By Trisha Paine, Head of Cloud Marketing Programs, Check Point Software Technologies
The healthcare industry has always been more cautious when it comes to new deployment mechanisms, especially when they involve the cloud. While one appreciates all of the benefits the cloud offers, their first priority is safeguarding patient private data and records. However, this is balanced with the need for expedited, consolidated and always available patient care data, and the easiest way to do this is by leveraging the cloud. What compounds this and makes the transition more challenging is the rules and regulatory fines that are imposed by HIPAA – in some cases, amounting to over US$1million per incident. This leaves healthcare organisations and medical technologist in a quandary. The secret is to evolve the security approach, and better yet, automate the security protocol to ensure patient protection, application security, and compliance.
Healthcare Migration to the Modern Cloud
The rapid proliferation of medical and health technologies that consumers can interact with is quickly driving healthcare and medical technology providers into the public cloud, and specifically to new application workloads, including serverless and container architectures. For many healthcare and medical technology use cases, modern workload architectures are an excellent architecture choice, for several reasons:
Healthcare and medical applications often require large scale and high-availability. Serverless and container workloads make building and operating large-scale, highly-available applications much easier and less costly. For instance, pharmacies have mobile or online applications to process prescription requests that require on-demand scalability. On the other hand, EMR software applications used within the hospitals network can be broken out into containers for greater efficiency and security.
Compliance and data privacy protection are often critical to healthcare technology solutions. Moving to workload architectures can help application developers create even greater robust designs with nano-requirements to enhance security and privacy restrictions.
Workload Security in Healthcare
The move to modern workloads, like serverless, and containers, creates new challenges and opportunities for healthcare and medical solutions — and as mentioned, they must be HIPAA compliant. Medical technology providers need to understand the various nuances in order to address security and compliance requirements, including:
Medical applications deployed on a public cloud leveraging serverless or container services have stringent compliance requirements, such as HIPAA and GDPR. Healthcare organisations need to meet these compliance regulations in accordance to the design of the workload deployed, and enable proper certification and auditing calls for clear security controls across the entire lifecycle of the application, from development to production.
Healthcare cloud services can comprise hundreds of serverless functions or several containers in a micro-services architecture, each handling some specific transaction of users’ medical data. For each function or container component, it is imperative that the cloud workload protection solution implemented ensure least privilege execution. This is crucial to minimising the risk of data leakage and privacy violations.
Cloud workload protection solutions necessitates protecting the application from both known and unknown threats, commonly known as “zero-day” attacks. Because serverless functions used in medical technology solutions are usually small and single-purpose, a serverless security solution should employ self-learning behavioural defence to detect and block undesirable behaviours that stem from cyber-attacks.
How to Automate Workload Security for Healthcare
Modern cloud-native application security, like those in cloud workloads, needs to be built from the ground-up with the inner workings of the application in mind. Traditional application security protocols simply do not work in these modern architectures as the mechanic of the application has fundamentally changed. Healthcare organisations and medical technologist need to reimagine the way AppSec is done without negatively affecting the operational benefits of these modern workloads like efficiency, cost savings, etc.
There are several features that help make Cloud Workload application for Healthcare, far more secure than traditional applications. Some of these include:
Centralised visibility across cloud-native environments.
Behavioural intelligence to prevent known and unknown attacks.
Active protection, and automated security.
Check Point CloudGuard provides a comprehensive cloud workload protection solution for healthcare, and has evolved its solution to address the unique needs healthcare organisations and medical technologist face with modern cloud workloads, including:
Check Point CloudGuard Dome9 enables deployment of customisable policies (using GSL) across the account that enables assurance of compliance to HIPAA and GDPR. The policies are applied during development, inside the CI/CD pipeline, during staging and testing, and during deployment in the cloud.
For serverless applications, Check Point CloudGuard automates the process of applying least-privilege to all serverless function in the healthcare application while still empowering application developers to move at the speed of serverless. It then applies a behavioural defence solution that seamlessly and automatically protects serverless functions, with nearly no overhead in function performance. This automatically protects functions from known and unknown attacks.
For container workloads, Check Point CloudGuard secures Kubernetes computing services and ensures configurations comply with standards such as CIS Kubernetes Benchmarks or NIST 800-190. CloudGuard continuously scans the deployed container assets to identify misconfiguration issues that could jeopardise the healthcare applications security posture and compliance. From there, technologists can leverage auto-remediation technology through CloudBots to ensure security and continuous compliance.