"Hey you - get off my cloud!"
Cloud computing is advancing faster in healthcare than anyone could have dreamed. Provider intrigue with the cloud’s capabilities, adaptability and cost-effectiveness is driving a rapid transformation in healthcare IT systems. Yet cloud security remains a concern as providers search for answers about how their data is protected, how effectively identities are protected and how easily the workforce can gain access. Patrick Harding, chief technology officer for Ping Identity, a global identity security company, wants to reassure providers that using the cloud is not only safe, but provides cost reduction and performance benefits as well. He recently spoke with Healthcare IT News contributing editor John Andrews about cloud security.
What are the current trends in cloud use for healthcare and how are these complicating secure cloud access?
For hospitals, it can be broken down into three areas: cloud, mobility and social. The cloud itself is horizontal in nature, across all enterprises and increasing in popularity with the adoption of workforce-oriented apps. For example, we see web-based email, collaboration, talent management and payroll applications increasing in popularity. Small and middle-market providers are adopting cloud-based clinical services. The mobility segment is tied to the cloud with apps geared toward services. With social, you have hospitals that look to interact with patients as the consumerization of healthcare continues. With access to the hospital portal, consumers can use Google or Facebook to log in and avoid the whole registration process. Once they are in the hospital portal, consumers might want to create a local account for their sensitive information. But the initial interaction has a more social flavor. All of this is starting to emerge and increase in use across all of those areas. It’s a business and consumer enabler and it’s cost-effective.
What are the greatest security challenges for healthcare providers that you see when it comes to cloud security?
At the highest level, it’s data loss prevention – how to assure you won’t lose data either inadvertently or maliciously. One challenge is the data security problem around keeping data encrypted in the cloud, and then there’s the access control problem of preventing unauthorized access to that data. From Ping Identity’s point of view, we focus on the access and identity problem, how to ensure that the data in the cloud is being accessed securely and by the right people. The first thing that comes up in some of the larger hospitals is that they have already made significant investments in their identity management infrastructures and with the cloud they haven’t necessarily been able to leverage that infrastructure out of the box. They have separate silos and log-ins and have to provision those users into the apps manually. There is also the question of how to handle “transient” users who need to be provisioned in temporarily. You end up with all the access control that is siloed and separate because you can’t tie it back to existing controls and infrastructure. It’s a question of how to leverage the cloud while meeting all your access control requirements. That’s where we have focused – on open standards as the interfaces and protocols used to bridge the existing identity management infrastructure with cloud apps and the new technology that providers have installed. An identity bridge allows you to take advantage of the directory or access management and bridge them through open standards to the cloud apps. Our customers are using this to address their workforce access issues.
What are the advantages of using an identity bridge for cloud identity and access?
At the most basic level, it eliminates passwords and that makes accessing cloud apps easier and more secure. Doctors can click a cloud app link within the physician portal and get seamless access into that cloud app. They don’t need another account with another password. If it is all being managed out of an active directory, administrators can set up user lists with access permissions so that when users are added, they can get access to the cloud apps they need, and when they’re removed from the list, they lose that access. The key is that the communication mechanisms, the protocols used between hospitals and cloud apps, are standards like SAML (Security Assertion Markup Language) and SCIM (System for Cross-domain Identity Management). Eliminating passwords not only mitigates data and identity security risks, it is a ‘big win’ for the users.
How do you see cloud computing evolving in the future?
When it comes to looking at what is emerging next, I’ll refer to what we’re seeing outside of healthcare and that is the ability to share data among apps that may or may not be in the cloud – exposing your data externally via a REST-based programming interface. This is an example of what we should be able to do with the breaking down of the silos that exist today. In healthcare, there is focus on public HIEs, yet there is a frustration among patients when they get an x-ray taken, and there is no way for a specialist in another hospital to have access to it. The patient needs to be able to delegate access to that specialist, who can retrieve it electronically from the hospital. That doesn’t widely exist today. We need to be able to allow that data to break apart from the silos – that is the next evolution of what needs to occur. We have the technology and protocols to do it; we just need the app.