Moving Your Healthcare Organization to the Cloud? Here’s What You Need to Know First


While the last two years accelerated digital transformation across a wide range of industries, this has been a long time coming for healthcare. Healthcare has been undergoing a massive shift to improve security, streamline operations, and enhance the patient experience—and much of that shift centers around the movement to the cloud. Cloud-native ostensibly offers a better, more accessible user experience marked by enhanced uptime, reliability, and efficiency. Here are just a few of the elements impacted by the movement to the cloud:

Telemedicine. Once a niche offering, telemedicine exploded in popularity during the pandemic and has all the signs of becoming a mainstay. The security concern: every app and every connection needs to be secure and HIPAA-compliant.

Fast Healthcare Interoperability Resources (FHIR). The healthcare industry has been gradually shifting to electronic healthcare records, along with the digital storage and sharing of those records. The upside of electronic healthcare records is that healthcare professionals can access critical information about patients almost instantly. The security concern: how do you guarantee that only the right people get access to sensitive records, and only when needed? The industry is trying to standardize APIs to mitigate those risks while still facilitating necessary access.

Regulations. Compliance and regulations vary widely by state. For example, in California, parents no longer have access to their child’s healthcare records once that child turns 12. How do you standardize processes across non-standard regulatory environments?

The common theme in all of these: ensuring security without compromising standards of care or the patient experience. That’s a tall order, to say the least. And it’s one that the movement to the cloud is designed to accommodate.

And yet, moving to the cloud comes with inherent security risks. In the cloud, not only do apps need to be secure, but all platforms those apps run on top of need to be secure as well. A perfectly secure application doesn’t help if an attacker can change the source code that makes up the application. Securing a cloud application means moving beyond firewalls and the assumption that the application is running on a local network; it means embedding security controls into each and every piece of software.

If your healthcare organization is accustomed to having everything stored and processed locally, the cloud can feel overwhelming. Modern cloud-native applications may now be composed of dozens or hundreds of microservices, housed in containers and hosted on immutable, dynamically scaling platforms like Kubernetes. If all of that sounded like another language to you, that’s because it is another language—and the language of cloud-native has a steep learning curve. The key takeaway: modern applications and the platforms they run on are built out of possibly hundreds of individual components, each of which must be secured.

Does that mean you should avoid the cloud? Not at all. When navigated appropriately, the benefits of moving to the cloud (flexibility, scaling, iterative capability, user interface, functionality with the decentralized workforce, operations that don’t break down if you have a local issue, etc.) far outweigh the risks. But it does mean you should plan ahead. Here’s how.

Embed security

The best way to optimize security and functionality when moving to the cloud is to build security into your people, processes, and software. Specifically, that entails addressing the authorization side of security: the rules that decide who can access or update information when using your software, e.g. which healthcare records a doctor can read.

When it comes to policy, a key to success is to fully embrace a policy-as-code approach.

Adopting policy-as-code means decoupling policy from your application code and using a dedicated, declarative language to define the conditions and rules that make up that policy.

Can application X access information Y at Z time from location Q? The policy code decides. No human intervention required. No need to implement it repeatedly throughout your application.

Can Bob in patient services access Maria’s file and send it to Acme Insurance Company via an encrypted email? The policy code decides. No human intervention required.
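The two questions above and the doctor-reads-records rule from the previous section, written as a single OPA policy. This is an added example, not code from the article or from Styra; the input fields, the package name and the sample data (patient and user identifiers, ages, authorized recipients) are assumptions constructed for illustration.

```rego
package healthcare.records

# Deny unless some rule below explicitly grants access.
default allow = false

# Constructed sample data (an assumption for this example); in a real
# deployment these come from OPA data documents, not from the policy file.
assignments := {"dr_lee": {"maria"}}                    # physician -> patients
children_of := {"parent_ana": {"leo"}}                  # parent -> children
patients := {"maria": {"age": 34}, "leo": {"age": 12}}  # demographics
authorized_recipients := {"maria": {"acme_insurance"}}  # patient -> payers

# Rule 1: a treating physician may read records of patients assigned to them.
allow {
    input.action == "read"
    input.user.role == "physician"
    assignments[input.user.id][input.patient_id]
}

# Rule 2: patient services may share a record externally, but only to a
# recipient the patient has authorized and only over an encrypted channel.
allow {
    input.action == "share"
    input.user.department == "patient_services"
    input.channel == "encrypted_email"
    authorized_recipients[input.patient_id][input.recipient]
}

# Rule 3: a parent may read a child's record only while the child is under 12
# (the California rule mentioned above, modelled as an age check).
allow {
    input.action == "read"
    input.user.role == "parent"
    children_of[input.user.id][input.patient_id]
    patients[input.patient_id].age < 12
}

# Tests (run with `opa test policy.rego`): the decisions the text asks about.
test_bob_share_allowed {
    allow with input as {"action": "share", "user": {"id": "bob", "department": "patient_services"},
                         "patient_id": "maria", "recipient": "acme_insurance", "channel": "encrypted_email"}
}

test_bob_unencrypted_denied {
    not allow with input as {"action": "share", "user": {"id": "bob", "department": "patient_services"},
                             "patient_id": "maria", "recipient": "acme_insurance", "channel": "plain_email"}
}

test_parent_of_12_year_old_denied {
    not allow with input as {"action": "read", "user": {"id": "parent_ana", "role": "parent"}, "patient_id": "leo"}
}
```

Because the rules live outside the application, a single `opa eval -d policy.rego -i input.json "data.healthcare.records.allow"` answers the same question for every service that asks it.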

Adopting policy-as-code means developer teams can focus on creating features that help customers; security and compliance teams can audit policies without digging through reams of application code written in different languages; operations teams can enforce the rules that make the cloud platforms themselves safe. In short, policy-as-code helps each team focus on its strengths, working together to deliver secure software to customers as quickly as possible.

If healthcare organizations adopt a policy-as-code approach from the beginning of their move to the cloud, productivity increases and risks are reduced. This sounds great in theory, but how do you actually do it? Here are some best practices:

Best practices for adopting policy-as-code in healthcare

A policy-as-code approach enhances security and productivity

A healthy move to the cloud is one that is done securely and without inhibiting productivity. In fact, doing it right means drastically enhancing security and productivity. Again, the best results come from starting early and adopting a policy-as-code solution from the get-go, but if you’re already wandering around the cloud, it’s not too late. With solutions like Open Policy Agent (OPA), the future of cloud-native is flexible, fast, and far less burdensome on IT resources.

This article originally appeared in the HelpNetSecurity “Healthcare CyberSecurity Report” on February 23, 2022.
