|By Gilad Parann-Nissany||
|September 16, 2012 10:00 AM EDT||
Healthcare “as a Service” providers are coming up strong in the market right now. It’s a growing segment, attracting a lot of interest from businesses and investors, but as expected, cloud security, and more specifically cloud encryption and HIPAA requirements, is critical customers considering a healthcare application as a service. In this article I’ll review some aspects as well as relate to data security solutions such as split-key management.
Common aspects of Healthcare SaaS solutions
Our recent conversations with Healthcare SaaS providers have highlighted several common aspects, across many solutions.
Obviously, they all need to be “cloudy” (else they would not be SaaS providers). Their customer will access them through the web and their business model includes a pay-as-you-go component. They need their underlying infrastructure to support this model.
Healthcare SaaS providers want to use IaaS and PaaS (Infrastructure as a Service and Platform as a Service). This is helpful for their business model. If your solution is offered pay-as-you-go, it really helps if your infrastructure cost is also pay-as-you-go.
Healthcare SaaS providers have serious security needs. The data they hold is invariably of a sensitive and private nature, therefore cloud encryption and cloud security must be part of the architecture. To this end, they are focused on complying with measures such as HIPAA.
One obvious need is for secure infrastructure. A growing number of cloud providers offer infrastructure that can be secured and made compliant. This does not by itself mean the solution is secure and compliant, it means that the infrastructure can be secured; but the SaaS provider must use it correctly.
Another necessary set of security measures is cloud encryption and cloud key management. This is required for compliance, and even more important: it is the one strong way to achieve strong protection even when breaches occur. If a data store is breached yet the data is encrypted, the attacker cannot get their hands on the sensitive data.
Data Ownership and Healthcare SaaS
A more subtle requirement relates to Data Ownership. Many Healthcare SaaS providers want to promise their customers that even the SaaS provider itself – cannot read their data. Let’s take a look at some business cases that illustrate this:
- A Healthcare “Big Data” provider wants to analyze the information from multiple health case studies, and provide analytics on top of them. Their typical customer can be a health organization gathering clinical data on thousands of people. The SaaS provider wants to promise the customer that they will provide the service, yet their own SaaS staff will not be able to read the data they analyze.
- A Health Benefits provider wants to provide a tool so end-users (individuals) can manage their health benefits. They want to promise the end-user that only she sees her personal data; the staff of the SaaS provider cannot
These Data Ownership issues can be tricky. The SaaS provider offers a fully managed environment (“as a Service”) yet should not be able to read the data in its own environment.
Emerging solutions for Healthcare Data Ownership, Cloud Encryption and Cloud Key Management
Such issues are at the cutting edge of Cloud Security technology. Fortunately we are seeing some work in these areas emerging, which allows some critical aspects to be addressed. One example is split-key management, which allows a SaaS provider to offer a “master key” to their customers and users (read more about it on this whitepaper). This can be combined with additional measures, protecting access to memory and permissions, to ensure SaaS providers can do their work with the data, but the customer (or end user) owns it.
These breakthroughs enable an emerging business model. Healthcare SaaS providers can achieve secure, compliant solutions.
The post Cloud Encryption and Healthcare “as a Service” solutions appeared first on Porticor Cloud Security.