The Identity Cloud Data Isolation Component That You Need for HIPAA, But Most Vendors Miss
When used in the same sentence, the words “isolation” and “healthcare” conjure up images of masks, vaccines, and social distancing.
In this case, however, isolation and healthcare have nothing to do with your physical health and everything to do with protecting healthcare data. In this context, “isolation” of a cloud service’s data and network traffic provides the ability to secure data covered by the Health Insurance Portability and Accountability Act (HIPAA) without hindering the agility and flexibility of your enterprise. Too many organizations are missing out on this important cloud property simply because their identity solution doesn’t offer it.
What the Traditional Cloud Model Gets Wrong
HIPAA dictates that healthcare data must be protected wherever it exists: on premises, in the cloud, in hybrid models – at rest, in motion, or in use. As security practitioners, we are always looking for ways to “up our game” in this area. Increasingly, organizations are looking at their existing cloud identity deployment models and not necessarily liking what they see.
Traditional software as a service (SaaS) models are architected on a single shared stack: the same application software, storage and network serve every subscriber of the cloud service.
What does this mean for you? Your data, while residing in one of these software-defined instances, is controlled by the same common software that operates many other subscribers’ data and processing. A thin layer of application logic, cloud operator commands, configuration, and virtualization is all that separates your data from a potential HIPAA violation.
Why should you care?
The co-mingling of these common cloud components, in an already complex cloud architecture, can lead to data leakage or unauthorized access. Healthcare data has been inadvertently exposed by a cloud vendor’s weekend software update or by a simple misconfiguration, and such incidents have cost organizations hefty fines and bad publicity.
While the vast majority of healthcare breaches have nothing to do with the architecture of the cloud service, it is very important to think holistically about your end-to-end data security, including the way your cloud vendor stores your data and handles your network traffic. It’s not enough for the vendor to say they have a SOC 2 Type II report. You need to understand the rudiments of how the cloud service works to gauge your total potential risk, and your vendor should be willing to have this discussion with you.
The Noisy Neighbor Effect
There is another potential consequence of a traditional “single-stack” cloud model that doesn’t get enough attention. We call it the “noisy neighbor effect.”
In a single-stack traditional cloud service, where every subscriber relies on the same cloud software and runtime services, one subscriber “bursting” their usage can slow down every other subscriber on that service. This could happen, for instance, during open enrollment: unexpected demand from other subscribers pushes the SaaS service to its limits and causes a disruption for a customer who did nothing unusual.
The New Approaches to Cloud Embrace Data Isolation
It’s no secret that healthcare is a primary attack target. The ForgeRock 2021 Consumer Breach Report shows healthcare to be the most targeted industry for the second year in a row, accounting for 34% of the breaches. The HIPAA Journal estimates that 3.7 million records are compromised each month and records are worth more on the darknet than credit cards.
This is why the full end-to-end protection of HIPAA data is getting more attention these days from the C-Suite and cloud architects alike. In a SaaS model, the cloud vendor is responsible for the security of the service itself, while the customer typically just consumes it, with little knowledge of the inner workings of the cloud service they subscribe to. This division of labor is well understood and generally accepted, but it does not transfer accountability: under HIPAA the customer remains the covered entity, the vendor is a business associate, and a signed business associate agreement (BAA) is required alongside the vendor’s own controls. None of this should prevent you from seeking cloud vendors that offer true data isolation and asking questions about how your data is stored.
In a true data isolation model, every customer setup is a discrete deployment, separate and apart from any other customer. Data is stored in a containerized Kubernetes cluster dedicated to that tenant and accessible only from the tenant’s cloud. One customer’s instance never interferes with another’s, and there are no shared application resources to compete for. When evaluating any vendor’s isolation claim, ask which layers are dedicated to you (cluster, namespace, database, network path, encryption keys) and which remain shared with the underlying cloud provider.
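To make the isolation and noisy-neighbor points concrete, the following Kubernetes manifests are an added illustration, not ForgeRock’s configuration or any vendor’s. They show the two controls a practitioner would ask a vendor to demonstrate at the namespace level: a default-deny network policy that keeps one tenant’s traffic from reaching another tenant’s pods, and a resource quota that caps how much of the cluster a single tenant can consume when it bursts. The tenant name `tenant-a`, the quota values and the `k8s-app: kube-dns` label are assumptions chosen for the example; the `kubernetes.io/metadata.name` namespace label is set automatically by Kubernetes 1.21 and later.

```yaml
# Added example: namespace-level tenant isolation in a shared Kubernetes cluster.
# Not ForgeRock's configuration. Tenant name and quota values are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tenant: tenant-a
---
# Default-deny: no ingress or egress for any pod in the tenant namespace
# unless a later policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Allow pods in the tenant namespace to talk only to each other,
# plus DNS egress to kube-dns (label assumed to be k8s-app: kube-dns).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-tenant
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - podSelector: {}
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
---
# Cap the tenant's share of cluster compute so a burst here cannot
# starve another namespace (the "noisy neighbor" effect).
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
```

Two caveats a practitioner should keep in mind. First, a NetworkPolicy is only enforced when the cluster’s network plugin implements it (Calico, Cilium and similar do; a plugin without policy support silently accepts the object and enforces nothing), so ask the vendor to show traffic actually being dropped, not just the YAML. Second, these objects isolate tenants that share one cluster, which is the weaker model; a dedicated cluster per tenant, as described above, removes the shared control plane and node pool as well, but the physical hosts and network of the underlying cloud provider are still shared and should be covered by the same line of questioning.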
The ForgeRock Approach
Some organizations are skeptical of going with a SaaS service specifically because of concerns around data isolation or privacy. Instead, they opt to run their own private cloud or stay with an on-premises approach. At ForgeRock, we can support any deployment model you want, but if those are your main concerns, we’ve got you covered: the ForgeRock Identity Cloud operates in true data isolation in a dedicated cloud instance, so you get both the performance and the peace of mind you need from your cloud vendor.
ForgeRock recently announced that the ForgeRock Identity Cloud has achieved HIPAA compliance. To learn more about our HIPAA compliance, check out our data sheet or reach out to us to discuss ways to protect your HIPAA data.