Tech & Innovation in Healthcare

Reader Questions:

Protect Cloud Information Systems With Proper Security Controls

Question: I know several healthcare practices that use the cloud to back up important data in the event of a cyberattack. How important are adequate security measures for cloud use in healthcare?

Minnesota Subscriber

Answer: Regardless of whether your healthcare organization is storing data on a computer, tablet, local server, or the cloud, you need to be deploying the strongest security measures possible to ensure the data is protected from breaches and other cyberattacks. In fact, the Department of Health and Human Services Office of Inspector General (HHS-OIG) recently issued its findings of an HHS cybersecurity audit.

In July 2024, the HHS-OIG performed the audit to examine if HHS and its operating divisions have deployed effective cloud information systems cybersecurity controls that comply with Federal security requirements. The OIG analyzed the configuration settings of the HHS Office of the Secretary’s (HHS OS) cloud environment, performed penetration testing of certain cloud systems between June and July 2022, and initiated two email phishing campaigns with a sample of HHS OS personnel and cloud users.

The HHS OS correctly identified the components of the assessed cloud systems, but it was unable to identify and inventory all of the cloud systems per HHS security requirements. Also, several crucial controls weren’t implemented, which violates Federal requirements.

In the published audit, the HHS-OIG recommended implementing cloud security assessment tools to identify misconfigurations and other vulnerabilities within the cloud services. The OIG also recommended creating and deploying policies and processes that ensure System Security Officers for the cloud systems have the qualifications to fulfill the role.