The Growing Need for Cloud Security in Healthcare: Insights from Anahi Santiago
The healthcare industry is witnessing a significant transformation with the increasing adoption of hospital-at-home programs and home-based care solutions. This change necessitates a reevaluation of cloud security responsibilities for healthcare organizations, particularly as patient data is transferred beyond traditional hospital settings. Anahi Santiago, the Chief Information Security Officer (CISO) at ChristianaCare, emphasized this pressing issue during a recent interview with ISMG at the HealthSec conference held in Boston.
As healthcare delivery continues to evolve, security teams are tasked with safeguarding an ever-growing volume of sensitive patient information. Santiago pointed out that the complexities inherent in today’s cloud ecosystems further complicate their responsibilities. "Because the care is taking place outside the four walls of the hospital, the data that is needed in order to care for those patients has to go up to the cloud," she explained. As a result, organizations like ChristianaCare are experiencing an exponential increase in both the amount of data they need to protect and the methods required to ensure its security.
Amid these advancements, healthcare organizations are still grappling with challenges posed by cloud vendors who may not fully comprehend the shared responsibility model that governs data security. Santiago noted that many providers still depend on cloud service provider attestations rather than validating the security measures that their own software layers employ. This reliance can lead to vulnerabilities that could otherwise be mitigated through due diligence.
"Although a lot of the providers are getting better at understanding that shared responsibility model, we’re still finding that we have to educate and contractually require those vendors to get aligned with the model," she said. This highlights a significant barrier to comprehensive cybersecurity in the healthcare sector—providers must not only bolster their internal frameworks but also ensure that their external partners comply with shared security protocols.
In the interview, Santiago delved into several high-priority issues surrounding cloud security for healthcare, including the complex challenges related to identity and access management. As she articulated, cloud environments present unique hurdles that require targeted strategies to effectively manage who has access to what data, thereby ensuring that sensitive information remains protected from unauthorized access.
Another crucial topic discussed was the necessity for more agile vulnerability management programs. The rise of powerful artificial intelligence tools, such as Anthropic’s Claude Mythos, introduces a new layer of complexity in cybersecurity. Healthcare organizations must adapt quickly to protect against the evolving threats these tools introduce, which calls for a proactive rather than reactive cybersecurity posture.
In line with strengthening cybersecurity efforts, Santiago advocated for healthcare organizations to adopt recognized frameworks that enhance their security fundamentals. She specifically mentioned the National Institute of Standards and Technology’s Cybersecurity Framework and the U.S. Department of Health and Human Services’ cybersecurity performance goals. These frameworks provide essential guidelines that can help institutions safeguard their data more effectively while navigating the intricacies of cloud-based infrastructure.
Santiago carries significant responsibility in her role as CISO at ChristianaCare, overseeing the organization’s overall cybersecurity and assurance program. Her experience extends beyond her current position; she is an active participant in several local, state, and federal cybersecurity initiatives. Key among these are the Healthcare Sector Coordinating Council’s Cybersecurity Working Group, the Delaware Healthcare Cybersecurity Alliance, and the Women and Cybersecurity group in Philadelphia. Her extensive background includes over a decade spent as the information security and privacy officer at Einstein Healthcare Network, amplifying her expertise in navigating the rapidly changing landscape of healthcare cybersecurity.
In conclusion, the rapid evolution of healthcare delivery systems necessitates a comprehensive understanding and implementation of cloud security measures. As patient data increasingly flows beyond traditional environments, organizations must tackle complex challenges related to security, identity management, and vendor collaboration. Anahi Santiago’s insights serve as a critical reminder that a collective effort is essential in fostering a secure digital environment for healthcare, where the safety of patient information remains paramount amid ongoing change.
