February 17th 2017 1

Research cloud computing in relation to health care. What are the major security and
privacy challenges? Please choose three and describe them in detail.

The National Institute of Standards and Technology defines cloud computing as a model for

enabling convenient, on demand network access to a shared pool of configurable computing

resources (e.g., networks, servers, storage, applications, and services) that can be rapidly

provisioned and released with minimal management effort or service provider interaction.1

According to MarketsandMarkets, the global adoption for cloud services in healthcare will grow

form $3.73 billion in 2015 to nearly $9.5 billion by 2020.2 This is hardly surprising as there are

numerous advantages for adopting cloud integrations such as faster deployment of EHR

technology with the capability of enhanced data sharing and collaboration. Other advantages

include reduced costs with scalable computing resources available on demand.

However, cloud computing integration does have security and privacy challenges. Some of the

challenges include system complexity issues where many components comprise a cloud

environment, resulting in a large attack surface; Shared Multi-tenant environment where

components and resources are shared with users that may be unknown; Loss of Control where

there is a potential for mismanagement of organizational assets over the cloud; the ability to meet

established regulations and laws in a cloud computing environment; under the cloud computing

paradigm an organization relinquishes direct control and hence confers an unprecedented level of

trust onto the cloud provider; the security of data in the cloud may be an issue as it may be stored

in a shared environment and the location of where the data is stored is also an issue; Availability

of cloud services is also important as stored information needs to be obtainable on demand.

The three concerns I am going to focus on are availability, data location and trust.
February 17th 2017 2

Availability – this is the extent to which an organizations full set of computational resources are

accessible and usable. Availability can be temporary or permanent and a loss can be partial or

complete. Access to critical healthcare information may be interrupted by power outages,

equipment outages, denial of Service (DoS) attacks and natural disasters. It is hence important

for healthcare organizations to have a contingence plan to address disruptions. Organizations

should not rely on employing cloud services without sufficient recourse. A denial of service

attack involves saturating the target with bogus request to prevent it from responding to

legitimate requests in a timely manner. These kings of attacks are becoming more common. If

the data is stored in a location that experiences a natural disaster this may result in a more

prolonged disruption of services.

Data Location – this is a common compliance issue facing organizations as it is important to

consider where the data will be stored. A characteristic of many cloud computing services is that

data is stored redundantly in multiple physical locations and detailed information about the

location is often not disclosed. This makes it difficult to confirm whether sufficient safeguards

are in place or whether legal and regulatory requirements are being met. For example, National

Archives and Records Administration (NARA) regulation 36 CFR 1234 includes facility

requirements for the storage of records and stipulate a minimum height above and distance away

from a flood plain. When information crosses border it may be more difficult to regulate to

certain standards.

Trust – under the cloud computing paradigm an organization relinquishes direct control over

many aspects of security and privacy and in doing so confers a high level of trust onto the cloud

provider. Insider security threats can stem from current and former employees and can included

contractors, organizational affiliates and other parties that have received access to the
February 17th 2017 3

organizations network. Incidents can involve types of fraud and sabotage. There can also be a

lack of transparency of the cloud provider’s security and privacy measures and status as this

information is often proprietary and might be used to devise an avenue of attack. Another aspect

that encompasses trust is data ownership. The organization’s ownership rights over the data must

be firmly established in the service contract to enable a basis for trust and privacy of data.

1 http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

2 http://www.healthcareitnews.com/blog/cloud-today-and-tomorrow-why-hospitals-are-tripling-

use-cloud-services

3 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf

4 http://s3.amazonaws.com/rdcms-

himss/files/production/public/CS0405_Cloud_Security_Top10_Questions.pdf