Why Healthcare Organizations Are Slower to Adopt Cloud Services

Originally published by Skyhigh Security.

Written by Rodman Ramezanian, Global Cloud Threat Lead, Skyhigh Security.

Security and compliance concerns dominate

Considering the type of sensitive data held by healthcare organizations, it’s not surprising that the sector has been more cautious about adopting the cloud than other industries. Our latest report, “Skyhigh Security Cloud Adoption and Risk Report: Healthcare Edition,” paints the picture of a sector that is hesitant to embark on cloud transformation yet is being pushed to do so, nonetheless.

Not long ago, healthcare organizations stored most of their sensitive data in on-premises data centers—due to strict compliance requirements and the need to access it for urgent patient services. Key statistics from our report show why healthcare has been slower to adopt the cloud.

Healthcare organizations store the least amount of sensitive data in the cloud (47%), compared to all other industries (61%).

The cloud services adoption rate in healthcare is 50% that of other industries, which have seen an uptick of 50% in cloud services from 2019 to 2022, compared to 25% in healthcare.

Healthcare moves ahead with cloud adoption despite security issues

Though healthcare lags behind other industries in cloud adoption, it is still moving ahead with it due to hybrid work and increased cloud collaboration with partners. But the risks inherent in hard-to-inspect internet traffic and unmanaged devices accessing cloud resources are increasing as well.

More than all other industries, healthcare has seen a surge of security issues with SaaS applications and services in 2022: 19% in healthcare compared to 10% for all other industries. Healthcare also experienced more data theft: 86% for healthcare compared to 80% for other industries. Healthcare has had more than its fair share of security incidents (76% versus 75% compared to other industries). It’s evident that healthcare is falling behind in cloud security.

Where healthcare stands in relation to cloud security

There are several reasons for the higher rate of data theft in healthcare.

It is much less likely than other industries to put the responsibility for data security on the shoulders of a C-level executive. In healthcare, the onus is on managers to a far greater extent.

• In healthcare, 47% of respondents say responsibility for cloud security lies with IT security managers, while only 35% of respondents across other industries concur.
• When it comes to C-level roles, 42% in healthcare say the CTO is responsible for cloud security, versus 48% in other industries.

This sector is also less likely to invest in cybersecurity: 51% plan to increase investment, compared to 56% in other industries.

Hybrid workers in healthcare are more likely to be bogged down by VPN issues (48% versus 38%). This may be due to lack of IT support and/or use of legacy systems that haven’t been updated regularly.

Where healthcare is ahead in cloud security

There are some areas of cloud security where healthcare is ahead of other industries, especially in the use of certain solutions:

• Cloud access security broker (CASB) solutions to monitor Shadow IT (43% versus 42%).
• DLP and encryption solutions (30% versus 23%).

A simplified, high-level view and greater trust in the cloud is needed in healthcare

Overall, healthcare organizations are struggling to get a high-level view of what’s going on in the cloud—likely because they still use unintegrated legacy tools with consoles that don’t communicate. This is supported by the fact that 89% of healthcare organizations say that managing cloud security could be simpler, compared to 86% in other industries.

Due to compliance with the Health Insurance Portability and Accountability Act (HIPAA), healthcare is less likely than other industries to keep certain types of sensitive data in the cloud. But healthcare is more likely to store internal information in the cloud and use collaborative tools for remote workers.

Since 2019, healthcare has had greater distrust in the cloud, particularly for HIPAA-protected data, while increasing its cloud utilization overall.

It’s time for healthcare to boost its security maturity

Clearly, the healthcare sector needs to upgrade its security maturity. Given heightened security risks in healthcare, there’s a need to increase investment in technology and people.

Hybrid workers in healthcare need proper support from IT to do their jobs without service interruptions and bandwidth issues. And administrators would benefit from a simplified, consolidated view of the environment.

This points to the need for a unified, single-vendor platform built on Zero Trust principles to provide the same controls and policies across the web, cloud, and private applications. By consolidating multiple security services, healthcare can improve efficiency, simplify management, enhance the user experience, and provide better data protection. This will free healthcare to focus its attention on supporting the health and well-being of its community.