Posted: 20 Jul. 2023 5 min. read

Cloud cybersecurity in health care

Part one: Data risk management and increased multi-cloud security

A blog post by Justin Rowe, Managing Director, Cloud Security and Data Risk, Deloitte & Touche LLP; Shubhangi Garg, Manager, Cyber and Strategic Risk, Deloitte AERS India Pvt L and Anurag Mishra, Senior Consultant, Supply Chain and Network Operations, Deloitte CON India Pvt Lt


As with other industries, health care organizations have been rapidly migrating to cloud computing, largely because of cloud’s ability to help them modernize their information technology (IT) infrastructure. Cloud computing also brings new opportunities for health care organizations to adapt their security capabilities to mitigate risk presented by advanced threats while meeting the needs of a distributed workforce and customer base.

In this two-part blog series we’ll discuss several cloud cybersecurity topics. In this first part, we’ll talk about management of data risk in cloud and increased security visibility across multi-cloud architectures. In part two we’ll cover enabling policy automation to manage cloud configurations and shifting left to secure the cloud architecture.

Management of data risk in cloud 

Health care organizations moving data to cloud sometimes struggle to gain visibility into which data they have migrated, who and what systems have access to that data, whether that data is secured at rest and in motion via encryption capabilities, and the volume of data that is proliferated within cloud (which leads to an ever-expanding attack surface).

Therefore, it’s essential to perform a data risk assessment within the early stages of a cloud migration and/or when a new application is being built. Without a risk assessment, it’s difficult to estimate the likelihood of a security incident. Because secure data is critical to the effective performance of enabling effective health outcomes, risks need to be identified, assessed, and quantified, and controls should be implemented to manage data risk.

To maximize the effectiveness of data risk management in cloud, determining what data risks the organization faces is crucial from the outset of migration. These risks could include regulatory compliance requirements, classification and criticality of data, the data life cycle, access management of data, as well as internal and/or third-party usage of the data. To this end, having a clear understanding of the “shared responsibility model” with cloud providers (i.e., knowing what each party is responsible for, specific to data in cloud) is one of the many critical components of managing a cloud implementation.

Further, via measurement and quantification of data risk, organizations should design and implement risk controls—leveraging either native cloud or third-party capabilities. Cybersecurity controls for data will vary based on use of detective, preventive, and corrective features and functionality. Data discovery and classification are also foundational controls that should be in place to sustain visibility into what data is in cloud, the sensitivity/criticality of that data, and the view of data flows and lineage of systems and users accessing the data.

Additional controls can also be applied while data is in motion and at rest. These controls include data encryption—including tokenization, masking, etc.—as well as data loss-prevention controls to monitor for data exfiltrating the organization against policies that dictate authorized versus unauthorized business processes. Bottom line: Continuous visibility and implementation of data risk controls will help enable health care organizations to better focus on protecting their business and their patients’ and members’ safety, health, and wellness.

Increased security visibility across a multi-cloud architecture

The adoption of multi-cloud architecture is steadily growing in the health care sector. To remain competitive and operationally efficient while minimizing security and privacy risks, a large majority of health care providers are electing to modernize their data centers and IT operations using hybrid and multi-cloud platforms. However, challenges remain as organizations deal with the complexity of securely managing interoperability and integration across technical borders in a highly regulated landscape.

Further, the lack of a well-thought-out, secure implementation strategy, fueled by the inherent complexity of a multi-cloud environment and technical debts, can make it difficult for organizations to create and secure hybrid cloud operations (such as building a hybrid cloud DevOps pipeline). Platform-specific, inconsistent approaches to monitoring and reporting security risks and vulnerabilities using disparate cloud-native tools and processes can also hobble the ability of security leadership and management teams to derive meaningful insights into critical risks and security priorities.

Integrating data across clouds as well as application mobility and interoperability also increase cost management and governance complexity, and it can also make security management more difficult. What’s more, with the lack of key cybersecurity skills across the health care sector, it is becoming increasingly difficult to provide consistent, secure, and efficient operations across a hybrid infrastructure.

One part of the solution to these issues is to develop and implement a set of common security requirements, processes, and monitoring and reporting tools that can be implemented across cloud platforms. Such a single-pane view of operating platforms and workloads across multiple clouds is essential for detecting, investigating, and responding to cyber threats. As an example, organizations could develop cloud-agnostic operating models that abstract cloud-specific authentication models and centralize user accounts, roles, and policy definitions. 

Organizations could also simplify management by establishing a single cloud security function to manage and secure operations across cloud platforms, as well as leverage standardized templates to operate, manage, and track compliance. Along with the security function, it’s essential to build a collaborative culture to simplify governance, reporting, and knowledge sharing through platform-engineering teams.

Health care organizations could also upgrade their IT processes and tools by identifying automation and abstraction opportunities and move toward self-servicing and consolidation of native tools. Further, they could update existing pipelines to accommodate cloud-native applications and containers, perform automatic software upgrades and continuous testing, and add security checkpoints to promptly report compliance violations and security failures.

Looking forward

Cloud migrations are rarely simple, and security issues can make them more difficult. Therefore, it’s essential to manage risk—especially data risk—and establish security visibility, particularly over multi-cloud architectures. In part two of this blog series, we’ll look at two more security issues—enabling policy automation to manage cloud service configurations and shifting left to secure the cloud architecture.

Interested in exploring more on cloud?

Get in touch

David Linthicum

David Linthicum

Managing Director | Chief Cloud Strategy Officer

As the chief cloud strategy officer for Deloitte Consulting LLP, David is responsible for building innovative technologies that help clients operate more efficiently while delivering strategies that enable them to disrupt their markets. David is widely respected as a visionary in cloud computing—he was recently named the number one cloud influencer in a report by Apollo Research. For more than 20 years, he has inspired corporations and start-ups to innovate and use resources more productively. As the author of more than 13 books and 5,000 articles, David’s thought leadership has appeared in InfoWorld, Wall Street Journal, Forbes, NPR, Gigaom, and Prior to joining Deloitte, David served as senior vice president at Cloud Technology Partners, where he grew the practice into a major force in the cloud computing market. Previously, he led Blue Mountain Labs, helping organizations find value in cloud and other emerging technologies. He is a graduate of George Mason University.

Justin Rowe

Justin Rowe

Managing Director | Cloud Security and Data Risk

Focused on serving the Life Sciences and Health Care industry, Justin is currently leading teams to bring cybersecurity expertise to our clients to build cyber risk management program on-premises and in the cloud through various native and third-party capabilities. He leads a professional services team to secure cloud deployments within Amazon Web Services, Microsoft Azure, and the Google Cloud. In addition, Justin leads teams to build cloud data risk program strategies and architectural designs as well as implementation and operationalization of Cloud Security Posture Management, Data Loss Prevention, Cloud Access Security Broker, Data Discovery, and Data Classification capabilities. As a U.S. Air Force veteran, Justin is a strong advocate of our Hire our Heroes Fellowship program within Deloitte Risk and Financial Advisory.