There has been a tremendous growth in the online availability of digital patient records due to the technological advances in communications. The patient records may contain: 1) patient personal data, such as name, age, address and date of birth; 2) historical health data such as the persistent health risks, diseases in the past, the current health condition; 3) financial data such as bank account information; 4) government concessions; 5) Friend of a Friend (FoaF) information such as related-to, lives close-to; 6) future plans; and 7) miscellaneous information such as the details of the assistance required, parking status, vehicle information and emergency contact details. There are incentives for the reduction of costs and the optimization of process flow in the digitization of records. The historical records of patients are further shared around when they are transferred from one healthcare facility to the next or in future examinations. From the growth in technology, the digitization of patients’ records and work flows has reached a record high. However, patient data is in high demand by cyber criminals and the most of the attacks were aimed at the healthcare infrastructure [1]–​[4]. With patients’ lives often depending on connected systems, it is critical that immediate solutions are found. Recently, the incidents reported in the month of September 2017 by HIPAA Journal [5] shows that 76.81% of health information with the number of 363,364 records were exposed. In fact, since its infancy, the digital healthcare industry has faced crippling threats in the form of ransomware, information theft, and records compromise.

In the medical healthcare sector, cloud computing is considered to be an immediate remedy, because it is scalable as well as economical. This sector demands the infrastructure of computing by the means of quality service levels, but if the infrastructure is not configured and maintained properly, it is highly vulnerable to data breaches [6]. The main tenet in the adoption of cloud computing is the sharing of the risk with the client, which is opposite to the customer managed risk [7]. In addition to risk management, the medical sector is attracted towards cloud computing due to the absence of any other definitive solution that can provide the level of services required and is capable enough to counter the frequent data breaches. Several budding companies have offered cloud computing services products that have not been adequately qualified for or mapped to the needs of the customers (in this case, the healthcare industry) such as open flow capability, the needs of connected data, and support for multi-format data in a mutual, and virtualized milieu. Cloud computing is categorized into three service models [8] as illustrated in Figure 1.

FIGURE 1.

Cloud service models.

Show All

One of the cloud computing models known as Infrastructure as a Service (IaaS) suits both the service providers and the service customers better as it shares the risks equally among all the parties [9]. The incentives that are envisioned from cloud adoption are, 1) Workflow Optimization, 2) Data Security, 3) Infrastructure as a Service, and lastly 4) Passive supervision of connected medical devices. The optimization of workflow is essential for the people who are dealing with the public, especially with healthcare organizations because of the high probability of the use of distributed data update models. The host organizations must ensure the availability and governance of the data to enable dynamic workflows [10]. The sharing of the data increases the attack space, and the exposure to a wider audience creates difficulties to solve data security problems. When the data is stored in a centralized location, and is transmitted by applying symmetric data encryption techniques, the deployment and maintenance costs will go beyond cost tolerance thresholds [11].

One of the essences of cloud computing models is the cost sharing model in the technological infrastructure. Different models of infrastructure are compared in [12] and the authors have come to the conclusion that cloud computing models share the cost of operations as well as the cost of the risks. The passive supervision models, although not widely practiced, are a paradigm that we envisage will prevail in the administration of future medical devices. This remote supervision model requires the least cost [13] if applied using cloud computing models.

Therefore, cloud computing exhibits numerous advantages, but also presents various issues that cannot be ignored. Most noteworthy hurdle in the adoption of cloud computing is the security followed by such other matters as isolation. Since, cloud computing signifies a comparatively novel computing representation at every level, like applications, hosts, network, and data, that in turn raises the issue of the application safety to shift towards Cloud Computing [11], [14]. The indecisions and pressures could cause the adoption of solutions that are without the required level of safety that is still a concern with cloud computing. Issues related to cloud security could cause serious threats, for example, exterior data storage space, reliance on public Internet, multi-tenancy, power issues, and the interior safety. In contrast to customary technology, cloud computing has many distinct characteristics, as the range of assets that belong to the cloud contributors are completely disseminated, diverse and entirely virtualized. Conventional safety measures such as distinctiveness, verification, and endorsement are no longer adequate when intended for cloud computing architectures [15], [16].

Since there are many cloud representations that are adopted, with different types and levels of expertise utilized to facilitate numerous cloud services, cloud computing represents diverse hazards to businesses besides conventional Information Technology (IT) solutions [17]. The architecture of cloud computing systems involves numerous cloud components that interrelate with each other ultimately to help the client in acquiring the required data more quickly. The user on the front end only needs to be served, whereas on the backend there are massive data storage devices, with servers working in a distributed manner that makes the cloud.

In this paper, we demonstrate the similarity of the security aspects of cloud computing models, by identifying the critical assets in the HIS, the threats, and by assessing the impact on the HIS. We present the review of the related literature in section 2. The research methodology is presented in section 3 and the risk determination techniques in section 4. The results and their analysis are presented in section 5 and we conclude the paper in section 6 with a summary of our contributions and a discussion of future research directions.

A typical healthcare information system is shown in Figure 2 where the physical and the logical sections of the network are divided into different subnets as per requirements of a healthcare enterprise. A healthcare enterprise is well connected to medical research backbones, Medicare Advantage Plan (MAP)/MAP Remittance Advice Notice (MRAN), and other healthcare enterprises on high speed data links. A Management Information System in HIS provides support to the administrative tasks and is normally kept on a separate subnet. The other legacy systems, i.e., public switched telephone network (PSTN), are also connected to the edge routers in a HIS in a separate section of the network. In cloud computing, platforms of networking, software infrastructure plus storage is provided as services to level up or level down depending on claim. Typically, cloud infrastructures are classified into three deployment models as presented in Figure 3.

FIGURE 2.

Healthcare Information System (HIS) with cloud service support.

Show All

FIGURE 3.

Cloud deployment models.

Show All

The risk management process addresses the possibilities, that in future, may occur and cause disruption to the normal course of business continuity [26]. However, this definition is not accurate in the sense that, if the normal operation is susceptible to eavesdropping, in this case, the normal operation of the organization must be restricted [11]. Figure 4 describes the stages in a risk management cycle. The most important concepts in risk management are risk analysis, assets identification and evaluation, and threat identification.

FIGURE 4.

Risk management process.

Show All

B. Assets Identification and Evaluation

In this paper, we use the ENISA guidelines [29] to identify the critical assets in a Healthcare Information System (HIS) as given in Table 1. According to the guidelines, the first step is to build threat-based asset profiles by identifying and examining the critical assets. According to the rules ironed out in the literature [30], [31] the assets are assigned a Perceived Value (PV) to distinguish them from each other.

TABLE 1 List of Assets

C. Threat Identification

Table 2 is constructed from the threats register maintained by the Cloud Security Alliance (CSA) [28].

TABLE 2 Nine Notorious Threats Identified by CSA

We discuss these threats as follows:

1) Data Breaches

A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment [18]. When patient data is accessed, viewed, shared, or utilized/processed without authorization or the patient or the data holder, i.e., the HIS administrator, the process is called a health data breach. An accidental exposure is highly likely when records like patient data is shared among HIS with varying security standards. Often this risk is acknowledged by the patient through information disclosure forms. The patient data breach risks may be increased because of outsourced services which evade the personnel, logical and physical controls.

2) Data Loss

Any event or process with consequences in data being deleted, corrupted or made illegible by a software, user or application is called data loss. This includes ransomware attacks on the HIS, accidental losses, and deliberate attacks on patient data in recent times. Data loss is also known as data leakage. It happens when the data owner or the requesting application can no longer utilize data elements. Data loss can take place while data is either in storage or transmitted over network.

3) Account Hijacking

A process by which the access controls associated with the user are taken away and are used for malicious purposes by an advisory, is called account hijacking. Account hijacking could be performed on an email, computer, or any other account associated with a computing device or service. It is a kind of identity theft in which an unauthorized or malicious activity is carried out by the use of stolen account information.

4) Insecure Interfaces and APIs

A typical cloud customer configures, interacts and manages his/her cloud infrastructure by a set of software interfaces or APIs. The accessibility and security of cloud services is dependent upon the security of these basic APIs. These configurations are shipped along with the typical security controls. If those controls are not enabled, the configurations of the APIs can be altered and the whole infrastructure may be compromised, e.g., this could happen if secure connections are not enabled or utilized, etc.

5) Denial-of-Service Attack (DoS)

When the attackers or hackers try to prevent valid customers from accessing an application or a service is called Denial-of-Service attack (DoS). In a DoS attack, excessive messages are sent by the attacker asking the server or network to authenticate requests having incorrect return addresses. When the server or network attempts to send the authentication approval, it will not be able to discover the return address of the hacker. This situation will cause the server to wait before terminating the connection. When the server terminates the connection, more authentication messages will be sent by the hacker with incorrect return addresses. Therefore, the process of sending authentication approvals and server waiting will restart, keeping the server or the network busy and the legitimate users will be denied of their services.

6) Malicious Insiders

This refers to the case where there is a deliberately misused or unauthorized access to an organization’s data, network, or system by its former or current employee, business partner or contractor. It is done in a manner that negatively affects the availability, integrity or confidentiality of the organization’s assets or information systems.

7) Abuse of Cloud Resources

An unauthorized use of cloud capabilities is classified as an abuse of cloud computing. Sometimes cloud service providers cannot maintain control over their infrastructure, which allows an attacker to abuse cloud services, e.g., by requesting repetitive free limited trials [32].

8) Insufficient Due Diligence

Sometimes organizations may be unaware of cloud service provider’s environment, general nature of cloud technology and related security threats and therefore exhibit insufficient due diligence. HIS administrators should have cloud and security experts in their teams so that the organization can avail their skills and avoid unexpected behaviours from the infrastructure. Without expert knowledge, the adoption to cloud which may lead to more troubles than benefits.

9) Shared Technology Issues

One of the key features of cloud computing is multi-tenancy. In this type of an architecture, shared resources are provided to multiple users, to accomplish scalability. Cloud providers deliver their services to multiple customers to share the same application, platform and infrastructure. This joint nature may result in the disclosure of data to other users, and also due to a single fault, a hacker could possibly observe all the other data.

D. Vulnerability Identification

Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy [27], [33]. It is essential in a risk assessment process to identify the known vulnerabilities to protect the data and infrastructure from attacks caused by the known vulnerabilities as listed in Table 3.

TABLE 3 List of Vulnerabilities in Cloud Adoption

Grobauer et al. [34] define vulnerability as “the probability that an asset will be unable to resist the action of a threat agent”. The research by Grobauer et al. determines the risks and identifies cloud-specific vulnerabilities that could affect any cloud environment.

E. Risk Assessment

In the literature [33], [35], [36], a risk assessment framework is proposed which is a three-step process. The details of the three steps are provided in the following sections:

1) Likelihood Determination

In [33], the threat likelihood is defined as “to derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment”. We aim at determining the breach likelihood to the critical assets identified in Table 1. We consider the results from the vulnerability identification where each vulnerability is evaluated and assigned a numeric value and a likelihood level. The numeric value ranges from 0.1 to 1.0. A value of 0.1 means that the probability of a vulnerability being exploited is very low while a value of 1.0 means that the probability of a vulnerability being exploited is very high. The vulnerability likelihood levels are defined as very high, high, medium, low and very low. Here, a high level means the threat source has high motivations or capabilities to exploit a certain vulnerability while a low level indicates the lack of required skills and incentives to exploit the given vulnerability. Table 4 shows the mapping of each vulnerability and its likelihood level and rate.

TABLE 4 Relationship of Threat and Vulnerabilities

2) Impact Analysis

During impact analysis, we assess the loss impact of each asset based on its value. Similarly, the impact level is divided into five levels or severity: very high, high, medium, low and very low. These values represent educated guesses over a wide range of common cloud deployments and do not have a precise semantics. In practice, the risk levels are related to the values of assets where a high value asset may have a high impact to a particular scenario while a low level asset may have a low impact. Each asset is given an impact value that ranges from 1 to 5 as shown in Table 5.

TABLE 5 Perceived Value of Impact and its Corresponding Numeric Scale

Table 5 shows the impact of threats ($\text{t}_{i}$ ) in non-security configured public clouds. From Table 5, this research estimates the value of an asset based on how a threat impacts given assets. Then, it calculates the total value of each asset and finds the average as follows:

The impact factor of a threat event (Imp$_{\mathrm {e}}$ ) is calculated by dividing the total of the impact factors of affected assets (Ast$_{\mathrm {i}}$ ) by the number of affected assets (n).

$$\begin{equation} {\mathrm {Imp}}_{\mathrm {e}}=\frac {1}{\mathrm {n}}\left ({\sum \limits _{\mathrm {i}=1}^{\mathrm {n}} {Ast}_{i} }\right) \end{equation}$$ View Source\begin{equation} {\mathrm {Imp}}_{\mathrm {e}}=\frac {1}{\mathrm {n}}\left ({\sum \limits _{\mathrm {i}=1}^{\mathrm {n}} {Ast}_{i} }\right) \end{equation}

Assuming that the breaches in HIS have a Bayesian distribution, from [37] the reparative breaches can be modelled as:

$$\begin{equation} \mathrm {Sn} \sim \mathrm {Lognormal}\left ({\mu, \tau }\right) \end{equation}$$ View Source\begin{equation} \mathrm {Sn} \sim \mathrm {Lognormal}\left ({\mu, \tau }\right) \end{equation} where, $$\begin{align} \mu=&\beta _{0}+\beta _{1}+\text {t}_{1}+\beta _{2}\text {t}_{2}+\beta _{3}\text {t}_{3}+.\ldots +\beta _{n}\text {t}_{n} \\ \beta 0\sim&\text {N} (\log (\text {Sn}),1) \\ \beta \text {i}\sim&\text {N} \left ({0,\frac {1}{\text {Var} [\text {t}_{i}]}}\right) \\ \tau\sim&\text {Gamma (1,1) as randomize the variable} \end{align}$$ View Source\begin{align} \mu=&\beta _{0}+\beta _{1}+\text {t}_{1}+\beta _{2}\text {t}_{2}+\beta _{3}\text {t}_{3}+.\ldots +\beta _{n}\text {t}_{n} \\ \beta 0\sim&\text {N} (\log (\text {Sn}),1) \\ \beta \text {i}\sim&\text {N} \left ({0,\frac {1}{\text {Var} [\text {t}_{i}]}}\right) \\ \tau\sim&\text {Gamma (1,1) as randomize the variable} \end{align}

If follow the Operationally Critical Assets Vulnerability Evaluation (OCTAVE) method from [27], we may estimate the risk exposure as follows:

$$\begin{equation} Sn \sim Lognormal \left ({\sum _{i=1}^{i=n}(\mu _{i},\tau)}\right) \end{equation}$$ View Source\begin{equation} Sn \sim Lognormal \left ({\sum _{i=1}^{i=n}(\mu _{i},\tau)}\right) \end{equation} We propose the Impact factor of a threat event as the sum of the impact of all the assets that affect the given threat, then divide it by number of affected assets as shown in Table 6 as graphically represented in Figure 5. From Table 6, impact factor which is also known as risk exposure can be used as, for instance, a threat having an impact factor greater than 4 will be considered as having a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A threat with an impact factor between two and four is considered as having a serious adverse effect on organizational operations, organizational assets, or individuals. A threat with an impact factor of less than two will have a limited adverse effect on organizational operations, organizational assets, or individuals.

TABLE 6 Impact of Threats in Non-Security Configured Cloud

FIGURE 5.

Risk exposure of the identified threats to health information systems.

Show All

3) Risk Determination

In Table 7, we map the countermeasures for each threat, which we identified for each asset in Table 6. This helps narrow down the threats space. However, the countermeasures against each threat are the ones that are reported in the literature [3], [38]–​[40]. It is highly likely that more effective countermeasures may exist for each threat that has been highlighted in this research. We aim at investigating the best suited set of countermeasures in future work. A measure of risk exposure is provided in Table 8.

TABLE 7 Security Threat Along With its Counter Measurements

TABLE 8 Impact of Threats in Security Configured Cloud

In Table 9, we provide a comparison between non-security configured and security configured public clouds. From Table 9, we see that impact factors are significantly reduced by applying counter measurements. In Figure 6, we present our findings from an empirical analysis of security configured cloud infrastructures and non-security configured infrastructures. The figure shows that the overall impact of threats is lower than the impact of threats in non-security configured clouds. By non-security configured clouds, we refer to hybrid clouds, the cloud computing environments where security practices are not considered as a primary concern.

TABLE 9 Comparison of Impacts Between Non-Security Configured and Security Configured Cloud

FIGURE 6.

A Comparison between non-security configured and security configured clouds.

Show All

The results are contrary to the common misconception that a private cloud infrastructure may be more secure than a public cloud infrastructure, in general. An important aspect in both of the paradigms, that is public and private clouds, is the presence of key security countermeasures.

We plan to present a further account of those key security countermeasures in our future work. Those countermeasures do not necessarily make a public cloud infrastructure an outright choice for the healthcare enterprises.

The emphasis is increased on authentication, authorization, and accounting (AAA) control, so the right people may be able to access information. The data ownership and rendering issues are also of considerable importance. Another challenge of public clouds is the juristic and cyber law about the “hosting” of data in public clouds.

An increasing range of risks to digital healthcare industry due to the persistent threats, stimulates the acquisition and development of new technology. Cloud computing is seen as a quick fix to many security vulnerabilities in the healthcare and public health sector that are discussed in this paper. Despite their benefits, this paper presents the findings that highlight the hurdles in the adoption of cloud computing solutions. Furthermore, relevant risk factors are identified and classified, which ultimately slow down the adoption of cloud computing in the medical sector. In addition, the assets in a healthcare system and their criticality that effects the overall integrity of the HIS are identified, and the vulnerabilities are tabled. Such details help us determine the impact of a breach and risk exposure of the components. The presented analysis demonstrates that the use of cloud computing environments can reduce the said vulnerabilities and alleviate the threats to the integrity of the HIS.

We plan to present a more detailed account of the listed key security countermeasures in our future work. Another challenge of public clouds is the juristic and cyber law about the “hosting” of data in public clouds, which we will also address in our future research.