Consistent Security Model for Cloud, Hybrid, and Local Datacenters with Sirius and Check Point
2nd September 2021 • This Week Health: Conference • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our topic for today is consistent security model for cloud, hybrid and local data centers.

Our sponsor for today's segment is Check Point, but we're also happy to be joined by our guest today, Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event straight through to the end. We wanna invite you to a special event that we have coming up Thursday, October 7th.

At:

They're the community connect partner for Sky Lakes, and they're gonna recount the events and the effects that it had on the interconnected health systems, some of the things that they did that, uh, they believed worked pretty well and some of the things that they think could have prepared them better for the event.

Uh, we're also happy to be joined by Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event straight through to the end, and I believe with his insights and the CIO's experience, this discussion is gonna provide valuable insights into the best practices that are being adopted across the industry and maybe that you can adopt.

th at:

Our topic for today is consistent security model for cloud, hybrid and local data centers. Our sponsor for today's segment is Check Point. Let's get to it with Matt. This is an interesting topic. As I look at this one, the title almost answers the question, consistent security model for cloud, hybrid and local data centers.

Frame this up for us a little bit and let's just talk about what, what is the challenge we're trying to address here? Right. So we would love to think that healthcare can actually participate in cloud in the similar and same manner as all other industry. We know that's not the case. There are other industries, uh, such as financial investment that can't go down the path of being completely cloud either.

So as we're starting to see the blend of technologies go from our on-premise in the local data center, go completely into the cloud or that blend of a hybrid nature. And from a hybrid cloud nature, we know that there are some components that live in the cloud, some that live on premise, defining the hybrid nature.

Those are gonna be some of the biggest challenges that we have over time. We need to make sure that it's consistent. And as you're moving these workloads into cloud, there is a good admission criteria. How are you actually accepting the data in there? We've all heard ancillary information around how that unsecured storage buckets have left information vulnerable. That has been a breach, unquote. Well, the lack of configuration and the lack of consistency in a cloud workload may actually be worse on premise. So as we're starting to blend these two together, we rely on our standard control sets that are in healthcare, in the local data center to protect all of those assets.

The minute you push your data into a cloud workload, you either have to recreate all those controls or you have to send the data back through your control plane to be effective. So if we look at a baseline problem statement of how do we consistently secure cloud and local, what you have to do is now start to blend those together.

The policy, the standard, all of the taxonomy you use has to be consistent. So if you're building something for the cloud, it doesn't have to be vendor matched to vendor match. It doesn't have to be solution for solution. It has to be capability by capability. I, I've talked to a lot of health systems on This Week in Health IT about their cloud strategy, and almost all of them now have a cloud strategy.

If you rewound eight years or so, that wasn't necessarily the case. So now as we're looking at this from a security standpoint, you talk about consistent security model across these things, but they're, they're very different. We can't just assume that the, the cloud is secure in its baseline format, and if we put our stuff on there, it's secure.

We actually, I, I would assume as health systems, we have to create frameworks for the cloud and a framework for hybrid and a framework for our local data center that's appropriate for that modality. Does that make sense? Is that accurate or am I missing something? No, you're spot on. So think about it.

When we get a cloud instance, we have to either use their contractual language to validate that the dim data or information is going to be secure. We have to do a review of their controls and or we need to make sure that there's a consistent methodology. So once you take over the ownership of a workspace in the cloud, you are going to assume that it is controlled and secure.

The minute you start putting your data in there and making major change, that's when we start to drift. The configuration drift in a cloud environment is one of the most critical path items. We have learned to deal with that on premise over time, but there's a brand new lexicon. We have skills uplift, lift that needs to occur in all industry, not just healthcare.

So if we move data to the cloud, if we move information to the cloud and then we change a configuration, there has to be a validation. We work very closely on standards that have been produced by the Cloud Security Alliance. It then references NIST and ISO, HIPAA, other methodologies. We do like cloud security frameworks for the reason that it gives us consistency, and if we follow a lot of the rubrics of success of how we get to cloud workload, we need to make sure that we're not putting an undue burden on those remote resources.

We're not just guessing that the effective security controls have been validated by that third party. So now think about the controls that have to be put in place. Not only effective controls in cloud, not only the consistency of those controls on premise, but then a validation that both of them are working together well.

At a minimum that's two times the level of effort, possibly higher. So that's where we're starting to see a lot more focus is before you deploy workloads to the cloud, make sure that your policies are either updated or consistent with securing a new mode, a new mode of data storage. Do the tools, the controls, is it the same kind of tool sets across cloud, hybrid and, and local data centers?

Are we seeing like a common set of tools that we can apply across the entire enterprise, or are we looking at a mishmash of tools to manage that environment securely? There are single pane of glass solutions that are very available. They're very effective and they're very expensive. Uh, so we see a lot of that.

You know, pushing things together. We see a lot of homegrown solution and we try and get there on our own. That's gonna have to be the biggest shift. We need more tool choices that work across the lines from cloud workload back into the currency of our environment. We need to make sure that also, that there are some healthcare specific tool sets for this.

We need to have reporting that is always going to give similar or same sets of data, but as we see more and more data move to the cloud, there's also a security risk and a control that a lot don't think about, and that is the cost of moving information from on-premise out to the cloud and then back again. We have organizations, healthcare organizations, all verticals suffer from this when they go cloud first and they have their first year of billing, they see where that they were trying to do the same old mode of validation through security and their cost just for moving the data back and forth was exorbitant. So now they have to redesign those systems. So we also want to look very carefully that a security risk to the organization could be an unexpected cost for the data transfer, the data processing, or the data storage.

So talk to me about secure healthcare data. So one of those kind of things when we're moving that data around, yes, it can be expensive, but there's also a regulatory framework around securing that data. How does that, how does that change as it moves from the local data center to hybrid to cloud into that cloud environment?

Are we able to move the security controls with it to make sure that that data is secure? Or when we move it to the cloud environment, do we just naturally open it up?

That can be accessed by, I don't know, maybe a third party cloud worker or those kind of things. How do we secure that data? Just knowing that, uh, it's no longer in our physical realm, right? We can rely on a lot of the controls to be able to encrypt the data so that if a physical disc is lost, uh, it's gonna be meaningless.

There won't be any recoverable information. Just as we do data destruction policies for local data centers. There are data destruction from cloud, so let's throw that concept out right now that if we put it in the cloud, others have access to it. No, it's going to be secure. As long as you have the framework around securing and encrypting that data, however, you can still move that data.

We have to make sure that the policies can be ephemeral and they can follow around where you're going. Our policy decision and our policy enforcement in the cloud is much more granular. Role-based access control, where you're coming from, what permissions you have access to are all going to determine what systems that you get.

Now, these are native and inherent controls that are built into most of the public cloud platforms. You don't have to go and buy a huge suite of solutions. So we can see why it's enticing to move to the cloud because a lot of these controls are built in and effective. As we get larger and larger, we have to layer on a lot of those third party or marketplace controls in a cloud workload.

But from the baseline cloud systems have been designed to be very secure. There are good success models and there's good levels of how to put those controls in place, and more importantly, how to validate that the controls are being effective. When we have a firewall on premise, we always use that as our baseline.

Now we get to follow the person and the data. Talk to me about what a mature system, a mature health system would look like in terms of their model across cloud, hybrid, and local data centers. What would a mature framework look like from a health system like that? Sure. So we have to make sure that the data of record and the data ownership has good performance.

The very first thing that we have to look at is how do we put effective security and we can put controls in place without impacting the performance. So if we move a workload to the cloud, will it perform? That is one of the most mature organizational questions that can be asked. So if you're asking about performance instead of security, and you have a security plan already, the performance is a very mature statement of what can we get to, will we be able to have access if there is an event? So let's take a ransomware event, let's layer it on top of an organization. Let's say that they have their data for their EHR/EMR in a hybrid state, they have an air gap backup and a clean room that they can put their systems in.

Instead of seeing 30 plus days of recovery, a mature organization can see four hours for recovery, a real return to operations, a downtime that is reasonable and meaningful for the organization, and something that's also manageable. That would be the maturity curve that we want to see. We want to see an organization that is not just self-healing, but is also healable with minimal intervention.

So what's next? So I'm a health system. I'm a health system leader, and I'm looking at this going, yeah, I'm not sure we have the frameworks in place. I'm not sure we are at a good maturity framework across our various environments. How do we get there? What, what are some steps? What's the next steps I should take?

The baseline of what you have today is one of the most critical path items if you know what systems you're using. Where the data is moving into cloud platforms, whether it is infrastructure as a service, platform as a service, or software as a service, knowing exactly how you're communicating. The currency of what cloud is.

Taking that baseline of what you're exchanging now, take a look at what the goals are for the architecture. Will you be able to effectively put that workload into a cloud? Will you be able to bridge that with your local data center for a hybrid approach? So the baseline of what you have today, where your security controls are effective, and most importantly, how you can shift that from the traditional access model to that role-based access control, that granular access, that's going to be one of the most effective starting points.

And once you get the baseline of how secure are you, how are people accessing the data, and where is data going? You can start to just lay out those large building blocks and come up with goals near term, midterm, and long term. That is going to be the success story that most organizations have is taking an honest look at themselves today and where they want to be in 12 months and develop a plan to get there and get there effectively within budget and within timeline.

Fantastic. Thanks Matt. Appreciate your time. That really sets up our next conversation. Well, thanks again. Hey, thanks, Bill. What a phenomenal conversation. We want to thank our sponsors, Sirius Healthcare and Check Point, who are investing in our mission to develop the next generation of health leaders.

Thanks for listening. That's all for now.
