In the Patient’s Interest: Data Privacy and Security in the Cloud
Cloud computing in the healthcare sector offers completely new possibilities and brings many advantages for healthcare providers as well as for patients. The healthcare sector is a very data-intensive industry, and the amount of data increases every year. Real-time access to and analysis of this data is becoming more important due to the increasing complexity and interdisciplinarity of medical treatments. Proper and secure data processing and administration require considerable effort from healthcare providers, who must manage this without losing focus on their core competencies.
Cloud providers that offer a secure organizational and technical framework for data processing, and that specialize in managing and structuring large amounts of data, promise two main benefits of Software-as-a-Service (SaaS) delivered via a public cloud: on the one hand, reliable and secure data handling; on the other, an indispensable source of information and intelligence that can improve the decision-making process and outcomes.
Hospital IT staff have a hard time ensuring the professional operation and maintenance of IT resources 24 hours a day, 365 days a year, especially given the ever-increasing complexity and cyber crime. On top of that, health data are among the special types of personal data that are subject to the highest level of data protection worldwide, e.g. as defined by the EU-General Data Protection Regulation (EU-GDPR). They are also subject to medical secrecy laws in many jurisdictions. Because this category of data is particularly sensitive, data security and medical confidentiality play an important role, in addition to data protection, for whoever processes this data.
Key Security Requirements in the Cloud
The protection of personal data during its use, storage or transmission over a network is of paramount importance everywhere, but above all in the healthcare sector. In several countries, efforts to introduce electronic health records nationwide have clearly shown the challenge of balancing data protection against the effective use and availability of patient data. But how can cloud providers optimally protect such sensitive data to effectively prevent unauthorized processing and unauthorized disclosure?
In this respect, measures must be taken at both the technical and organizational level. On the technical side, this includes securing the servers and databases with up-to-date (‘patched’) systems, where updates are promptly installed and where firewalls and virus scanners are installed to prevent unauthorized access to systems and data. On the organizational side, a clear authorization concept is required, defining e.g. who is authorized to carry out administrative activities on the servers or who may enter the server room.
One of the most important aspects of data security is the encryption of data. It is intended to ensure that unauthorized persons can’t read any data during transmission and, if someone does gain unauthorized access to the data, that no one can use the data or draw conclusions from it, e.g. identify certain patients and become aware of their illnesses or treatments. For that reason, data should be transmitted from the customer to the server in a fully encrypted manner using encrypted channels. This includes medical data as well as data used, for example, to authenticate users. In addition, the data stored by a service provider must also be encrypted.
Redundant server infrastructures in distributed data centers ensure that both stored data and services are available to customers, even if one data center fails. Especially in the medical sector, it is important to be able to access necessary – possibly life-saving – data of a patient or of a treatment at any time. Another advantage of a redundant infrastructure is the possibility of updating services with zero downtime, so that the end user is usually not affected.
The on-premise systems mostly used in hospitals today are often a historically grown mix of older and more modern technologies. Older infrastructures are more susceptible to external attacks because current protection measures have not yet been incorporated into the architecture. Cloud solutions usually offer coordinated solution architectures that are based on state-of-the-art security technologies and are professionally secured and maintained, which professional cloud providers prove through regular certifications (such as ISO 27001, SAS 70, SOC 1 and SOC 2). Please refer to the SAP Trust Center for additional information.
Please also see this blog post by Cerner, SAP’s strategic partner in healthcare, outlining their perspective on Data Privacy in the Cloud.