Is Encryption The Answer To Cloud Security?
By Katie Wike, contributing writer
As healthcare communication migrates to the cloud, is there confidence that the information is secure?
iPads and smartphones are in the hands of virtually every doctor and patient in the United States these days. A recent blog post from the Huffington Post asks us to, “Imagine empowering a person living with diabetes to track their blood-sugar levels throughout the day, report on how they feel at various points (e.g., after meals or exercise) and record how much insulin they took - all from a phone in the palm of their hand. Then, with the simple touch of a button on that same phone, they send all of that valuable data to their doctor, who can provide immediate feedback or make adjustments to their treatment regimen.
“This is the ideal mobile health story, one in which mobile technology makes it easier and more efficient to achieve better health outcomes - and these are the type of apps, if deployed in developing countries, that can help deliver better care than the current healthcare and communications infrastructure allow.”
While it may be the “ideal mobile health story,” the authors note it doesn’t come without risk that this health data could be compromised. “Our challenges and questions ahead form a lengthy list when it comes to securing mobile health:
- How do we enable patient control over the data they provide while using a mobile app?
- How do the smartphone device manufacturers, operating system, and app developers meet their obligation to respect a person's privacy interests and keep the data confidential?
- How do we understand the security posture of the popular smart phone and computing devices, communications mechanisms, and user apps?”
A similar sentiment is expressed by April Sage, writing for mHealth News. “With so many care providers using mobile devices at the point of care and with so many patients using the web for aspects of their medical care, there are an awful lot of mobile devices floating around that have access to confidential patient information,” she writes. “That's a recipe for disaster.”
The solution to this, according to Sage, is encryption.
“For a scenario like this, encryption is the natural answer because it ensures the security of the data regardless of whether the device is lost or whether the app lives in the cloud. Encryption not only prevents security breaches, but also mitigates risk in the event of a security breach by reducing or eliminating fines, loss of credibility and a whirlwind of other negatives,” explains Sage. “As an example, if lost/breached healthcare data has been encrypted and the keys remain safe, the responsible organization is not required to report the incident publicly. Think of it as an inoculation against the common data breach.”
Sage admits encryption is not easy, writing, "An effective encryption strategy requires a defense-in-depth approach, which may include:
- Encryption in transit via Mobile VPN (Virtual Private Network) and/or Secure Socket Layer (SSL) certificates to create a private, secured tunnel for internet traffic to flow through;
- Encryption at rest in the primary data storage environment;
- Encryption in backup in disaster recovery environments;
- Encryption within the applications themselves;
- Encryption within the database."
Sage concludes, “Encryption should be built in, not bolted on, and it should be cloud providers who are taking the lead. It should be the responsibility of every cloud provider to address this issue, and they can with technology that exists today.”
Want to publish your opinion?