A Health-ISAC Navigator White Paper by Clearwater


Pdf version:

Clearwater-Keeping Patient Data Secure in the Cloud


Text version:

In the past three decades, cloud computing as we now know it has undergone many changes. Long gone are the days when large corporations had a single off-site server parsing data. Today, businesses of all sizes are embracing the cloud for everything from storage to services and beyond.


While we’ve seen increased cloud adoption in the last three or four years, cloud usage—and a rapid acceleration into cloud services—has increased across many industries, including healthcare.


In fact, Microsoft CEO Satya Nadella is quoted in a January 2021 Forbes article as saying that within just a few months of the pandemic, the company had seen the equivalent of two years of digital transformation as a growing number of its customers adopted cloud solutions. Likewise, in late 2021, Gartner estimated that global cloud revenue is likely to reach $474 billion in 2022, up from $408 billion the previous year. That same report goes on to estimate that more than 85% of organizations will embrace a cloud-first principle by 2025.


For healthcare specifically, the Healthcare Cloud Computing – Global Market Trajectory & Analytics report estimates the industry’s global cloud computing market is expected to reach almost $77 billion by 2026.



When it comes to cloud migration, there has long been a misconception that your organization must take an all-or-nothing approach. There’s long been a traditional view that to even begin this journey, your organization must develop a detailed plan that encompasses the entire migration process (think all of your systems, data, applications and services across your entire organization, regardless of criticality or dependencies). This has often looked like a stepped approach, often in this order:


  • Waterfall process (complete all design before starting migrations)
  • Sequential delivery (hand-offs) of infrastructure build, middleware configuration, code deployment, network configuration and testing
  • Architecture teams operate separately from engineering, test, networking and security


In this traditional approach, teams often get so overwhelmed by the details, costs and timeframes, that they just give up and choose to do nothing instead of tackling it all. But, as we’ve seen the pandemic force healthcare organizations to think about services and delivery models in a new way, cloud adoption no longer has to be an all-or-nothing strategy.


Instead, more controlled, incremental migration to the cloud can help your organization achieve efficiencies while meeting goals and delighting customers. Instead of focusing on the “all,” a more modern approach takes into consideration the capabilities and productivity of your teams and then empowers them to make digital transformation decisions that flywheel your organization to success.


There are a number of benefits to this more controlled approach. It enables your teams to:
  • Tackle the volume of change your teams can handle
  • Prioritize migration projects that unlock the most value for your organization
  • Make decisions
  • Embrace a mindset of data-driven, continuous improvement
  • Focus on incremental change
  • Use performance data and feedback to inform modernization and optimization decisions


Think of it like this: Your teams are smaller cogs that help turn the larger cloud transformation wheel. As each smaller cog functions at optimized levels, you can model that success and expand it into larger environments. From there, you can continuously scale up, starting first with your most critical and important services and data and moving upward from there.

So, how would you scale your cloud transformation program once you’ve set this pace? Consider:

  • Launching detailed on-premises discovery to collect baseline dependency, sizing and performance data for the entire environment
  • Establishing program, governance and factory operating modes
  • Assigning core teams and launching sprint planning for the first one or two portfolio groups to move next, and beginning planning for portfolio segment migration sequencing over the course of the full program
  • Beginning detailed design on complex applications (“big rocks”) for initial portfolio move groups
  • Setting up an SME team to assess the entire portfolio for systems with tight coupling to mainframe and midrange systems
  • Beginning development of a plan to decouple, resolve or remove these dependencies



While the pandemic may have accelerated cloud usage and changed our views on the all-or-nothing migration approach, many healthcare organizations have been working on a full or hybrid cloud model for years. That’s because using the cloud brings a lot of advantages to organizations, from cost savings to scalability, often with fewer resources required to manage onsite architecture.

As more and more organizations migrate data to the cloud, there is a growing sense of (false) security that data in the cloud is always safe. While that may be true in some instances, when we’re talking about patient data and all of the requirements and regulations that surround security and privacy, the reality is there are increasing chances your sensitive data could be exposed to the public. This is especially true in a public cloud model, for example, Amazon Web Services (AWS) or Microsoft Azure. As you increase your cloud usage, so increase your risks.

To add an additional layer of complexity, some healthcare organizations don’t have a good understanding of who is responsible—the healthcare organization or the cloud provider—for ensuring that data is protected and secure. In many instances, it’s a shared responsibility model. That means depending on the agreement, both the organization and the cloud services provider have responsibilities. In an example with a public cloud model, your healthcare organization may be responsible for security in the cloud, such as:


  • Customer data: How it’s stored, shared and accessed
  • Platform, applications, identity and access management
  • Operating systems, networks and firewall configuration
  • Client-side data including encryption and data integrity, as well as authentication
  • Service-side encryption, such as file systems and data
  • Network traffic protection such as encryption and data integrity


While each organization’s needs are specific, in general, your healthcare organization should retain ownership and control of:

  • Data hosted on the cloud
  • Who accesses content and services
  • Which level of security is appropriate for the data
  • Which services are employed
  • Configuring the environment in a way that conforms with applicable regulatory requirements


See full white paper in Pdf above.

