There is a common misconception that it is not possible to properly secure PHI stored in the cloud. The cloud is seen to be a huge security risk – which it can be – but it is possible to secure PHI stored in the cloud, and that data may even be better protected by cloud service providers than it is when stored in-house.
New research appears to suggest that security fears about the cloud, while not unfounded, are being overstated by CIOs and CISOs, while the risks of in-house storage are being underestimated.
Alert Logic’s fall 2012 ‘State of the Cloud Security’ Report suggests that the location of stored data is largely irrelevant; attacks are likely to take place no matter where the data is located. A data breach also appears to be just as probable in the cloud as it is with locally stored data. The report says attacks are opportunistic; if a security flaw is allowed to exist, it will be exploited if hackers discover it.
Web application-based attacks occur in service provider and in-house environments, with the cloud appearing to be more vulnerable. However, analyses of recent data suggest the reverse may be true. According to the report, 53% of organizations reported attacks in a cloud environment compared to 44% suffering on-premises security incidents. However, the number of attacks suffered by the average user of the cloud is 27.8%, compared to 61.4% affecting on-premises environment users, who are also more susceptible to brute force attacks.
Many of the fears appear to stem from the thought that cloud-stored data is totally outside the control of an organization, while in-house data storage is much easier to safeguard. It is, after all, harder to control data stored on a server that is owned and controlled by someone else. It would appear that this is something of a myth. It may be easier to control data, but that does not mean it is easier to secure.
Fewer incidents occur in the cloud, not because it is inherently more secure, but because greater planning and technology are used to keep cloud-stored data secure. The cloud is viewed as being an insecure storage medium, so greater efforts are made to protect stored data. As a general rule, the same diligence and attention to detail are not applied to in-house systems. As a direct result of this lack of attention, in-house data storage systems are more likely to have security vulnerabilities, making a successful attack more likely.
How to Secure PHI Stored in the Cloud
It is vital that security and governance requirements are understood for each data storage system, wherever it is located. For healthcare providers and other HIPAA-covered entities, it is essential that all the requirements of HIPAA are understood. Consider segregating stored data, and applying controls appropriate to its sensitivity.
Data access must also be carefully controlled. Who is given access to data, and how data is accessed, is much more important than where data is located. Find vulnerabilities and address them, or else a hacker is likely to find them and exploit them.
In order to identify vulnerabilities, a data storage system must be subjected to a rigorous risk assessment. Internal audits can be conducted, but often vulnerabilities are missed. If you want to make sure that no stone is left unturned, it is best to call in the experts. Consider employing outside contractors specializing in cloud security.
The cloud may appear insecure, but in reality it is not, provided the appropriate security controls are used. It is possible to secure PHI stored in the cloud, and to make data even more secure than it is on in-house systems.