Why Cloud-Based Services Are a Mixed Bag for Security
UPMC CISO John Houston on Dealing with Vendor Issues
Cloud-based services can be both a "blessing and curse" when it comes to dealing with security, says John Houston, CISO and associate counsel for the University of Pittsburgh Medical Center.
"For a large organization like UPMC, where we have a very sophisticated IT infrastructure, cloud makes our life more difficult. It introduces risk ... and complexity to us," he says in a video interview with Information Security Media Group. "For the smaller and midsized hospital, the cloud can provide a certain degree of relief in the context of information security."
Many cloud vendors have a more sophisticated security practice than the average smaller hospital, Houston argues. "So, by selecting a good cloud-based electronic health records system, for instance, you may be doing yourself a favor in terms of simplifying your security posture and allowing yourself to be more secure. But you've got to be careful in who you select."
In his role at UPMC, Houston, an attorney, negotiates most of the organization's large IT deals. "If I look back five years, less than 10 percent of the contracts I negotiated as an attorney dealt with cloud services. Today, it's 90-plus percent," he notes.
That shift to the cloud has changed how larger organizations, such as UPMC, assess risk, he says. "One of the biggest challenges in the industry is that it's difficult for anyone to assess risk of these cloud services," he says.
Those challenges often include a lack of transparency from vendors, and an unwillingness by them to provide "substantive information" needed for healthcare entities to appropriately and continually manage their risks, he says.
"We as a healthcare industry need to ... force the vendors to subscribe to some kind of [security] framework ... [so] we can look quickly and say, 'OK, they're doing the right thing in respect to security.' However, unfortunately it seems that every time we engage a cloud vendor, we have to go through a de novo process to assess risk. And then every year we have to reassess risk, so it becomes a very tedious and difficult process."
In the video interview conducted at ISMG's recent Healthcare Security Summit in New York, Houston also discusses:
- The biggest changes the healthcare sector has been seeing in cyberattacks and breaches this year;
- The threat of ransomware and why it should be treated like other malware;
- Cybersecurity predictions for the healthcare sector for 2017.
Houston is vice president, information security and privacy, and associate counsel for University of Pittsburgh Medical Center, an $11 billion health system. At UPMC, Houston handles such issues as privacy, information security and legal matters associated with the acquisition, licensing and use of technology. He is an adjunct assistant professor in the department of biomedical informatics at the university's school of medicine.