The Case for CASB: Healthcare


This post was originally published here by Rich Campagna.

Over the past couple of years, Cloud Access Security Brokers (CASBs) have gone from a nascent, barely known technology to the de facto standard for secure public cloud enablement in every enterprise vertical. Early on, it’s tough to draw patterns across industries, but once you have a few hundred enterprise deployments under your belt, it becomes quite interesting to observe how organizations in one industry use the same technology (CASBs) in an entirely different way than organizations in another industry. 

With that in mind, I’m creating a series of blog posts to cover some of the key differences in CASB usage that we see across industries. First up? Healthcare.

Like most industries, healthcare organizations are adopting cloud applications at a very rapid clip. Most start with major SaaS applications (like Office 365), but once they get a handle on security and compliance, they start expanding their cloud footprint, with even applications like Electronic Medical Record (EMR) systems moving to the cloud. Across this massive change, the organization must still comply with HIPAA – no small feat.

So what are the big security and compliance drivers that lead healthcare organizations to adopt a CASB?

  • Protecting PHI and Complying with HIPAA
    This one is quite obvious, but this post wouldn’t be complete without mentioning it. Protected Health Information (PHI) makes its way to cloud applications, and not just EMR and other clinical systems designed to store PHI. Email and files, via productivity suites like Office 365, typically contain PHI as well. The organization’s cloud footprint must have mechanisms in place to identify PHI, to eliminate access by unauthorized individuals, and to control the flow of PHI out of cloud applications. Healthcare organizations use either keyword- and regular-expression-based DLP policies or, increasingly, exact data match capabilities, where EHR data is exported from an application like Epic, tokenized, and uploaded to a CASB DLP engine to provide matching on patient data with much less risk of false positives.
  • Protecting Data that Leaves the Cloud
    Healthcare organizations have gotten comfortable with the fact that major cloud vendors are investing heavily in security, and doing a pretty good job of protecting data-at-rest, so their primary objective is to protect data once it leaves the cloud, via mechanisms such as BYOD and external sharing. 
    Note that this is in contrast to other industries, like financial services, where a big driver is to keep sensitive data from getting to the cloud.
  • Protecting Data on BYO Devices
    Most healthcare workers are mobile, requiring access from both home and from the bedside alike. Complicating matters is the fact that clinical staff are not typically employees of the organization. This makes it even harder for IT to impose management control over personal mobile devices than it is with employees, and impossible if that user’s device is already controlled by another organization’s EMM/MDM solution.
    Regardless of these challenges, the organization must continue to protect PHI and other sensitive data that is synchronized or downloaded to both managed and unmanaged devices.
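To make the exact data match point from the first bullet concrete, here is an added illustration (not code from the original post or from any CASB vendor) of why tokenized matching produces fewer false positives than a regex alone. The EHR records, the token key, and the sample email are all constructed for the example; the MRN format and the HMAC-based tokenization are assumptions, not a description of any specific product.

```python
import hashlib
import hmac
import re

# Constructed sample EHR export (not real patient data). In the workflow the
# post describes, this would be exported from the EMR, tokenized before it
# leaves the organization, and only the tokens uploaded to the CASB DLP engine.
EHR_EXPORT = [
    {"mrn": "4821937", "last_name": "Rivera"},
    {"mrn": "7730211", "last_name": "Okafor"},
]

# Secret held by the organization; the CASB only ever sees keyed-hash tokens.
TOKEN_KEY = b"example-key-do-not-use-in-production"


def tokenize(value: str) -> str:
    """Normalize a field value and replace it with an HMAC-SHA256 token."""
    normalized = value.strip().lower()
    return hmac.new(TOKEN_KEY, normalized.encode(), hashlib.sha256).hexdigest()


def build_edm_index(records):
    """Set of MRN tokens for matching; raw MRNs are never stored in the index."""
    return {tokenize(r["mrn"]) for r in records}


# Assumed MRN format: a bare 7-digit number (constructed for the example).
MRN_PATTERN = re.compile(r"\b\d{7}\b")


def regex_matches(text):
    """Keyword/regex DLP: every 7-digit number is treated as an MRN."""
    return MRN_PATTERN.findall(text)


def edm_matches(text, index):
    """Exact data match: a candidate only counts if its token is in the index."""
    return [c for c in MRN_PATTERN.findall(text) if tokenize(c) in index]


SAMPLE_EMAIL = (
    "Please review the chart for MRN 4821937 before rounds. "
    "Also, invoice 1234567 from the vendor is attached."
)

if __name__ == "__main__":
    idx = build_edm_index(EHR_EXPORT)
    print("regex flagged:", regex_matches(SAMPLE_EMAIL))     # both numbers
    print("EDM flagged:  ", edm_matches(SAMPLE_EMAIL, idx))  # only the real MRN
```

The regex alone flags the vendor invoice number as PHI, while the exact data match only fires on the number that actually appears in the exported patient records.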

In summary, healthcare organizations are adopting cloud applications, and their leading objective is to protect patient data as it leaves the cloud – with the top concerns being BYOD and external sharing.
