Feature | October 25, 2012 | Cristine Kao

Security in The Cloud

How to evaluate the data security capabilities of cloud-based services

As many healthcare systems consider the advantages of moving patient data to a cloud-based service, radiology and IT managers are understandably concerned about data security. The good news is that healthcare facilities of all sizes can achieve more comprehensive data security from healthcare cloud service suppliers due to their expertise and investment in advanced technologies, infrastructures and processes. 

If you are considering cloud services, it’s important to evaluate each supplier’s ability to deliver all three components of data security: availability, integrity and privacy. Data availability delivers continuous access to data even in the event of a natural or man-made disaster or event, such as fires or power outages. Data integrity ensures that the data is maintained in its original state and has not been intentionally or accidentally altered. And privacy refers to successfully restricting access to authorized persons. 

To maintain continuous security in the cloud, all three forms of data security should be maintained within the physical infrastructure of the supplier’s data center, the hosted application that manages data and the policies and procedures.

Ensuring availability involves physical security features, such as redundant power supply and air conditioning systems, protection against fire and specially equipped ventilating and air conditioning systems. The cloud services provider should maintain at least two copies of ingested data, thus reducing the risk of data loss. The second copy, actively or passively synchronized, should be stored at another location in case a disaster impacts the primary data center. Databases and data must be stored on architectures that provide high availability and performance.

Data Security and Integrity 

This is a key area where cloud services excel. Access to the data center must be tightly monitored through the use of security guards, a scheduling process for any visitors, a single entrance to the most sensitive area of the data center, and surveillance cameras around the building and at each entrance. Employee access should be monitored, and extra authentication should be required to access sensitive areas within the building where patient data is stored. You should also ask to see the supplier’s security policy and find out how employees’ online access to data is monitored.

Data integrity involves a validation process to ensure each copy of the data maintains its integrity. It must be possible to detect and reconstruct damaged files. Application-level signatures should be computed for every document and kept in the database. The encryption mechanism used to ensure confidentiality during transmission includes an integrity check that guards against data corruption during transmission over TCP/IP.

The key used to encrypt the data should be encrypted with the data itself. If data has been modified, intentionally or accidentally, data decryption would then fail. This protection also prevents the sending of corrupted data to clinicians and other users.
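The validation process described above (a stored signature per document, checked against every copy, with damaged copies rebuilt from a good one) can be sketched as follows. This is an added example, not code from the article or any supplier; HMAC-SHA256 is an assumed choice of signature, and the key, file names and two temporary directories standing in for the primary and secondary data centers are constructed.

```python
import hashlib
import hmac
import sqlite3
import tempfile
from pathlib import Path

KEY = b"constructed-demo-key"  # assumption: a real key would live in a KMS/HSM

def sign(data: bytes) -> str:
    """Application-level signature: HMAC-SHA256 over the document bytes."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def ingest(db, sites, doc_id: str, data: bytes) -> None:
    """Write one copy per site and record the signature in the database."""
    for site in sites:
        (site / doc_id).write_bytes(data)
    db.execute("INSERT INTO signatures VALUES (?, ?)", (doc_id, sign(data)))

def verify_and_repair(db, sites) -> dict:
    """Check every copy against its stored signature; rebuild bad copies."""
    report = {}
    for doc_id, expected in db.execute("SELECT doc_id, sig FROM signatures"):
        good, bad = [], []
        for site in sites:
            path = site / doc_id
            ok = path.exists() and hmac.compare_digest(sign(path.read_bytes()), expected)
            (good if ok else bad).append(path)
        if not bad:
            report[doc_id] = "ok"
        elif good:
            for path in bad:  # reconstruct from a copy that still verifies
                path.write_bytes(good[0].read_bytes())
            report[doc_id] = "repaired"
        else:
            report[doc_id] = "unrecoverable"  # no valid copy left: raise an alert
    return report

def demo() -> dict:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signatures (doc_id TEXT PRIMARY KEY, sig TEXT)")
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        sites = [Path(a), Path(b)]  # stand-ins for primary and secondary data centers
        ingest(db, sites, "study-001.dcm", b"constructed sample study A")
        ingest(db, sites, "study-002.dcm", b"constructed sample study B")
        (sites[0] / "study-001.dcm").write_bytes(b"bit rot")  # one copy damaged
        for s in sites:  # both copies damaged
            (s / "study-002.dcm").write_bytes(b"tampered")
        first = verify_and_repair(db, sites)
        return {"first": first, "second": verify_and_repair(db, sites)}
```

The second document shows why the second copy matters only if it is validated independently: once both copies fail the check, the signature can detect the damage but nothing can be reconstructed.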

Ensuring Privacy 

Privacy protection is required at both the application and network level. Communication between healthcare sites and the data center is performed with SSL-based encryption at the application level to ensure end-to-end protection between the service access point and the data center. This encryption ensures that none of the employees of the network provider can access data and prevents data from being viewed while it is being carried over the Internet to an end user’s viewing software. 

SSL can implement several encryption algorithms. Site-level access control defines which originating sites can access data, and a user profile defines access to features and data. Access rights for a given user can be defined for patients and types of studies. Secure access requires each data center to equip its Internet connection with the following: 

• firewalls to control network transmissions based on a set of rules that protect networks from unauthorized access;

• a physical or logical subnetwork (known as a demilitarized zone) that contains and exposes an organization’s external services to a larger untrusted network, providing security from external attacks; and

• continuous updates to anti-virus software with the latest virus signature databases.

To guarantee secure data exchange, the connection between the data center and a customer site is usually made through an SSL-encrypted tunnel.

Policies and Procedures 

Beyond physical and application level design, proper policies and procedures are required to maintain ongoing security for cloud-based services. These involve establishing an audit trail that tracks all patient health information (PHI)-related activities, warnings and failures that occur in the system. This information can be used to trace the source of selected changes to information in the system, as well as to detect unusual system activity.

Proactive monitoring combines technology with experienced personnel to enable early detection of potential incidents, ideally before they impact users. A dedicated tool continuously watches each node of the cloud infrastructure, along with access points at each customer’s location and platforms at data centers. Monitoring checks key application processes, systems and the wide area network between the service access point and the data center.

A remote monitoring system infrastructure collects metrics from each device and automatically triggers alerts when a faulty condition is detected. Conditions that trigger an alert range from data that is not being backed up to unauthorized attempts to access data. Depending on the severity of the incident detected, an e-mail may be sent to the support team or a visible alarm may be displayed at the dashboard to initiate follow-up action. 

In addition to protecting data, monitoring activities also ensure that the systems achieve specified performance and uptime guarantees. Monitoring is conducted 24/7/365, and trained personnel investigate each incident.    

It’s often cost-prohibitive for individual healthcare systems to invest in and provide ongoing support for the equipment, technology, personnel and training required to deliver the highest level of data security across all physical locations and communication methods. Providers may want to consider working with a cloud services provider that can provide a higher level of data protection.
