With the proliferation of new healthcare cloud applications, IT security professionals are challenged with unique security and compliance requirements. Read how healthcare organizations are securing their modern cloud application workloads while maintaining control over their compliance posture.
This article includes:
- Strategies for securing modern application workloads
- Considerations for maintaining compliance
- Methodologies for automating security
The cloud has advanced patient care tremendously, optimizing healthcare information exchanges to connect inter and intra healthcare networks. The security and availability of these exchanges become even more critical with increased mergers taking place in the healthcare industry, creating a mass expansion in geography and demand, and the need for real-time data and continuous security. Furthermore, with the increased costs of healthcare IT infrastructure, newer cloud models create cost-effective means to scale operations through a connected cloud to reduce expenses and improve efficiency.
Securing Modern Cloud Workloads in Healthcare
The healthcare industry has always been more cautious when it comes to new deployment mechanisms, especially when they involve the cloud. While one appreciates all of the benefits the cloud offers, its priority is safeguarding patient private data and records. However, this is balanced with the need for expedited, consolidated, and always available patient care data, and the easiest way to do this is by leveraging the cloud. What compounds this and makes the transition more challenging is the rules and regulatory fines that are imposed by HIPAA—in some cases, amounting to over $1 Million per incident. This leaves healthcare organizations and medical technologists in a quandary. The secret is to evolve the security approach, and better yet, automate the security protocol to ensure patient protection, application security, and compliance.
Healthcare Migration to the Modern Cloud
The rapid proliferation of medical and health technologies that consumers can interact with is quickly driving healthcare and medical technology providers into the public cloud, and specifically to new application workloads, including serverless and container architectures. For many healthcare and medical technology use cases, modern workload architectures are an excellent architecture choice, for several reasons:
- Healthcare and medical applications often require large scale and high-availability. Serverless and container workloads make building and operating large-scale, highly-available applications much easier and less costly. For instance, pharmacies have mobile or online applications to process prescription requests that require on-demand scalability. On the other hand, EMR software applications used within the hospitals’ network can be broken out into containers for greater efficiency and security.
- Compliance and data privacy protection are often critical to healthcare technology solutions. Moving to workload architectures can help application developers create even greater robust designs with nano-requirements to enhance security and privacy restrictions.
However, the migration to modern workloads creates new challenges and opportunities for healthcare and medical solutions—and as mentioned, they must be HIPAA compliant. Medical technology providers need to understand the various nuances to address security and compliance requirements, including:
- Medical applications deployed on a public cloud leveraging serverless or container services have stringent compliance requirements, such as HIPAA and GDPR. Healthcare organizations need to meet these compliance regulations following the design of the workload deployed and enable proper certification and auditing calls for clear security controls across the entire lifecycle of the application, from development to production.
- Healthcare cloud services can comprise hundreds of serverless functions or several containers in a micro-services architecture, each handling some specific transaction of users’ medical data. For each function or container component, it is imperative that the cloud workload protection solution implemented ensure least privilege execution. This is crucial to minimizing the risk of data leakage and privacy violations.
- Cloud workload protection solutions necessitate protecting the application from both known and unknown threats, commonly known as “zero-day” attacks. Because serverless functions used in medical technology solutions are usually small and single-purpose, a serverless security solution should employ self-learning behavioral defense to detect and block undesirable behaviors that stem from cyber-attacks.
Based on the unique requirements and attributes modern cloud-native application security, needs to be built from the ground-up with the inner workings of the application in mind. Traditional application security protocols simply do not work in these modern architectures as the mechanic of the application has fundamentally changed. Healthcare organizations and medical technologists need to reimagine the way AppSec is done without negatively affecting the operational benefits of these modern workloads like efficiency, cost savings, etc.
The security implemented for these modern cloud workload applications must provide healthcare providers and medical technologists:
- Centralized visibility across cloud-native environments.
- Behavioral intelligence to prevent known and unknown attacks.
- Active protection and automated security.
Maintaining Compliance of Healthcare Cloud Workloads
In healthcare, patient care is of the utmost importance, and this goes beyond clinical care. The care of patients extends not only to their physical care but to the policies and procedures placed around their privacy, both digital identity and personal information. This is where Cloud Security Posture Management is critical to regain control of your application workloads and ensure healthcare compliance, specifically with HIPAA and other regional privacy mandates. True Cloud Secure Posture Management is a holistic approach, which requires the following components applied to the micro-level:
With expansive interconnected healthcare networks, accessing cloud assets is becoming impossible for compliance teams to manually aggregate and test findings. The lack of control and visibility is a huge compliance and security risk. Leading healthcare compliance and security teams are leveraging tooling to central the view of their cloud networks, with continuous compliance tracking and enforcement, and the added ability to automatically remediate security issues, in real-time. These real-time notifications and views help offset risks that could jeopardize compliance posture and helps them maintain HIPAA guidelines.
Cloud-Native Security Controls
With so many workloads created at scale, network security policies need to be in place across your cloud provider security groups to segment traffic and control access to servers. Sadly, developers and operations teams usually just accept the default security policies, which are overly permissive, allowing any connection from anywhere to any port on the new virtual server. It’s easy to restrict access to one IP or several, but many administrators cannot predict which IP addresses they will be logging in from—which means they fail to restrict critical access. This is a huge compliance violation.
By microsegments the network using built-in security group policies in cloud environments with automated behavioral analysis, access can be controlled and compliant. This means that breaches in one part of the application cannot spill over into other instances or services, and healthcare providers are not left with hefty fines for violations.
Elasticity and flexibility are primary reasons healthcare organizations are moving their infrastructure to the cloud. However, tracking and maintaining control of security policies is where elasticity and flexibility can lead to issues. While your application may change from one instance to another, your policies may not follow, leading to inadvertent exposure of backend servers to everyone. The security operations team is responsible for monitoring such changes to ensure that elasticity does not create misconfigurations or open back doors to sensitive data. However, with the number of applications and microservices running in the cloud, manually tracking this is nearly impossible. This is where visualization tools are critical, making mistakes like misconfiguration immediately apparent, combined with the ability to fix discovered issues in real-time and prevent them from recurring in the future.
Only give the minimum required access levels necessary to perform the required task. Maintaining control over the keys to your network and healthcare infrastructure is the single most critical requirement for protecting cloud deployments. A security platform that allows a resource owner to assign access rights on an as-needed basis, on-the-fly, or for a limited amount of time, can help prevent such incidents. For example, a contractor or employee can be granted access for a particular window of time. After the time allotted expires there is no need to manually revoke access—it’s automatic. This allows organizations to maintain a closed-by-default security posture by keeping the good guys in for just the right amount of time.
Logging and Independent Audit
Even with every policy and file integrity management system in place for your cloud deployment, things may still go wrong. A malicious visitor may go to your healthcare website and cause a denial of service by repeatedly refreshing a page that requires compute-intensive backend processes. How do you find the problem? Monitoring and logging every packet that passes across the cloud environment makes it possible to detect anomalous behavior and demonstrate that the security controls are in place as designed, but this is not something you should do manually. Ensuring your security controls are in place as intended could be indispensable during an audit, when it is necessary to prove that controls are working- even better if it is automated.
How to Automate Security and Maintain Compliance for Healthcare Application Workloads
Check Point CloudGuard provides a comprehensive cloud workload protection solution for healthcare and has evolved its solution to address the unique needs of healthcare organizations and medical technologist face with modern cloud workloads, including:
- Check Point CloudGuard Dome9 enables the deployment of customizable policies (using GSL) across the account that enables assurance of compliance to HIPAA and GDPR. The policies are applied during development, inside the CI/CD pipeline, during staging and testing, and during deployment in the cloud. CloudGuard Dome9 provides end-to-end compliance management with automated data aggregation and in-place remediation for public cloud environments—simplifying the public cloud compliance process and cutting the time to comply with up to 80%. The HIPAA compliance engine in particular in CloudGuard Dome9 offers continuous compliance with allows healthcare organizations to automate and continuously run compliance assessment reports against HIPAA. Furthermore, the compliance engine will run automatic compliance checks and will alert you if any changes in your environment threaten its adherence to HIPAA and immediately report findings.
- For serverless applications, Check Point CloudGuard Workload automates the process of applying least-privilege to all serverless function in the healthcare application while still empowering application developers to move at the speed of serverless. It then applies a behavioral defense solution that seamlessly and automatically protects serverless functions, with nearly no overhead in function performance. This automatically protects functions from known and unknown attacks.
- For container workloads, Check Point CloudGuard secures Kubernetes computing services and ensures configurations comply with standards such as CIS Kubernetes Benchmarks or NIST 800-190. CloudGuard continuously scans the deployed container assets to identify misconfiguration issues that could jeopardize the healthcare applications’ security posture and compliance. From there, technologists can leverage auto-remediation technology through CloudBots to ensure security and continuous compliance.
- For further active protection, CloudGuard LOG.IC delivers advanced security intelligence, with cloud security monitoring and analytics. Its object-mapping algorithms combine cloud inventory and configuration information with real-time data monitoring from a variety of sources from Amazon AWS, Microsoft Azure, and Google Cloud native log, packet capture appliance, and alert tools. The outcome is rich contextualized information, enhanced and simplified visualization, deep event correlation, querying, intrusion alerts, and notifications of policy violation, enhancing Security Operation Centers (SOC) with relevant cloud security intelligence for faster and more efficient incident response.
With modern cloud workloads, healthcare organizations can now adopt the cloud and take advantage of all of its benefits without jeopardizing security or compliance.
Source: Check Point