Like a lot of hospitals and healthcare organizations lately, Christiana Care Health System has been embracing cloud computing in earnest these past few years.
The gains in speed, agility and convenience have been hard to argue with. But the move requires careful deliberation and close attention to an array of unique security requirements, said Anahi Santiago, chief information security officer at Christiana Care.
"We have a data center here, and had traditionally been a shop where almost everything was on-premise," said Santiago.
During the two years in which Santiago has been CISO at Christiana Care, however, she's seen a slow but steady increase in the appetite for cloud-based applications. "The new technologies that we want to implement, the requests from our customers" – the clinicians across the health system's two hospitals and various outpatient facilities – "are mainly from cloud providers."
So much so, in fact, that Christiana has essentially shifted to what Santiago described as a cloud-first strategy.
"That means that if there is an application that can run on our data center, or it can run on the vendor's data center, we would prefer to run it out there," she said.
Right now, about 10 percent of Christiana Care's applications are in the cloud, but Santiago said that number is set to increase considerably based on the amount of contractual activity underway. And in the next ten years it could skyrocket to 75 percent of its applications being hosted in the cloud.
"We recognize that our core function shouldn't be to manage hardware and gear," she said. "These vendors, many of them have large dedicated security personnel that can probably do security even better than we can just based on economies of scale."
Santiago added that she and Christiana Care's CIO Randall Gaboriault agree that to deliver faster and better care at a lower cost, "we need to do it in the cloud where we can be more nimble and flexible and move at a faster rate than if we were to be managing things on-premise. Being in the cloud affords us the ability to be more innovative, strategic and to move at a faster pace."
Due diligence gives 'comfort level' in the cloud
Especially as a security professional, Santiago was not always bullish on remote hosting.
"Years ago, I was very concerned about the cloud," said Santiago. "And there are still cloud vendors out there with whom I would be very concerned about partnering."
Which is why Christiana instituted a regimented third-party assessment process for vetting vendors, including a series of questionnaires.
"We require things like ISO certification or HITRUST certification, a review of their SOC II reports, a review of their policies and procedures, summaries of penetration and vulnerability assessment reports," she explained. "We have them give us written evidence of disaster recovery on an annual basis."
Those rigorous requirements "give us a comfort level when we're going to the cloud, we're doing it with partners that have met a level of security that we're comfortable with," she said.
As Christiana Care moves further and further into a cloud-first environment, that does make for extra – or at least different – work for Santiago in her capacity as CISO.
"It's certainly a lot more work than we would do if it were on-premise because then we could closely monitor the controls," she explained. "And it's going to be even more work as we continue to go more and more into the cloud. Because we have to figure out a way now to regularly monitor all of these vendors that we really have no control over. And that's going to put additional requirements on my team from a time and assessment perspective and from a risk management perspective."
In fact, she said, "we might have to, ironically, rely on some other third parties to help manage these vendors. Because we just don't have the resources to go and audit every single one of our cloud vendors physically. We might in the future look at partners to help us do that for the vendors we deem highest-risk or most critical."
'Don't lose sight of the fact that security is still our job'
Even with just 10 percent of its clinical apps hosted remotely, Christiana Care has already seen some useful gains in innovation and productivity.
"A lot of the initiatives we have put out in the cloud have enabled physicians to be more mobile, enabled them to do things like population health management much more effectively and in ways that we probably couldn't have done if everything was on premise," she said.
The cloud model is key to Christiana Care's ACO participation, for instance.
"Being in the cloud enables fast collaboration, and faster change when the healthcare delivery models change and it just enables the clinicians to do things better, which is the ultimate goal," she added.
As other health systems explore similar cloud-based strategies, Santiago has some simple security advice: "A SOC 2 report is not the end-all be-all," she said. "Make sure you understand the scope in which that report was written."
Additionally, "as you're assessing these vendors, take into account the security controls that you have implemented on premise – such as data loss prevention, identity and access management, log management and encryption," she said. "There are a lot of cloud providers that don't implement those controls and you will have to look for complementary security controls in the cloud."
That sort of due diligence is essential for any responsible embrace of remote hosting, said Santiago.
"The cloud is not evil," she said. "You can really help improve healthcare delivery by adopting the cloud. But don't lose sight of the fact that security is still our job. You may be transferring some risk, but you will never transfer reputational risk. Have dialogues with your customers – your clinicians – to make sure that the organization understands that as you're moving to the cloud there are risks that come with it. They need to be addressed."
HIMSS17 runs from Feb. 19-23, 2017 at the Orange County Convention Center.
This article is part of our ongoing coverage of HIMSS17.