PHOENIX -- Migrating health IT systems to the cloud may cause migraines, but the benefits of cloud-based security outweigh the challenges, according to Cleveland Clinic's executive director and deputy CISO Julian Mihai.
Mihai, a speaker at the 2019 CHIME Fall CIO Forum, said moving systems to the cloud moves the security perimeter, a transition that can provide a flexible way to protect growing organizations and an increasingly mobile workforce.
Angela Diop, vice president of information systems at Unity Health Care in Washington, D.C., has firsthand experience with a cloud migration. Unity Health Care recently moved its eClinicalWorks EHR to the cloud, a process Diop said was no walk in the park.
The migration has been hampered by unexpected costs, security gaps and data silos. Unity Health Care opted against using the eClinicalWorks cloud product and instead chose to use a public-private cloud setup, partnering with AWS as its cloud provider.
But Diop believes the struggles will be worth it in the end.
"My goal is that people have the information they need at the point of care, or where they need it," she said. "In order to do that, I don't feel like my organization, long term, has the resources to keep up with the performance and security that is needed to be able to provide that. You just can't build what AWS can build in terms of security."
Angela DiopVice president of information systems, Unity Health Care
Diop attended Mihai's talk on cloud-based security and was drawn to his comments on moving an organization's security perimeter to the cloud, something she's currently tackling, to enable a mobile workforce and give providers access to data when and where they need it.
"We're grappling with this shifting of the perimeter right now," she said. "It's kind of hybrid now because we still have things on prem. Our EHR is all the way up there now, but we still have the personal drives that people have. Our goal is to get everything in the cloud."
A growing security perimeter
A security perimeter is the area around a healthcare organization's systems, infrastructure and data that a security team is asked to protect.
According to Mihai, a healthcare organization's growth through acquisitions and mergers can present a challenge for cybersecurity programs. Security teams may struggle to establish consistency due to a shifting perimeter and the amount of protection needed in different locations.
Additionally, the healthcare workforce is becoming increasingly mobile, meaning they're no longer accessing patient data solely through a health system's hardware on premises. Providers work in multiple hospitals or may need to access data from remote locations, and a cybersecurity program needs to ensure that access is secure, Mihai said.
"We have to deal with a constantly expanding security perimeter and the growing number of locations that we need to protect, which comes with its own challenges," he said. "It also means you have to safeguard an increasingly mobile workforce."
Traditional security practices have "generally failed at growth" because older security measures can't keep pace with changing technology or how clinicians use that technology, Mihai said. As an organization grows, healthcare security teams also have to deal with high security costs from duplicate infrastructure, nonstandard cybersecurity and nonstandard computing in different locations.
Migrating systems to the cloud can dynamically secure a healthcare organization's perimeter, Mihai argued.
"What I'm talking about is enabling a mobile workforce by taking this security perimeter, this complex technology, this blob of technologies, and moving it to a security cloud so that you can free your workforce to be anywhere they need to be and have the same instantaneous protection no matter if they're on a different continent, no matter if they're in a remote location, or in a different part of your state," he said.
Benefits of cloud-based security
Healthcare organizations are increasingly experiencing growth through consolidation, acquisitions and mergers, which puts a strain on often overlooked cybersecurity programs, Mihai said.
A typical acquisition of a small hospital will funnel money into programs that directly benefit clinical care -- not into cybersecurity efforts, he said.
And healthcare executives are often faced with a tough choice: Limit growth and take longer to advance care for patients or wait for a multiyear integration so a smaller hospital can benefit from the cybersecurity protection a larger organization has, Mihai said.
"We believe that challenge can be completely removed with a cloud security platform," he said.
Healthcare CIOs could also benefit financially. Cloud-based security is scalable and can be a lower-cost option for providing cybersecurity to remote locations. CIOs will also be able to provide insight into the cybersecurity costs for growth.
"Having a properly designed set of cloud security platforms allows you to sit at the strategic and investments table together with the business and be able to provide an accurate estimate immediately, and provide insights," he said.
Lessons learned from implementation
Mihai said when migrating to the cloud, it's key to get infrastructure buy-in well in advance because everything on premises can be tightly coupled.
One of the issues the Cleveland Clinic experienced was how legacy systems and services critical to patient care that were backed up and secure on premises might be affected by a cloud outage during the transition. The Cleveland Clinic decided to migrate to the cloud incrementally so that those systems could continue to be backed up on premises, Mihai said.
"You need a smaller, on-premises presence that ... gives you time to work with all the solution providers and gives you time to work on discovering your own organization to identify all those critical services and transition them safely," he said.
Using a mix of on premises and cloud can be expensive since the organization is securing systems both on premises and in the cloud. Mihai said the key is getting the healthcare organization, the cloud provider, as well as on-premises service and systems vendors on the same page.
Ultimately, healthcare organizations will want to migrate completely to the cloud and leave the on-premises infrastructure behind, Mihai said.