Experts urge caution when putting health data in the cloud

Healthcare has become a favorite target for criminals, and some medical organizations are reacting by looking at outside providers to keep their data secure.But jumping to the cloud without first taking some precautions can be a mistake, experts say.


Last month, Salesforce introduced its Salesforce Health Cloud service, a cloud-based patient relationship management solution that integrates data from health records, wearables, and other sources and allows healthcare providers to access this information any time, any where.

The health care system requires that many different organizations have some degree of access to patient data, meaning that the security of the entire system depends on its weakest link. Moving to a provider like Salesforce will, in most cases, provide a higher level of security than organizations can typically manage on their own.

"Salesforce can invest much more in security than any one hospital can," said Rajiv Gupta, CEO at cloud security vendor Skyhigh Networks. "They are patching their systems constantly."
Many security professionals are uncomfortable when data is out of their control, he said, but the mind shift is already happening.

"I think the Salesforce Health Cloud was inevitable," he said. "And the timing is perfect."

One immediate benefit is that it can help move healthcare industry employees off of insecure cloud services, he said.

"An average healthcare employee uses 26 cloud services," he said -- and 5.6 percent of them are classified as "high risk" by Skyhigh.

"Most employees are not aware that some services are high-risk, and doctors like to collaborate," he said. "They find IT restrictions to be too constraining."

Healthcare organizations need to get to a place where they can allow doctors to use the best technology, while still meeting security, governance and compliance requirements, he said.

"Salesforce is one of the most enterprise-ready, lowest-risk cloud service providers out there," he said.

The platform is already being used by a number of large healthcare organizations.

Nashville-based MissionPoint Health Partners, which serves a quarter million patients in six states, manages its entire provider network through Salesforce.

Michigan Health Information Network uses Salesforce to address the problem of $6.3 billion worth of medications dispensed in Michigan each year that have unintended consequences, hurting patients and wasting money.

Other Salesforce customers include Colorado-based healthcare system Centura Health, California-based medical device manufacturer DJO Global, Netherlands' Radboud University Medical Center and the University of California, San Francisco, a center of health sciences research.
He added that Salesforce complies with its obligations under HIPAA's "business associate" classification. In addition, it offers customers a number of security and compliance tools, including event monitoring, audit trails, and encryption.

"These features make it easier for customers to achieve HIPAA-compliant use of the Salesforce Platform and Salesforce Health Cloud," he said.

But even with the most secure cloud service, there are still potential vulnerabilities. For example, if a doctor is accessing cloud-based records on their laptop or tablet using automatic logins -- or leaves the device in a public area already logged into the system -- then the records become vulnerable.

Ebba Blitz, president of US operations at security vendor Alertsec, said that she uses Salesforce. If she ticks the box that says "remember my password," all she has to do is open her laptop and she is up and running.

"This means that if I lose my laptop, and someone gets my login, they have full access to my Salesforce cloud," she said.

She suggests that healthcare organizations also look at two-factor authentication to lock devices and restrict access to sensitive data.

Mobile devices in particular offer a number of quick authentication methods -- everything from fingerprint scans to voice activation to swipe gestures -- that easily become automatic for users and don't get in the way of using the device.

Organizations also need to watch out for local caching of patient information. This may be useful if, say, a medical professional needs to review records on a long plane trip. But it also means that the data is locally available on the device if the device is lost or stolen.

"That's why its so important to have encryption," said Blitz.

Salesforce's Newman said that there are a number of best practices that Salesforce recommends to its customers.

In addition to two-factor authentication, for example, customers are advised to limit logins to particular IP addresses and using SMS identity confirmation when users log in from unknown devices or IP addresses.

Customers should also strengthen password policies, mandate that all sessions be encrypted, and decrease session timeout thresholds.