The European Union Agency for Cybersecurity (ENISA) has published its latest report called 'Cloud Security for Healthcare Services' which provides a set of tips and good practices on data security and protection when using services in the cloud in the healthcare field.
The COVID-19 pandemic has accelerated the adoption of cloud-based technology in the healthcare industry, especially in telemedicine, medical consultations and artificial intelligence for triage purposes. Integrating these cloud computing services increases operational efficiency but also raises security and data protection concerns. The purpose of the report is to help ensure the security (both cybersecurity and data protection) of cloud solutions for health services.
Cloud solutions in the healthcare field
There are different types of cloud services: IaaS (infrastructure as a service), where the provider supplies online computing resources; PaaS (platform as a service), where servers are delivered ready to run customer applications; and SaaS (software as a service), where the provider delivers web applications directly to customers. The deployment model for these solutions can in turn be classified as private, public, hybrid or governmental cloud.
Specifically in the healthcare field, a growing range of cloud solutions is available, and they can be deployed using any of the service types and deployment models described above. The most important ones are listed below with a brief description of their features:
- Enterprise resource planning (ERP) systems: these systems help manage patients, inventory, health insurance, human resources and other non-clinical data.
- Health Information Systems (HIS): used to manage patient health data (records, images, videos, etc.). Related cloud services: electronic health records, image archiving and communication systems, radiological information systems, laboratory information systems, clinical decision support, or remote patient monitoring.
- Health data analysis: artificial intelligence and machine learning are used in healthcare to support medical research, diagnosis, data analysis, treatment recommendations, or patient engagement.
- Medical devices: these enable patients to measure, for example, their heart rate or insulin levels from home, while the data is sent directly to healthcare professionals, allowing them to track treatment or schedule an appointment.
- Telemedicine services: a health service provided through telecommunications technology. Areas of application include teleconsultation and telephone support through videoconferencing tools.
Cybersecurity and data protection considerations
The main challenges and barriers to the cybersecurity and data protection of these cloud-based health services include: a lack of trust in cloud solutions, a lack of security and technical expertise, the currently low investment in cybersecurity, the lack of both European and national legislation in this area, the difficulty suppliers face in identifying legal requirements, and the complexity of integrating the cloud with legacy systems.
These are the most common data protection challenges when deploying these types of services:
- Privacy by design and default: the GDPR establishes a legal requirement to follow a privacy by design and by default approach when developing and deploying the service. Techniques such as data minimization, pseudonymization, transparency and control of personal data by the data subjects are recommended to meet this requirement, which also includes the mandatory performance of Data Protection Impact Assessments (DPIA).
- Data management: depending on the type of cloud service, input information can come from a variety of sources, so the legitimacy of the processing should always be established and controls put in place to ensure accuracy. Organizations need to establish their own data governance framework to understand which types of data are most sensitive and then apply the required controls.
- Data erasure: the erasure of data must be possible after the expiration of the retention period, but also at the request of the data subject without undue delay, if for example the data is no longer necessary for the initial purposes or if the subject withdraws consent.
- Data portability: transferring data from one provider to another without loss is one of the most common challenges in cloud computing. In the healthcare sector there are standards (such as HL7) to ensure interoperability.
- Encryption: it is important to ensure the confidentiality and integrity of data across all transfer and storage channels. Encryption measures must be applied at both the client and server level, as well as to the channel that connects them.
Meanwhile, the most common cybersecurity threats are:
- Natural phenomena.
- Supply chain failures (cloud service providers, network).
- Human error (unauthorized access to data, disregard for the rules, unintentional changes, errors by service administrators).
- Malicious actions (malware, hijacking, phishing, denial of service, abuse of cloud computing resources, interception of data in transit, attacks on mobile applications, internal threats, insecure interfaces).
- System crashes (hardware, software, configuration, maintenance, network).
Cloud security measures in health services
This section provides a set of guidelines and measures to ensure cybersecurity and data protection for customers of cloud services in the healthcare industry:
- Involve the necessary stakeholders (DPO, legal department, ICT, risk, etc.) in the procurement process. The requirements specified in the procurement must ensure compliance with the regulations.
- Conduct a risk assessment in accordance with national guidelines or following a known methodology to identify cybersecurity and data protection threats and risks (DPIA) for new cloud services and assess the impact on the overall security risk.
- Select suppliers who offer sufficient guarantees that they will apply the appropriate technical and organizational measures, so that the processing complies with the requirements of the data protection regulations and guarantees the protection of the rights of the data subject, including:
- Ensuring there is a response plan to define the actions to be taken in the event the service provider experiences a security incident (the latter must have a process in place to manage security incidents in accordance with European or national legislation).
- Ensuring that the service provider notifies in advance any scheduled downtime (e.g. for maintenance).
- Deletion of the data from the cloud service provider (and a return of the data if necessary), immediately after the end of the contractual agreement or if the limitation of the data retention period is reached.
- Defining requirements for logs and verifying whether the cloud service provider meets them.
- Identifying the scope of responsibility for managing technical vulnerabilities and the management of patches. Determining and configuring processes for management of vulnerabilities.
- Including information and assets stored in the cloud environment in the asset inventory. Indicating where data is stored and monitoring and recording any changes to the assets.
- Ensuring that data at the cloud service provider's location is encrypted throughout the data lifecycle (creation, storage, use, sharing, archiving, and deletion).
- Defining security requirements and procedures for the management of passwords.
- Ensuring that all data is provided in a standard format at the request of the cloud service provider.
- Identifying all the devices such as laptops, mobile devices, medical devices, etc. used by staff connecting to the cloud service.
- Ensuring that access policies specify security requirements for data access, application interfaces, systems, and the network for each cloud service.
- Establishing an awareness and training programme, delivered regularly to defined target groups, for all actors dealing with sensitive data such as electronic health records or medical diagnoses.
- Ensuring that traffic from unreliable and untrusted connections into network environments and virtual instances is restricted and monitored.
- Ensuring that the provider applies appropriate segmentation for: data, applications (physical and virtual), infrastructure and network between different tenants to restrict access to each other's resources.
Data protection risks
The Spanish Data Protection Agency (AEPD), in its 'Technologies and Data Protection in Public Administration' guide, analyses a set of technologies and indicates the data protection risks that public administrations, as data controllers, must take into account when incorporating them in support of the processing they carry out.
Specifically, on cloud computing, it emphasizes the following points:
- Contracting a cloud service does not shift the security management obligations away from the data controller: it is always up to the data controller to make decisions on data protection requirements, which must comply with those set out in Article 32 of the GDPR.
- In order to avoid a breach of data protection regulations, the controller must choose a processor who offers guarantees, contractually providing the instructions and ways to proceed when carrying out personal data processing.
- The public administration must also manage the risks in the event that the cloud provider decides to discontinue the service or change the conditions under which it is provided, as well as the legal risk involved through potential regulatory changes or others that prevent the use of the services. In this regard, measures and contingency plans for the migration of services to other systems must be drawn up.
- In the event of a security breach, the controller must urgently implement a series of mechanisms and notify the Data Protection Agency within 72 hours with the information available at that time. The Agency may order the controller to notify the affected users so that they can take security and protection measures.
- When planning the processing, the controller must evaluate the incorporation and application of data minimization mechanisms according to the risk involved, limit the distribution of the data, only upload anonymized or pseudonymized data to the cloud, and use homomorphic encryption, etc.
- It is also important that controllers formally analyse and rigorously assess the risks of re-identification, as well as the level of maturity of the anonymization processes used by the organization.