What’s the most valuable thing that cloud can provide to both clinicians and patients in federal health care settings?
Access to the right data at the right time, said Srini Iyer, senior vice president and chief technology officer for the health group at Leidos.
It’s possible to do that securely, but it requires continued efforts by both agencies and industry to evolve use of the latest tools and management techniques, Iyer said during the Federal News Network Cloud Exchange 2023.
Health care agencies across government are moving to modern multicloud architectures as the foundation for securely sharing data across their entire enterprise and with partners, inside and outside the federal government.
But emerging trends in health care delivery — including a surge in telehealth, a rise in Internet of Things medical devices and greater use of artificial intelligence — also present new opportunities for adversaries to compromise sensitive information, including personally identifiable information (PII).
“The amount of data that is being generated on a daily basis is significant, and protecting that data is very critical,” Iyer said.
Taking on shared responsibility of cybersecurity in health care
New challenges to federal health care require a new approach to cybersecurity. To ensure the protection of data in the cloud, Iyer said agencies need to understand security is a shared responsibility between the cloud provider and the data user.
“Cloud service providers provide really good, solid infrastructure — up to a certain point. Beyond that, it is up to the user of the applications or the app owner to ensure that there is security all the way through,” Iyer said.
A typical federal employee uses up to 30 cloud-based services on any given day, he said. Given that wide array of tools, it’s essential for agencies to ensure there’s end-to-end encryption and security across all their platforms and devices, Iyer advised.
“When you look at security, it is end to end. It’s all the way from your handheld device, if you’re using that to schedule an appointment, all the way through the back end, to the physician’s office — and back. It just can’t be in bits and pieces. And typically, that’s what has been happening in days past, where you were siloed and people were looking at security in bits and pieces,” Iyer said.
Most federal health care agencies work in hybrid cloud environments, managing some data and workloads on premise and some in the cloud. That likely won’t change, he said.
“Most customers that we’ve been working with are migrating to the cloud and also keeping the data on prem. When you’re looking at radiology or imaging data, that has to be on premises because you’re looking at petabytes of data,” Iyer said.
Therefore, the security strategy must be hybrid as well, he said.
Managing cloud sprawl in federal health care
The fairly low barrier to entry for cloud makes it easy for agencies to begin their IT modernization journey. But that hybrid work environment can be challenging to manage unless IT organizations track their cloud workloads effectively, Iyer said.
“That is becoming a nightmare for the CIOs, from an enterprise standpoint. Between cloud sprawl and shadow IT, it keeps them busy, because you’re dealing with multiple cloud entities,” Iyer said.
Additionally, to ensure health care agencies stay on top of emerging threats to their networks, Iyer said they need visibility throughout their enterprise and across multiple cloud service providers.
“When your workload traverses from one CSP to another CSP, now you’ve lost visibility. It’s like a relay race, passing the baton to somebody else, and they may not be interested in looking at that. But we need to ensure that there is visibility across multiple CSPs. And that becomes very challenging, it’s not trivial,” Iyer said.
That visibility is also essential so that agencies avoid overpaying for cloud services or underutilizing the cloud capabilities they’re paying for.
“In the early days of cloud, people had some services running overnight or on late nights or weekends, and suddenly they started seeing their bills come up. That was sky high. We can avoid a lot of that with proper governance and proactive care,” Iyer said.
To stay ahead of emerging threats, he suggested that agencies need to have strong multifactor authentication in place — especially for increasingly automated processes.
“This becomes even more critical when you’re having machine-to-machine interactions,” Iyer said. “A lot of times, there is no human in the loop. You have two different services, especially in a microservices architecture, interacting with themselves. You need to ensure that the right authentications and credentials are passed, so that it gives them access.”
Meanwhile, agencies continue to refine their zero trust strategies, as mandated by the Biden administration.
Iyer cautioned that proper implementation of zero trust requires that agencies understand their employees’ workflows and help them navigate changes.
Without this work in place, Iyer said agencies run the risk of locking legitimate users out of applications.
“Zero trust is not a silver bullet, in the sense that there is not a single product or solution that can that you can put on an enterprise and say, ‘I’m now golden.’ That’s not going to happen. It is a process, it’s an approach, it’s a culture,” Iyer said.
In the event of a cyber incident, agencies need to ensure they have adequate incident response plans in place.
“We need to be able to respond in a fairly reasonable amount of time. We just can’t wait for days or weeks because typically we don’t realize that there is an attack vector in our system until it’s a few weeks in,” Iyer said.
Embracing AI challenges and opportunities
Agencies also need to stay on top of cyber hygiene basics, such keeping up to date on security patches and educating employees about phishing campaigns.
Iyer said agencies need to remain especially vigilant about these steps now that adversaries are using generative artificial intelligence tools to their advantage.
“Your attackers are always looking for that vulnerability. They have to succeed once, but from a security professional standpoint, you’ve got to be 100%,” he said.
AI and automation may factor into a new wave of cybersecurity threats, but these same technologies are also driving innovations in the delivery of health care services, he said.
“AI is here. And generative AI especially is going to change how we’re going to do things. We are already using it — whether we like it or not, whether we acknowledge it or not. … The question is, how much do you trust that? That trust becomes a big factor,” Iyer said,
He said Leidos is using natural language processing to help one health care agency reduce the number documents employees have to go through and is improving productivity.
“Everybody’s time is constrained. You don’t want them going through volumes and volumes of data. But getting to the right amount at the right time is very important,” he said.