By Ian Apperley
There is enough fear, uncertainty, and doubt (FUD) to sink an armada when it comes to Cloud. At the top of that list is Privacy and its ugly twin Security. These are often cited as reasons for not using Cloud and retaining old and increasingly archaic infrastructure when the reality is that Cloud is more secure than the bulk of businesses ICT services in New Zealand already.
I’m going to use the National Health IT Board in New Zealand as a case in point where an organisation has taken this FUD up without actually appearing to qualify the risk.
“Unless an exemption is granted by the National Health IT Board, all personally identifiable health information and core operational data must be fully domiciled in New Zealand.”
The NHITB considered the following risks when making its decision to retain personally identifiable health information within New Zealand:
trust in data security and privacy in the Cloud, loss of control, and uncertainty over Cloud providers’ (and the jurisdiction’s) alignment with New Zealand’s health information security and privacy requirements
uncertainty and unpredictability regarding performance, reliability and support
unauthorised access or use of health information about New Zealanders by the Cloud provider or third parties
The message here is plain. All health data must be stored within New Zealand because Cloud providers are less secure, privacy breaches are more likely, loss of control over ICT Services is possible, Cloud providers may not be around, performance is at risk as is reliability, and unauthorised access to information is a likelihood.
This unsubstantiated and lengthy risk statement couldn’t be further from the truth.
Here are some facts about Health Information breaches in general. Now, these stats are from a pre Cloud world, granted they are US based, but given that the US is well ahead of us we can safely assume our stats are worse.
- 94% of healthcare organisations have suffered a data breach in the last two years.
- Nearly 20 million patient records have been compromised in the past two years.
- The cost of those breaches is $7B per annum.
- 45% of organisations have been breached more than five times in the past two years.
Cloud is secure as you want to make it. At the end of the day though, it is still your business responsibility to ensure that that security is maintained and privacy ensured as a consequence. Once again, it is not the fault nor role of ICT to ensure Privacy of information.
So. Let’s imagine that I am going to store my Health Data in Amazon.I pick Amazon because its the easiest example, you could pick any other large global provider or local provider for that matter.
Health Data is less secure in the Cloud
You can encrypt your data at source to whatever level you like. Personally, I use 256 bit encryption. Then, you can encrypt your tunnel to Amazon as well. So your data is not only encrypted, it is then sent encrypted as well.
That may not be enough for you, so you should know that Amazon is certified SOC 1 Type 2, ISO270001, supports PCI, has FISMA Moderate Compliant controls, and has HIPAA & ITAR compliant architecture.
Still not enough?
The data centres are in discrete locations and physical access is strictly controlled. Anyone who wants access has to pass two factor authentication, twice.
There is a level of uncertainty and unpredictability regarding performance, reliability and support of Cloud Services.
Amazon is the largest Cloud provider on the planet. It has around 70% of the market share. Its not going anywhere in a hurry.
Amazon is in Sydney with at least three data centres well away from each other, so latency is quite good, as is failover.
They will offer you 99.999999999 availability on certain services. Yes, eleven nines.
As for performance, you can scale out to the size of well, Amazon.
Unauthorised access or use of health information about New Zealanders by the Cloud provider or third parties
Unless those parties have a super computer or you didn’t encrypt your data then this is pretty much impossible.
It’s not in New Zealand
So. If it bothers you that much, keep a copy of the data in New Zealand as well, its cheap enough.
Loss of control
Ah. The real reason for the parochialism. Loss of control.
There is this unfounded suspicion that if we put services into Cloud we’ll lose control. It’s a ridiculous argument at the end of a number of arguments that are without basis.
You are still responsible at the end of the day for the delivery of your ICT services in a safe, reliable, and secure manner. No one else is. Amazon isn’t. All of Government IaaS isn’t. You are. It’s all you can eat security for all you can pay. There is no loss of control, in fact with the tools available today, there is more control than ever before.
The continuing FUD around Cloud services is incorrect and unhelpful. Passed off as “advice” making it more potent.
Any move to Cloud needs to be considered with a strong view to risk. However, on balance, moving your services to Cloud is likely to significantly increase your security, reliability, and performance.
Risk must be qualified.
I’ve picked on the National Health IT Board, yes, there are many other examples that echo the same FUD. It just happens that was one that was pointed out to me.
While we are sitting around NOT using Cloud, consumers are. Another statistic shows that 20% of us already store our health information in the Cloud. The horse has bolted well and truly.
The CIA is using the Cloud. Hard to argue with that one.
Cloud is more secure, more scalable, better performing, cheaper, and more reliable than your old data centre in your head office.
There is a caveat of course, I understand that, New Zealand Health Information Systems are generally a hodge podge mixture of custom built applications on varying platforms that then have hodge podge custom built interfaces to each other and the Ministry. Point being, they don’t lend themselves well to being transitioned to Cloud.