Healthcare IT Blog Series - 3 of 6 

(This is the third post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)

In the last blog of our Moving Healthcare to the Cloud series, we discussed why it makes sense for healthcare organizations to move their IT infrastructures to the cloud. In this blog, we examine the process for defining cloud migration projects.

Although every step in the overall cloud migration process is critical, just how well you define the project at the start could very well set the stage to streamline success—or cause a lot of pain along the way.

At a high level, you first need to decide exactly what to move to the cloud:

  • Which business functions? This covers the entire spectrum of the healthcare organization—from patient medical services to billing, procurement, insurance claims, compliance, human resources, marketing, communications and physical security as well as the general operations of buildings and grounds. Business processes to which end users require anytime, anywhere access from multiple devices—as well as those processes through which end users collaborate frequently—will likely benefit the most from moving to a cloud environment.
  • Which systems? You may discover that while it makes sense to move a certain business function to the cloud, the function may be supported by a legacy system that makes sense to keep on-premises for the short term. Older technologies may simply not work well in a cloud environment built on newer technologies. Perhaps it makes sense to wait until it’s time to upgrade the system before moving it to the cloud.
  • What data? Data is now just as secure in the cloud as it is on-premises. But there may be some systems containing data that you feel more comfortable keeping under your direct control. Over time, senior management may become more comfortable with storing sensitive data in the cloud, but in the near term, it might be best to go with what makes the boss happy!

Most organizations that move to the cloud end up utilizing multiple environments. While health records, financial systems and human resource applications will generally be moved to a private cloud, you may want to isolate them in separate environments. Other systems, such as email and marketing, could be moved to a separate, yet shared, public cloud in order to reduce costs.

Determine the Necessary Resources  

Another key aspect to defining a cloud migration project is determining who will play a key role. You will likely rely heavily on your primary IT partner—or one that specializes in the cloud—for designing your cloud environments. Depending on the services your chosen partner offers, you may also need to turn to another provider (or providers) to host your cloud environments.

Also, consider the internal resources you will need to coordinate the migration and to interact with your partners who maintain the cloud environment. In addition to IT resources filling these roles, you will want to secure the buy-in of the senior management team in getting the organization as a whole to realize and accept the benefits of cloud computing. Moving to the cloud involves a bit of a culture change in the way people interact with applications, so make sure all your end users are on board.

Getting the Ball Rolling 

The best way to get the ball rolling in defining what systems to move to the cloud is to take a ‘Cloud First’ approach. This means that the head of each business function must show conclusive evidence that specific apps and data are not cloud-ready. The burden of proof lies with these individuals; otherwise, the cloud is the final destination.

David Chou, CIO of The Children’s Mercy Hospital in Kansas City, spells this out in a three-phase approach to the Cloud First journey:

  1. Evaluate your current culture and outline what is required to transform into a cloud-first operation.
  2. Draft a vision that answers why you are moving to the cloud and what becoming a Cloud First organization will achieve—in a way executives and non-technical employees, including clinicians, can understand easily.
  3. Communicate the benefits that cloud technologies will deliver; this includes the upside to adopting cloud technologies instead of using on-premises systems that the staff is already comfortable using.

The ‘Cloud First’ mandate helps you identify which business functions are the first to move, what systems within each of these businesses to move, and why (as discussed above). This approach also facilitates the identification of critical versus non-critical data, data subject to compliance mandates, and applications that require strict availability versus more tolerant applications.

Next Up: Managing User Access

In our next ‘Moving Healthcare to the Cloud’ blog, we will discuss how to manage end-user access and reduce risk. This includes how to adequately define and enforce access control policies as well as how to monitor, identify, respond to, and mitigate risks.

Cavirin joint seminar with Logicworks - Meet 5 Innovators Who Are Revolutionizing HealthTech - May 9, evening, NYC

Read about how Cavirin can protect your ePHI.




That’s all I can say after last week’s very successful (in the eye of the writer), very crowded (50,000 in a construction zone?), and sometimes overwhelming (parties?) RSA. Anyone in attendance would agree that the intensity, the depth of conversation, and even the innovation was a step up from previous years.  But so was the angst.  Read on!

At Cavirin, we introduced CyberPosture Intelligence to the world, along with an accompanying survey on hybrid cloud security that speaks to the necessity and timeliness of our approach.  As a reminder, CyberPosture Intelligence:

  • Provides actionable intelligence for the CISO and stakeholders to take control by delivering continuous risk, cybersecurity, and compliance management across hybrid environments.
  • Offers continuous compliance for the hybrid cloud and eliminates the gaps and risks inherent with current approaches.
  • Secures both the public cloud control plane as well as target hybrid cloud workloads (servers), on-premise, within the public cloud, and within containers.

This last point is especially important, given the need to protect critical workloads in the cloud. Having a solution that only looks at the servers, or the cloud account itself, leaves you half-blind, half-protected. You need real ‘situational awareness’ where you’re immediately made aware of any drift from your ‘golden posture’ and, from there, can take appropriate action. 

At the same time, you need a simple deployment based on a technology-agnostic solution that delivers as close to single-click scoring as practical, in contrast to multiple stove-piped tools, manual processes, and point-in-time assessments: an approach that cuts through the noise to offer real, actionable guidance to protect the hybrid cloud, 24x7.

Similarly, a well-developed GDPR plan should be put in place for implementation. On May 25, the GDPR regulation will officially take effect in the EU, inevitably impacting companies beyond those borders.  According to a recent survey released by Cloud Security Alliance at RSA “31 percent of companies have well-defined plans for meeting GDPR compliance, 85 percent have something in place, and 73 percent have begun executing that plan.”

Ultimately, we want the CISO to achieve business outcomes that reverse a disturbing trend in which additional security investments don’t necessarily make things better. It is the same reality that had Cisco’s SVP of security, John Stewart, lamenting that 3.5 million security jobs will go unfilled in the coming years.  He concluded with the statement ‘we are completely screwed.’   Well, let us help un-screw things!

Check here for some of the great coverage we’ve received on our CyberPosture strategy and how it fits into current security conversations across different verticals and geos.


Healthcare IT Blog Series - 2 of 6

(This is the second post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)

As we presented in the opening message in our ‘Moving Healthcare to the Cloud’ blog series, healthcare IT is in a crisis. The good news is, help is available to address the issues that healthcare organizations and their third-party vendors face—and it comes in the form of cloud computing. From the perspective of enhancing patient services as well as internal and patient communications, the future of healthcare is definitely in the cloud.

Nemi George, the Senior Director of Information Security & IT Governance for Pacific Dental Services, provides one specific example: “A key area in which we see the cloud helping us is with our medical imaging,” says George. “Today, a local server is used to capture images and then synchronizes nightly to the data center. Using a cloud service for imaging significantly reduces the cost and the speed to retrieve image files while also allowing access across multiple platforms without the dependency on location.”

As your organization begins its journey to the cloud, the planning should first involve a close look at the top-level ROI. It’s important to know why it makes sense to move to the cloud.

“In line with our risk methodology and cloud strategy, we are comfortable moving applications to the cloud,” George says. “Our focus is on applications that require a high level of resilience and also general business apps that we seek to mobilize, such as Workday and Box, that offer a mobile experience without the dependency of a VPN.”

Cloud Value Goes Beyond Reduced Cost

Most think of the cost savings first, but that’s not the top benefit of the cloud. Other returns will prove to be much more valuable:

  • Improved system and app availability—allowing doctors, nurses and support staff to work more efficiently so they can spend more time focused on patient care.
  • Enhanced ability to manage risk—with system protections that secure sensitive medical records and personal patient data.
  • Increased ability to employ compensating controls and governance—to ensure compliance with regulations and to avoid costly fines.

After considering the top-level benefits, the next things to consider for moving to the cloud are the tactical measures. Here, the objective is to reduce the number of on-premises data center systems required to run the organization.

Not all healthcare apps are ready to be moved to the cloud. You will likely decide to keep one or two on-premises. Perhaps it will make sense to set up an integrated hybrid IT infrastructure with a mix of cloud apps and on-premises apps.

“There are a number of applications such as our core practice management and finance applications that will remain on premises for a number of reasons,” George points out. “These include our legacy application architecture and applications already billed for decommissioning as well as applications that rely on a VPN or sit behind a corporate firewall for security reasons.”

Most Apps Now Safe to Run in the Cloud

For years, availability, privacy and security were cited by healthcare organizations as the reasons for delaying or jettisoning the idea of moving their apps to the cloud. But AWS, Microsoft, Google, IBM and other cloud providers are all proving this premise wrong. In 99% of the cases, apps can and should run in the cloud!

As we saw in our first post, the inability to hire sufficient technical resources is a critical factor in healthcare organizations deciding to move to the public cloud. Hiring internal technical resources with the expertise to design, deploy and support an on-premises infrastructure is costly, and keeping them on-board is difficult. They need constant training to keep up with the latest technologies, and those that are really good will likely grow bored working on just one infrastructure.

It’s also important to note that the rate of innovation in the public cloud is unmatched. For instance, AWS ECS (Elastic Container Service) was launched in 2015. A short time later, the AWS Lambda Computing function-as-a-service offering was made available. These lightweight, yet powerful services are proving to be a big ally for organizations seeking to increase IT agility and decrease IT costs.

Here are two recent examples:

  • The Centers for Medicare & Medicaid Services created a cloud-based analytics platform that eliminated $5M in underutilized infrastructure spending, according to Jessica Kahn, the director of the data and systems group at CMS.
  • Children's Mercy in Kansas City uses Microsoft's Azure cloud services to host an app and data that save lives of at-risk pediatric patients by tracking them after they leave the hospital, according to Richard Stroup, Children's Mercy director of informatics.  

The success of the cloud for these two organizations echoes the success of George and Pacific Dental Services. “The cloud in itself will not impair our security or our compliance,” says George. “And if managed appropriately with the right level of monitoring, oversight, and governance, migrating to the cloud should reduce our costs.”

With results like this, it’s time for other healthcare organizations to dive in!

In our next ‘Moving Healthcare to the Cloud’ blog, we will examine how to define a cloud migration project. This includes identifying who needs to be involved, what applications should make the short list to move to the cloud, and where’s the best place in the cloud for your organization.



Healthcare IT Blog Series - 1 of 6 

(This is the introduction post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)

One of the key themes of the recent HIMSS18 conference in Las Vegas is that healthcare IT leaders need to embrace the power of change to transform how doctors, nurses, staff and patients consume IT. This approach may be more important than ever, given that the industry is in the midst of an IT crisis.

Threats are coming in from several fronts. Here are a few reasons why many CIOs and CTOs are finding it hard to get a good night’s sleep:

The fallacy of thinking compliance = a strong security posture

Some organizations think that abiding by regulations such as HIPAA makes them safe, but this has been proven to be incorrect. Let’s take a real public example. In February 2015, Anthem disclosed that criminal hackers had broken into its servers and had potentially stolen more than 37.5 million records that contained personally identifiable information. 20 days later, Anthem raised the number to 78.8 million records. According to Anthem, the data breach extended into multiple brands that Anthem uses to market its healthcare plans, including Anthem Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare. The security breach occurred even though Anthem was HIPAA compliant.

Vulnerable legacy equipment

For decades, manufacturers like Siemens, Bosch, Honeywell and others have built embedded systems that run on operating systems from the Stone Age—unpatched, insecure and vulnerable. Siemens medical scanners are one example: attackers could exploit trivial flaws in the network-connected devices to run arbitrary malicious code on the equipment. These remotely accessible vulnerabilities lurked in all Siemens positron emission tomography and computed tomography scanners running Microsoft Windows 7.

Too many compliance mandates

It’s hard to keep up with changing mandates because healthcare organizations have patient data dispersed in many databases across the cloud, the network, and a multitude of endpoints. Sometimes they rely on paper as well. This makes it difficult to comply with the stringent regulatory requirements of HIPAA and HITECH and to safeguard PHI, PII and EHR. In addition, medical teams need to access this information quickly in order to meet the demands of timely care. Security teams are thus challenged to find a balance between patient data security and providing easy access to the information.

Modern-day attacks

Ransomware continued to make the news in 2017 and the healthcare industry was not immune; in fact, it was a leading victim—Hollywood Presbyterian declared a state of emergency over a ransomware attack in February last year. The hospital isn't saying exactly when it paid the ransom, but it looks like they waited at least a week to end the file-hostage situation. The hospital said the payment was 40 Bitcoin, which was worth around $17K at the time. An unnamed doctor told the press that the systems responsible for CT scans, documentation, lab work, pharmacy functions and electronic communications were out of commission. Email was also down, so the staff relied on pencil and paper. It was also reported that radiation and oncology were temporarily shut down.

Severe shortage of IT security personnel

According to Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity jobs by 2021. And for qualified security personnel, healthcare IT is not the preferred destination of choice: Facebook, Google, AWS and other high-tech innovators are more attractive. 

New age disruptors

Healthcare organizations have to manage insanely large data sets to make their training algorithms better and more robust. But an even bigger and more disturbing challenge is that non-health entities can now play ‘doctor.’ Findings of the research conducted by the Computational Story Lab, a group led by Chris Danforth and Peter Sheridan Dodds of the University of Vermont, show that Instagram knows if you’re depressed, Twitter can indicate PTSD, and Facebook posts can describe a region’s relative public health.

Identifying the Right Steps to Take in the Cloud Journey

So, with all these developments as a backdrop, and as healthcare organizations look to the cloud as a panacea for everything, there needs to be a reality check on how to look at the cloud in the context of the current state and where healthcare is headed. To help organizations take on this challenge, this blog series will walk readers through the why, the what, and the how of ‘Cloud and Healthcare.’

The series will show how to identify what steps to take in the cloud journey. It starts with the next blog, which will focus on the why—Making the Business Case for the Cloud. The following chapter will delve into understanding what systems are ready for this journey, and frankly, which aren’t. We’ll also look at how you can make that distinction without bias.

The next blog will address the issue of how to assess the appropriate levels of risk for all the assets you are moving (or will be moving) to the cloud to ensure confidentiality, integrity, and availability. The fifth installment will focus on how to operationalize security. This includes the policy controls to put in place beforehand, how to monitor security, and how to react to any indications of breaches or potential breaches. It’s a team effort, so make sure you know who the players are and get your team ready!

Finally, we will look at the advent of artificial intelligence and machine learning, and how there is going to be an opportunity to gather more and do more with patient data, research, and analysis. But all of this should be backdropped with a clear ‘Code of Ethics.’ If you fail in the ethics arena, the fallout could be cataclysmic.

The Need to Embrace Education

The cloud provides an amazing path for your healthcare organization to take a leap forward. You can not only address the security sins of the past in a comprehensive manner, but also set yourself up for success in this new age of healthcare IT that includes the Internet of Things, artificial intelligence and predictive medicine.

But, to use the cloud effectively, securely and consistently—truly understanding what the cloud can do for your organization and your patients, and setting your organization up competitively—requires you to embrace the need for education without bias. Hopefully, this blog series will do just that!




Today we’re announcing the next phase in Cavirin’s evolution, with an approach and product offerings that will truly provide organizations with the visibility and control they require across their hybrid infrastructures, an approach that provides the CISO with actionable insights to minimize the attack surface while meeting the reporting requirements of his or her board.  We call this ‘CyberPosture Intelligence for the Hybrid Cloud.’  Read on!

The hybrid cloud is real, and in fact, 81% of enterprises are adopting a multi-cloud architecture, spanning on-premise and one or more public cloud providers.  And this won’t go away anytime soon, with about 1/3 of workloads remaining on-premise in 2025, sometimes the most critical.  But there is a problem.  A good 77% of IT personnel identify security as still a barrier to adoption, and almost the same number, 75% lack visibility across their hybrid cloud.

So what is CyberPosture, a word that you’ll be seeing more of in the future?  It is verifying that your slice of the public cloud is secure, be it IaaS, PaaS, SaaS, or even FaaS.  It is confirming that your workloads (servers) in the cloud are secure as well, be they VMs or containers.  It is ensuring that sensitive data, if it is in the cloud, is secured; being able to pass your periodic security audits; and securing not only your own infrastructure but also those of your critical suppliers and partners.  Finally, it is an architecture to help you truly understand the risks and deficiencies that are part of any hybrid cloud infrastructure, one that permits you to effectively balance your risk tolerance with skills and budgets.

CyberPosture is closely aligned with the rise of DevSecOps, the automation of security within DevOps to ensure a more secure cloud infrastructure and to offer more automated remediation when issues are discovered.  In a break from the past, SecOps will no longer be held as a barrier to agile development.  They will regain their place at the table as an enabler.  Who manages this?  The ‘Cloud Security Architect’ runs point, bringing together skillsets from across the organization in a ‘Cloud Center of Excellence.’ 

How do you achieve CyberPosture?  As with any type of posture, it doesn’t just come to you.  You actively set off to achieve it.  We help you instrument your public cloud accounts, your cloud security posture.  We offer the tools to enable continuous compliance across regulations that include GDPR, PCI, HIPAA, SOC, ISO, CIS, and others.  We help you apply these tools across critical verticals and use cases, such as cyber-insurance risk assessment or supply chain risk management.  We integrate these tools with your agile development processes. And, we package up this intelligence in the form of a ‘CISO Dashboard’ or as reports for your audit committee, providing you with a consolidated ‘Cavirin Risk Score’ that combines elements of security and compliance, for your cloud, and for your workloads.

The next step?  Visit us at RSA to learn more about Cavirin’s CyberPosture Intelligence, and while there challenge your existing cybersecurity partner on how to solve this hybrid cloud security and visibility challenge.  Then drop by booth N4439 and share your thoughts with us!


A Catch-up Plan for Technical Controls

In under 60 days, the GDPR regulation officially takes effect in the EU, and will impact companies well beyond Europe’s borders.  As a reminder, on May 25 the GDPR will replace the EU’s existing privacy regulation, and in a nutshell, data protection is now by design and by default.  And, data includes both personal and professional information.  A major point is the ‘right to be forgotten,’ and some of the controversies around Google and Facebook are a result of this intent.

By now, organizations should have a well-developed plan in place for implementation, including the assignment of a Data Protection Officer and coordination across all impacted business functions.  An issue is that this planning is not universal, and in fact, many US companies don’t realize their exposure.  In a recent study, less than 25% of US firms consider themselves to be GDPR-ready.   Not a good place to be in, given that a just-released ESG survey shows GDPR-subject data as the most widely deployed in the cloud.


Digging further, the GDPR defines three elements of compliance – people, process, and technology.   Cavirin can’t directly address the first two, but we can help with plugging holes in the third.  In a four-phase process that includes discover, manage, protect, and report, the third – protect – closely aligns with Cavirin’s capabilities.  We’ve created a policy framework that helps to automate the following across cloud providers and operating systems: 

  • Auditing Personal Data Processing Systems: Ensuring that all user and admin activities in personal data processing systems are traceable at all times.
  • Monitoring Personal Data Processing Systems: Ensuring they are safe from software vulnerabilities.
  • Personal Data Access Controls: Ensuring that access to systems storing or processing personal data is restricted to only the users or programs that need it.
  • Personal Data Security Controls: Monitoring configuration settings for systems storing or processing personal data to prevent breaches and disclosure.
  • Personal Data Transfer Security: Monitoring usage of encryption and network configuration to detect and/or prevent unauthorized transfers of personal data.

So how to get started?  In under 30 minutes (really), you can deploy the solution on-premise or within your public cloud provider.  Deep discovery of the critical workloads you identified in the steps above then commences, and in a short amount of time you’ll have actionable reports that identify your top risks.  The assessment delivers remediation guidance, and even for the largest of infrastructures, you’ll have plenty of time to take action before the deadline.  But don’t stop there!  Configure the platform for continuous assessment, so that if the configuration of any of your servers changes, or new ones are added, you’ll be immediately notified and can then take action.

Download the linked infographic for more on the above!  And listen to the on-demand webinar for further information on putting your own plan in place for GDPR enforcement day, May 25th, 2018.



© 2019 Cavirin Systems, Inc. All rights reserved.