Figure 2: Controls planned to mitigate IoT risks
Healthcare technologies must adopt the cloud to manage the massive scale of devices and healthcare technology improvements. A secure and compliant cloud environment must form the baseline for this adoption to be fast and successful.
Leveraging cloud for healthcare requires adherence to health IT standards such as C-CDA, HL7, FHIR, and DICOM, in addition to the standard set of cloud security controls and HIPAA compliance.
Consolidated-Clinical Document Architecture (C-CDA) is a framework for creating clinical documents that contain both human-readable text and machine-readable XML.
Fast Healthcare Interoperability Resources (FHIR) is a specification for exchanging clinical and administrative health care data. The standard is based on REST and OAuth.
Health Level 7 (HL7) v2 messaging is a commonly used data interchange standard. This standard includes messaging specifications for patient administration, orders, results, scheduling, claims management, document management, and many others.
DICOM® is the international standard to transmit, store, retrieve, print, process, and display medical imaging information.
Public cloud provides several capabilities to make compliance easier for customers. For example, collaboration tools used for telehealth, such as Microsoft Teams and Google Workspace, support HIPAA compliance. Customers who are subject to HIPAA must sign a Business Associate Agreement (BAA) with the cloud service provider.
Amazon HealthLake, Amazon Comprehend Medical, Google Cloud Healthcare Data Engine, Healthcare API, and Azure Health Bot are a few examples of purpose-built solutions for the healthcare industry. Leveraging these solutions would significantly enhance the pace of the cloud journey. Readily available tools and templates can be used to build customized healthcare-compliant solutions. The cloud environment undergoes multiple independent third-party audits that provide assurance that the implemented controls are validated. For example, adherence to disposal policy and use of the techniques described in NIST SP 800-88 Revision 1 “Guidelines for Media Sanitization” is validated during the third-party audit, and a report on compliance is published.
If tools developed in-house are to be hosted in the public cloud, customers should have the flexibility to access and review logs of actions taken by the cloud service provider's engineers and administrators. Also, de-identification of data must be done to protect patient privacy. Native security controls should be augmented with cloud security posture management, cloud-native security analytics, and container security solutions for enhanced protection.
The greatest wealth is health. Health is personal and privacy is key. Privacy by design and privacy by default must be an integral part of every solution. Technologists who develop and implement secure, compliant digital health systems in partnership with health professionals will create enormous value, and cybersecurists have a significant role to play.