An excerpt from the recent "Cloud Computing for ASCs" panel discussion featuring Dr. Paul Alcock and Ryan Burg. Here, we highlight three of the top questions around cybersecurity and their responses.
Dr. Paul Alcock, Director of Information Security, and Ryan Burg, Manager of DevOps, for Surgical Information Systems (SIS), recently participated in a panel discussion focused on "Cloud Computing for ASCs." The program covered some of the most common questions about cloud computing, how it works, and how it's used by ambulatory surgery centers (ASCs). Registrants came away from the discussion with a wealth of information that will help them make more educated decisions about selecting cloud solutions and leveraging cloud computing in their surgery centers.
The following is an excerpt from the webinar that provides the panelists' responses to three questions about one of the hottest topics concerning the cloud: cybersecurity. The responses have been edited for length and clarity. To watch the entire webinar, please visit the SIS Resource Library.
Q: You can't miss the news about all the ransomware attacks in healthcare. How will being in the cloud better protect my ASC?
Dr. Paul Alcock (PA): At some point, every organization is going to be impacted to some degree by a security event. While ransomware is in the national news, it's a lot closer to home than you might think. I personally know of at least six ASCs that have been the victim of a ransomware attack in the past two months.
Ransomware is so prevalent right now, and the numbers are staggering. Ransomware operators continue to exploit the aftereffects of COVID. A lot of companies had to move to a remote workforce in the early days of the pandemic, so you have many people working from home networks that lack the appropriate controls to identify and prevent bad actors from exploiting these insecure networks and using them to pivot into corporate or production networks.
Ransomware attacks can be devastating to an ASC, and your ability to resume business operations is largely dependent on whether you have a plan in place to recover your data after the event. If you don't, what does that mean for your business? What does that mean for you being able to get your business back on track and resume surgeries? Considering you've lost that patient data and everything in your systems is gone, it's going to be a huge uphill battle.
How does the cloud help you with such a scenario? One way is offloading some of that security responsibility to a cloud provider that has invested in the appropriate people, processes, and technologies to help reduce the possibility of a ransomware attack and, more importantly, be able to quickly and effectively respond to such an attack. In addition, I think one of the biggest benefits you get from leveraging a cloud-based application is the segregation of your protected health information (PHI) from your internal environment. With your sensitive data being up in the cloud and protected by your cloud provider as opposed to having the data live in your environment, you have transferred some of that risk. A lot of ASCs lack the resources to fully implement the appropriate security controls and technologies to effectively protect their environment. We have seen over and over that even the most basic of security awareness and training for employees is often missing from the ASC security strategy.
This is important because the number one way that ransomware operators get into a system is through phishing emails. They phish your staff and your ASC, but they're not targeting you specifically. Rather, they send mass emails out thousands at a time. At a very high level, as soon as somebody clicks a phishing link or opens an attachment, perhaps provides their credentials or something gets installed on their system, the ransomware operator gets to work in the internal environment. They start moving around, seeing what information you have, and then kicking off the ransomware.
This can be devastating. It's happening everywhere, which is why the ability to transfer some of that risk to a cloud provider with those controls in place is one of the reasons cloud computing has grown in popularity. You're segregating your environment, so you know that if your internal systems were impacted through ransomware, your PHI is safe. You can still access the software as a service (SaaS) application and your data that's stored within it.
There are a number of different models to choose from and differing levels of responsibility when you move to the cloud. I think one of the most important things to remember is that if you make a decision to move some of your processes, applications, or data to the cloud, you must understand your level of responsibility. That means identifying where that delineation is between you and the cloud provider, so you have no gaps in your security posture.
My big point here: Don't believe that ransomware attacks are for other healthcare providers that you see on the news because they are a lot closer to home. If you don't take security seriously and implement the appropriate controls — regardless of whether you move to the cloud — you are at increased risk.
Ryan Burg (RB): On one hand, it's scary, because you need to think about how you would respond if such an incident happened to you and your ASC. That's why you need a plan in place beforehand. That way, if or when it does happen, you have a plan you will follow. The last thing you want is to have a ransomware attack happen and you find yourself caught totally off guard. But that's usually what ends up happening.
Piggybacking on a couple of the things Paul said, cloud providers invest enormous amounts of capital in security. I'll give you a few examples. Microsoft, on one of its recent investor calls, reported that it had invested more than $1 billion in security and compliance on its Azure platform. That's not something most businesses can afford to do. What's great is that any company can leverage the security of a large cloud provider because you pay for what you use on the cloud.
Another example is that cloud providers invest in things like red teams and penetration testing. That's something we do at SIS. My team, along with Paul, has worked on many penetration tests. Most businesses are not paying companies to hack away at their products all day long or trying to find vulnerabilities in their infrastructure, platform, and services. When you partner with a cloud provider, you are leveraging someone else with this expertise.
One of the advantages is the cloud allows you to focus on your core business model while offloading some of those things you're not an expert in. Same thing with security. You want to leverage companies that have the expertise and have invested in this because we can't all be Paul when it comes to security. I know I'm not. Just like I leverage his expertise when it comes to security, we, as businesses, can leverage the security and expertise of the cloud.
Finally, the cloud gives us the ability to replicate our data, services, and applications in multiple geographic regions. Even if I had a breach at one site, I should easily be able to recover the data from a secondary safe site.
Some people have long thought that being on the cloud would make them less secure. The reality that's becoming clearer is that it's actually the cloud that makes us more secure because cloud providers are providing the security and recoverability that would be nearly impossible to do ourselves.
Q: How secure is the cloud?
PA: The cloud is essentially no more or less secure than an ASC's internal environment. It can be as insecure as an on-premises server stack or whatever technologies you're running in your ASC. What makes a cloud secure is the investment that the cloud provider is putting into that environment to make it more secure. There are cloud providers investing in the time, manpower, and technological resources to ensure the cloud is a secure environment.
RB: To build on what Paul says, almost all security incidents are associated with people using the cloud platform. Let's go back to the example of Microsoft. It has invested heavily in the security of its platforms. But if I get an email that has a link I shouldn't click but I click it, which then triggers a security event, is it the platform that was insecure? No, it's me. I'm the weak point.
How people use cloud services still matters, and some of the responsibility for ensuring proper, safe usage falls to the cloud provider. At SIS, we provide our employees with ongoing training, and we invest in training our users to make sure that they're using our services appropriately. With all of that said, it's worth repeating that, in terms of the services themselves, they still provide a level of security that an ASC can't achieve on its own. The amount of resources you would need to invest to achieve a similar level is astronomical.
Q: When I'm evaluating cloud vendors, what should I look for from a security standpoint?
PA: This goes back to responsibilities, as Ryan noted. As a SaaS provider, we spend a lot of time and resources securing the environment and bringing in cutting-edge technologies that will help protect us and our users from emerging threats that we are seeing. But you, as a consumer of that cloud service, have a certain level of responsibility too. There are responsibilities that fall to the consumer that the cloud provider really has no ability to manage — things like protecting your username and password. That's why implementing advanced identity and access management features that a provider may offer you is going to be hugely beneficial to improving your overall cyber resilience.
With that said, number one, identify your responsibilities. As you're evaluating cloud vendors, understand your responsibilities and their responsibilities. Make sure you have no gaps in that security posture. You need to validate the security controls implemented by the cloud provider. It's well and good to say things like, "Our cloud environment is 100% secure (which it never is), and we've invested this in it, and we've done that to it." You still need some validation, such as an accreditation report like a SOC 2 Type II report, where a third party has come in and evaluated that cloud platform and said, "Yes, this cloud provider has met X level of security across their environment." That level of assurance is important to have.
Then, you want to identify how your data is being protected when it's up in the cloud. Again, don't just take the cloud provider's word for it. Ask for details. How are they protecting the data? Is your data encrypted? How is it segregated? Is it being commingled with any other customer? Where is your data being stored? If the provider has a backup solution, what are the recovery times and points? If there was an issue in the cloud, how long would it take for you to get the application and your data back up and available?
Finally, going back to identity and access management — that's hugely important because I guarantee that's going to be one of your responsibilities as a cloud consumer. Understand what's available to you. Take advantage of those security controls, and make sure that you are doing your part to protect that environment.
RB: I think reputation and external evaluation are really important in these areas. If somebody's not willing to share security incident reports or third-party evaluations of the platform, why is that? Do I trust my data to a company that won't be transparent? Other important questions to ask: Are they willing to sign a business associate agreement (BAA)? Are they a HIPAA HITRUST compliant platform? Like Paul said, there should be some way to validate a company's reputation and performance, such as the SOC 2 audits.
PA: As Ryan noted earlier, testing is huge. Everybody should be testing their application from a security standpoint. That means getting a third party to look for security vulnerabilities in the cloud application and service. A company should be willing to share those reports with you, or at least an executive summary to give you an understanding of what testing was carried out and, at a high level, the findings.
Moreover, what were the recommendations that came from the third-party tester? Getting those testing reports and the SOC 2 Type II audit results — that third-party validation and not just taking the cloud provider's word for it — are going to be pretty important in the evaluation process.