses a set of technologies indicating the data protection risks that public administrations, as data controllers, must take this into account when incorporating them in support of the processing they carry out.
Specifically, on cloud computing, it emphasizes the following points:
For more information:
– https://www.enisa.europa.eu/publications/cloud-security-for-healthcare-services
– https://ticsalutsocial.cat/dpd-salut/avaluacio-dimpacte-relativa-a-la-proteccio-de-dades-aipd-en-salut/
– https://www.aepd.es/es/media/guias/guia-tecnologias-admin-digital.pdf
Subscriu-te i rep cada mes novetats i notícies al teu email