The pros and cons of cloud have been debated for decades. But as our industry moves away from monolithic Medicaid Management Information Systems (MMIS) to modular Medicaid Enterprise Systems (MES), now is a good time to revisit the debate.
States have two primary choices when it comes to the hosting that will serve as the foundation for their system: move to the cloud or keep an on-premises (or “on-prem”) architecture. Historically, security has been a big part of the decision — or indecision — to migrate to the cloud, due in part to the perceived security benefits of having servers and data stored in an onsite location. But the fact that many of the nation’s healthcare companies — not to mention, the CIA and the Pentagon — are actively migrating and publishing to the cloud may be helping to settle the debate.
States are right to question the security of cloud implementations. After all, Medicaid systems house highly sensitive information. But when looking at security in the cloud, I challenge states to reframe the question from, “How secure is my information in the cloud?” to, “What innovative things can I do in the cloud that will make my organization even more secure?”
Before diving into that, let’s first take a look at cloud security in general.
One traditional argument against moving to the cloud is a perceived lack of control. And indeed, a large cloud provider like Amazon isn’t going to customize something as specific as one state’s security policy or notification method. However, what is lost in control is more than made up for in the level of security, resources and knowledge these large providers bring to a state’s Medicaid operations.
States, at their core, are not data center management companies, infrastructure management companies or even security organizations. And it is becoming increasingly difficult for them to manage those capabilities.
Major cloud providers, such as Amazon Web Services, Microsoft Azure and Google Cloud, attract top-tier cybersecurity talent and invest billions of dollars into security infrastructure. New cyberthreats arise every day and the faster an organization can adapt to an evolving security landscape, the more secure it is. Cloud provides that agility, and, through cloud deployment, states can benefit from all the investments Amazon, Azure and Google continuously make to harden their environments.
States are also right to examine data security in the cloud. Federal legislation and frameworks such as HIPAA, Health Information Technology for Economic and Clinical Health (HITECH), and Health Information Trust Alliance (HITRUST) require strict security protocols around protected health information (PHI), with some necessitating the physical separation of data. States also face rigorous compliance measures mandated by the Centers for Medicare and Medicaid Services (CMS), which, fittingly, is also in the cloud.
At one time, organizations in the cloud might have found their data commingled with other organizations’ data on the same server and across networks. But cloud providers can now isolate different systems and functions, as well as implement a variety of controls to increase security. With the click of a button, states can choose to use either a shared or dedicated server.
Of course, states could implement their own controls on premises, but without the same degree of simplicity. First, they would have to buy the data storage. Then, they would have to pay an upgrade fee to make sure the data is encrypted and then enlist a third party to ensure the database is encrypted. Or, they would have to configure the database themselves along with the server or software being used to encrypt the data at rest.
With the cloud, all of this happens essentially at the click of a button.
Now, let’s go back to the question of what the cloud can offer in the way of differentiated approaches to security, compliance and resiliency.
One example is cryptographic key rotation: the ability to periodically replace the key that encrypts all of a state’s stored data. This has always been hard to achieve in an on-prem environment. But in the cloud, states can easily direct the key to rotate every day, achieving a much higher level of security with much greater simplicity.
From Remediation to Prevention
Even more important for states, the cloud offers security and compliance capabilities that are truly out-of-the-box. For instance, states can shift their focus away from remediation to prevention by using “as code” models — Infrastructure as Code, Compliance as Code and Security as Code — to integrate their requirements into the way they develop their products and processes. Through automation, they can embed controls at the very outset to secure a workload as it moves throughout its lifecycle, reducing costly human errors and speeding the process tremendously.
If a state has a security issue in its firewalls, Infrastructure as Code lets the state change its firewall policies at the code level and deploy the changes instantly. With Compliance as Code, a state can log into a single dashboard and see a list of every server and every workload to ensure the right controls are in place, or to see if drift has occurred. And with Security as Code, states can use APIs to define which rights people have at a very granular level. Changes made to the code can be easily applied to all assets in the environment — storage networks, websites and databases. Just imagine all the time, costs and human intervention these tasks would require in an on-prem environment.
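The Compliance as Code drift check described above can be sketched as follows. This is an added example, not code from the article or from any cloud provider; the field names, control names, resource ids and the one-day rotation limit are assumptions, and the inventory is constructed.

```python
"""Compliance-as-code sketch: evaluate a resource inventory against a baseline."""

MAX_ROTATION_DAYS = 1  # assumption: the daily rotation the article mentions

def _rotation_ok(res):
    days = res.get("key_rotation_days")
    # bool is a subclass of int, so reject it explicitly.
    return (isinstance(days, int) and not isinstance(days, bool)
            and 0 < days <= MAX_ROTATION_DAYS)

# Control name -> predicate. A missing attribute fails the control (fail closed).
CONTROLS = {
    "encrypted_at_rest": lambda r: r.get("encrypted_at_rest") is True,
    "key_rotation": _rotation_ok,
    "dedicated_tenancy": lambda r: r.get("tenancy") == "dedicated",
    "no_public_ingress":
        lambda r: "0.0.0.0/0" not in r.get("ingress_cidrs", ["0.0.0.0/0"]),
}

# Controls required only where PHI is stored; the rest apply to every resource.
PHI_ONLY = {"key_rotation", "dedicated_tenancy", "no_public_ingress"}

def find_drift(inventory):
    """Return {resource_id: [failed control names]} for non-compliant resources."""
    drift = {}
    for res in inventory:
        holds_phi = res.get("phi", True)  # an untagged resource is treated as PHI
        failed = sorted(
            name for name, check in CONTROLS.items()
            if (holds_phi or name not in PHI_ONLY) and not check(res)
        )
        if failed:
            drift[res["id"]] = failed
    return drift

# Constructed sample inventory (hypothetical resources, not real systems).
INVENTORY = [
    {"id": "claims-db", "phi": True, "encrypted_at_rest": True,
     "key_rotation_days": 1, "tenancy": "dedicated", "ingress_cidrs": ["10.0.0.0/8"]},
    {"id": "eligibility-db", "phi": True, "encrypted_at_rest": True,
     "key_rotation_days": 365, "tenancy": "shared", "ingress_cidrs": ["10.0.0.0/8"]},
    {"id": "static-site", "phi": False, "encrypted_at_rest": True,
     "tenancy": "shared", "ingress_cidrs": ["0.0.0.0/0"]},
    {"id": "legacy-archive", "encrypted_at_rest": False},  # untagged, fields missing
]

if __name__ == "__main__":
    for rid, failed in find_drift(INVENTORY).items():
        print(f"DRIFT {rid}: {', '.join(failed)}")
```

Running the same check on a schedule and on every infrastructure change is what turns a one-time audit into continuous drift detection.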
The cloud opens the door to more security capabilities than ever before, providing a centralized, automated approach to protecting sensitive data and supporting compliance efforts. But more than that, the cloud allows states to push the innovation bubble beyond the high-level security that already exists in the cloud, enabling them to weave security and compliance into the fabric of their operations.