The American healthcare industry is currently undergoing a massive transition, motivated in part by the transfer of digital medical records and healthcare computing needs to cloud service providers rather than isolated in-house infrastructures built by each institution. This kind of change comes with its own set of concerns, since cloud computing and cloud service providers have often been targeted due to inadequate data privacy and security on such platforms and the many possible avenues for misuse of this data. This essay will, therefore, discuss the effectiveness of cloud service providers for safekeeping American healthcare records and protected health information (PHI). The essay will start by discussing the characteristics of cloud computing delivery models, including IaaS, SaaS, and PaaS, as well as the characteristics of cloud deployment models such as private, public, and hybrid. It will then discuss the impact of cloud computing on data security in general and on PHI in particular. It will finally conclude with a discussion on how to resolve these issues moving forward.
Characteristics and Benefits of Cloud Computing, Cloud Computing Delivery (SaaS, PaaS, and IaaS) and Deployment (Private, Public, Hybrid) Models
Infrastructure as a Service (IaaS) is a cloud computing service that connects users to servers and networking so that users do not have to purchase hardware and can instead use IaaS infrastructure on demand, which provides platforms and applications (Asija & Nallusamy, 2016). This IaaS can be scaled in terms of processing and storage depending on the need of the user, and there is no risk of failure because the stored data is all on the cloud rather than being in the form of physical hardware (Asija & Nallusamy, 2016). Another advantage of IaaS is that administrative tasks are taken care of by the cloud service, which frees up organizational time (Asija & Nallusamy, 2016). Examples of IaaS are Amazon Web Service and Microsoft Azure (Asija & Nallusamy, 2016). Platform as a Service (PaaS) is a cloud computing service that allows users to develop and create applications in the environment, which provides organizations with the advantage of being able to avoid infrastructure and focus entirely on development (Asija & Nallusamy, 2016). The backup, operating system, and security are managed by the provider, and the team can focus on development and collaboration, which is possible even if teams are remote (Asija & Nallusamy, 2016). Examples of PaaS include Windows Azure, Google App Engine, and Amazon Web Service Elastic Beanstalk (Asija & Nallusamy, 2016). Software as a Service (SaaS) is a platform where users do not have any applications on their own hardware but are instead accessing the software through a subscription model on the web where they can store their own data or build new projects (Asija & Nallusamy, 2016). A huge advantage of this is scalability, the fact that infrastructure or software does not have to be managed or updated, and the fact that the applications needed can be accessed globally from anywhere in the world (Asija & Nallusamy, 2016). Examples of SaaS include Google Apps, Dropbox, Cisco WebEx, and GoToMeeting (Asija & Nallusamy, 2016).
A cloud model is called a public cloud when it is offered for public use by a third-party provider, so that all the users have the same software and network devices and, in many cases, even the same hardware (Esposito et al., 2018). In a public cloud system, the client does not need infrastructure or hardware, as they are renting a portion of the provider’s system and the provider manages the updates and responsibilities (Esposito et al., 2018). Therefore, public clouds provide the benefits of cost-effectiveness, time savings, and easy scalability but the drawbacks of lack of customization, security risk, and exposure to vulnerabilities (Esposito et al., 2018). Amazon Web Services and Google offer public cloud services. A private cloud is a model that is created for one organization and is usually physically located in the data center of that company (Esposito et al., 2018). Instead of third-party management, the company is itself responsible for updating, managing, and maintaining that model, which provides the advantages of customization, better security, and more control but the disadvantages of added cost and operating expenses as well as the inconvenience of not being able to remotely access data (Esposito et al., 2018). Examples of private cloud include Microsoft and Apache (Esposito et al., 2018). A hybrid cloud is a model that combines public and private cloud models, where the organization can decide which data and applications to keep private and which to make public (Esposito et al., 2018). This kind of model provides the benefits of flexibility, cost-effectiveness, and the ability of an organization to profit from the model by making in-demand applications public, but it also creates disadvantages due to higher maintenance requirements, more costs, and technical difficulties in managing this system (Esposito et al., 2018). Examples of hybrid cloud models include Amazon Web Services and RackSpace (Esposito et al., 2018).
Impact of Cloud Computing Environment on Privacy and Security in General
There are many aspects of data security and privacy risk in the cloud computing environment, ranging from data integrity and data confidentiality on the software side to data availability and data privacy on the hardware side. Data integrity concerns the random deletion or misuse of data; it entails protecting access to data and is usually managed by the third-party provider or in-house manager of the cloud platform (Kocabas & Soyata, 2020). The more users a system has, the more vulnerable it is to breaches. Data confidentiality is the idea of encryption and access control, so that users can trust the platform where they are storing and sharing sensitive and personal information (Kocabas & Soyata, 2020). Again, third-party providers carry the onus of managing this issue. Data availability is an issue faced by private cloud networks, as it impacts hardware and relates to the failure of hard disks, which can leave people unable to recover their data (Kocabas & Soyata, 2020). Finally, data privacy is the ability of a network to allow people to keep their information secure and private from others, and this also relates to the hardware of a cloud computing system (Kocabas & Soyata, 2020).
Potential Privacy and Security Risks in Healthcare Industries/Institutions Handling Digital Medical Records in the Cloud Computing Environment
There are a number of potential security and privacy risks when it comes to the use of cloud computing networks for healthcare purposes and digital medical records safekeeping. The first of these is that cloud computing software has been known to be breached by hackers and other non-related users in the past, and when it comes to healthcare, this becomes an especially big concern due to the very private nature of health-related information (Ermakova et al., 2020). Data can be stolen, altered, or misused as a result of a breach, identity theft, or hacking, and in a healthcare environment, this has very serious consequences for customer health, customer safety, and customer trust in the system they are engaging in. Cloud computing is essentially introducing shadow IT in healthcare, where the actual organization is not the one managing the computing needs and requirements. This makes unauthorized use much more difficult to detect and intercept and increases the chances of malware infections, data extraction, or even data misuse, as the healthcare system will itself not know who is using the data at what time (Ermakova et al., 2020). Another important fact to keep in mind for public cloud platforms, in particular, is that data deletion is not a process that can be verified and secured as can be done on physical hardware that resides in the organization itself (Ermakova et al., 2020). As cloud computing removes the hardware from the company, the users cannot know where the data is stored and thus cannot ensure that it has been deleted. This increases the threat of data misuse for the organization, as once healthcare or personal information has been uploaded to the cloud, it stays at risk of potential misuse forever (Ermakova et al., 2020).
Other types of data security and privacy risks are posed by the hardware or on-premise aspect of cloud computing, which can typically be associated with private or hybrid cloud networks. One major issue, for example, is the fact that when a healthcare system is using IaaS, it cannot provide forensic detection as would be possible in a very traditional data storage setup (Sharma, Chen & Sheth, 2018). The lack of forensic detection allows people inside the organization who have the authorization to use health data to misuse the data, delete it, alter it, or breach its confidentiality while avoiding detection (Sharma, Chen & Sheth, 2018). Yet another issue is that sometimes the cloud service platform is itself outsourcing certain aspects of the supply chain, such as operations or maintenance, and if these third-party contractors are not complying with data privacy and security guidelines, this opens yet another loophole of individuals who can misuse their access to data and create data privacy concerns for the organization (Sharma, Chen & Sheth, 2018). Finally, it is also important to mention the issues with data storage and data recovery as a consequence of accidents rather than malicious attacks. For example, if data has been lost by the cloud service provider for whatever reason, the provider does not carry the onus of data recovery under standard terms and conditions, especially if the customer has encrypted data but has lost the key (Sharma, Chen & Sheth, 2018). This can also create data access issues for the organization.
How to Cope with Issues
Due to the expansion of the American healthcare industry and the lack of capacity of traditional systems, it is inevitable that healthcare systems will have to adopt cloud computing. The question of how to cope with issues has to be answered by placing the onus for action on both the healthcare industry and the cloud service providers. For the former, it is important to highlight that due diligence before moving systems online is extremely important, as cloud service providers are aware of the conversation around data security and have plans in place depending on the requirement of the client (Sajid & Abbas, 2016). However, it is important to ask and do a thorough analysis of the situation before shifting information online so that the cloud service provider can meet the stated needs. The healthcare system should also keep in mind that the cloud computing platform will have more budget to spend on data security than the organization alone, as the marginal cost is lower for cloud platforms (Sajid & Abbas, 2016). Given this, if the clients put pressure on this facet collectively and showcase their strong interest in secure data, the cloud platforms will meet the need for security. As for cloud service providers, it is important to invest in security scalability in the same way that capacity and network scalability are focused on (Sajid & Abbas, 2016). It is vital for a cloud platform to be able to match defense as the healthcare portfolio increases. Another potential solution is to not replicate healthcare data in particular across multiple locations, as this increases the risk of a breach as well as loading down the system (Sajid & Abbas, 2016). While this is done in other avenues to allow for data recovery in case of loss, a different system can be created for healthcare to avoid potential breach while also reallocating security measures to heighten defense for all secured data.
The loss of healthcare data in the aftermath of Hurricane Katrina and other such natural disasters showcases the importance of cloud platforms for taking the healthcare industry forward. However, in doing so, the cloud service providers have to commit to data security more than ever before, come up with data security plans specific to healthcare data, and allocate a large budget to security scalability and effectiveness as PHI is too sensitive for risks.
- Asija, R., & Nallusamy, R. (2016). Healthcare SaaS based on a data model with built-in security and privacy. International Journal of Cloud Applications and Computing (IJCAC), 6(3), 1-14.
- Ermakova, T., Fabian, B., Kornacka, M., Thiebes, S., & Sunyaev, A. (2020). Security and Privacy Requirements for Cloud Computing in Healthcare: Elicitation and Prioritization from a Patient Perspective. ACM Transactions on Management Information Systems (TMIS), 11(2), 1-29.
- Esposito, C., De Santis, A., Tortora, G., Chang, H., & Choo, K. K. R. (2018). Blockchain: A panacea for healthcare cloud-based data security and privacy? IEEE Cloud Computing, 5(1), 31-37.
- Kocabas, O., & Soyata, T. (2020). Towards privacy-preserving medical cloud computing using homomorphic encryption. In Virtual and Mobile Healthcare: Breakthroughs in Research and Practice (pp. 93-125). IGI Global.
- Sajid, A., & Abbas, H. (2016). Data privacy in cloud-assisted healthcare systems: State of the art and future challenges. Journal of Medical Systems, 40(6), 155.
- Sharma, S., Chen, K., & Sheth, A. (2018). Toward practical privacy-preserving analytics for IoT and cloud-based healthcare systems. IEEE Internet Computing, 22(2), 42-51.