Feature | October 25, 2012 | Cristine Kao

Security in The Cloud

How to evaluate the data security capabilities of cloud-based services

As many healthcare systems consider the advantages of moving patient data to a cloud-based service, radiology and IT managers are understandably concerned about data security. The good news is that healthcare facilities of all sizes can achieve more comprehensive data security from healthcare cloud service suppliers due to their expertise and investment in advanced technologies, infrastructures and processes. 

If you are considering cloud services, it’s important to evaluate each supplier’s ability to deliver all three components of data security: availability, integrity and privacy. Data availability delivers continuous access to data even in the event of a natural or man-made disaster or event, such as fires or power outages. Data integrity ensures that the data is maintained in its original state and has not been intentionally or accidentally altered. And privacy refers to successfully restricting access to authorized persons. 

To maintain continuous security in the cloud, all three forms of data security should be maintained within the physical infrastructure of the supplier’s data center, the hosted application that manages data and the policies and procedures.

Ensuring availability involves physical security features, such as redundant power supply and air conditioning systems, protection against fire and specially equipped ventilating and air conditioning systems. The cloud services provider should maintain at least two copies of ingested data, thus reducing the risk of data loss. The second copy, actively or passively synchronized, should be stored at another location in case a disaster impacts the primary data center. Databases and data must be stored on architectures that provide high availability and performance.

Data Security and Integrity 

This is a key area where cloud services excel. Access to the data center must be tightly monitored through the use of security guards, a scheduling process for any visitors, a single entrance to the most sensitive area of the data center, and surveillance cameras around the building and at each entrance. Employee access should be monitored, and extra authentication should be required to access sensitive areas within the building where patient data is stored. You should also ask to see the supplier’s security policy and find out how employees’ online access to data is monitored.

Data integrity involves a validation process to ensure each copy of the data maintains its integrity. It must be possible to detect and reconstruct damaged files. Application-level signatures should be computed for every document and kept in the database. The encryption mechanism used to ensure confidentiality during transmission includes an integrity check that guards against data corruption in transit over TCP/IP.

The key used to encrypt the data should be encrypted with the data itself. If data has been modified, intentionally or accidentally, data decryption would then fail. This protection also prevents the sending of corrupted data to clinicians and other users.
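The validation process described above (a signature per document kept in the database, every copy checked, damaged copies rebuilt from a good one) can be sketched as follows. This is an added example, not code from the article or any supplier; HMAC-SHA256, the table layout, the two in-memory replicas and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: in practice the key is held in a key-management service, not beside the data.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def sign(content: bytes) -> str:
    """Application-level signature: HMAC-SHA256 over the document bytes."""
    return hmac.new(SIGNING_KEY, content, hashlib.sha256).hexdigest()

def ingest(db, replicas, doc_id, content):
    """Record the signature in the database, then write a copy to every replica."""
    db.execute("INSERT INTO signatures (doc_id, sig) VALUES (?, ?)", (doc_id, sign(content)))
    for store in replicas.values():
        store[doc_id] = content

def validate_and_repair(db, replicas):
    """Check every copy against its recorded signature and rebuild damaged or
    missing copies from one that still verifies. Returns (repaired, unrecoverable)."""
    repaired, unrecoverable = [], []
    for doc_id, sig in db.execute("SELECT doc_id, sig FROM signatures ORDER BY doc_id"):
        good, bad = None, []
        for site, store in replicas.items():
            data = store.get(doc_id)
            if data is not None and hmac.compare_digest(sign(data), sig):
                good = data
            else:
                bad.append(site)  # copy is missing or altered
        if good is None:
            unrecoverable.append(doc_id)  # no verified copy left: escalate, never serve
            continue
        for site in bad:
            replicas[site][doc_id] = good
            repaired.append((doc_id, site))
    return repaired, unrecoverable

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signatures (doc_id TEXT PRIMARY KEY, sig TEXT NOT NULL)")
    replicas = {"primary": {}, "secondary": {}}  # constructed stand-ins for two sites
    ingest(db, replicas, "study-001", b"constructed sample image bytes A")
    ingest(db, replicas, "study-002", b"constructed sample image bytes B")
    replicas["primary"]["study-001"] = b"constructed sample image bytes X"  # silent corruption
    del replicas["secondary"]["study-002"]                                  # lost copy
    return validate_and_repair(db, replicas), replicas
```

A keyed signature is used here rather than a plain hash so that someone able to alter a stored file cannot also produce a matching signature without the key.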

Ensuring Privacy 

Privacy protection is required at both the application and network level. Communication between healthcare sites and the data center is performed with SSL-based encryption at the application level to ensure end-to-end protection between the service access point and the data center. This encryption ensures that none of the employees of the network provider can access data and prevents data from being viewed while it is being carried over the Internet to an end user’s viewing software. 

SSL can implement several encryption algorithms. Site-level access control defines which originating sites can access data, and a user profile defines access to features and data. Access rights for a given user can be defined for patients and types of studies. Secure access requires each data center to equip its Internet connection with the following: 

• Firewalls to control network transmissions based on a set of rules that protect networks from unauthorized access;

• a physical or logical subnetwork (known as a demilitarized zone) that contains and exposes an organization’s external services to a larger untrusted network, providing security from external attacks; and  

• continuous updates to anti-virus software with the latest virus signature databases.

To guarantee secure data exchange, the connection between the data center and a customer site is usually made through an SSL-encrypted tunnel.

Policies and Procedures 

Beyond physical and application level design, proper policies and procedures are required to maintain ongoing security for cloud-based services. These involve establishing an audit trail that tracks all patient health information (PHI)-related activities, warnings and failures that occur in the system. This information can be used to trace the source of selected changes to information in the system, as well as to detect unusual system activity.

Proactive monitoring combines technology with experienced personnel to enable early detection of potential incidents, ideally before they impact users. A dedicated tool continuously watches each node of the cloud infrastructure, along with access points at each customer’s location and platforms at data centers. Monitoring covers key application processes, systems and the wide area network between the service access point and the data center.

A remote monitoring system infrastructure collects metrics from each device and automatically triggers alerts when a faulty condition is detected. Conditions that trigger an alert range from data that is not being backed up to unauthorized attempts to access data. Depending on the severity of the incident detected, an e-mail may be sent to the support team or a visible alarm may be displayed at the dashboard to initiate follow-up action. 

In addition to protecting data, monitoring activities also ensure that the systems achieve specified performance and uptime guarantees. Monitoring is conducted 24/7/365, and trained personnel investigate each incident.    

It’s often cost-prohibitive for individual healthcare systems to invest in and provide ongoing support for the equipment, technology, personnel and training required to deliver the highest level of data security across all physical locations and communication methods. Providers may want to consider working with a cloud services provider that can provide a higher level of data protection.
