Security of health applications, and transparent procurement of cloud services for Multi-Cloud health environments
As a Data Centre operator, we are acutely aware of the governance and technical requirements for hosting health data in the cloud. The emergence of digital health technologies has seen an uptake in cloud services within this domain. Around 100,000 mobile health apps are currently available across multiple platforms on the global market. (https://ec.europa.eu/digital-agenda/en/mhealth)
This means that CSPs are increasingly under pressure to address the governance and technical requirements of delivering health applications to the European Health economy.
A powerful tool in this challenge is the emergence of multi-cloud technologies. This blog addresses how the MUSA Framework can assist the public in procuring a CSP for their health application and deploying it in a secure manner.
According to fortune.com, as many as 11 million Premera Blue Cross customers were affected by a hack (http://fortune.com/2015/10/02/heres-whos-been-hacked-in-the-past-two-years/). There is a need to monitor the environment and detect SLA violations at a network and application level. This is particularly important where the networks of health systems are segregated from the rest of the World Wide Web. The UK NHS, for example, has Electronic Patient Record systems hosted on the N3 network. The N3 network has a number of rules and regulations which require continuous monitoring. Being able to see activity and monitor for violations of these rules protects health data from falling into the wrong hands; furthermore, it ensures maximum uptime for mission-critical hospital services.
Security of data is an issue from both a governance perspective and a technical perspective. A recent ruling by the European Court of Justice deems a key agreement (EU Safe Harbour), which allows European citizens' data to be transferred to the US, “invalid”. (http://www.cnbc.com/2015/10/07/)
This means that, for the many digital applications mentioned above, European citizens' data should remain within the European Union, and in some cases in the country in which the data originates. So how do we account for this? How do we account for geographical regulations without compromising on security or contravening data protection laws? Is Multi-Cloud the answer?
With the EU Safe Harbour ruling in its infancy, it’s unclear if Multi-Cloud from a governance perspective is the right answer. On an individual case-by-case basis, end users would potentially accept the principle that although data may be exchanged across borders, it will never be stored beyond them.
How can MUSA address the procurement of cloud services for health?
The MUSA decision support tool hasn’t specifically been designed with health in mind, but the variety of technical and business requirements which can be input makes it suitable for providing a transparent recommendation in a complex landscape.
The DST takes into account a variety of security requirements, and in turn provides a monitored and enforceable SLA. Being able to easily and transparently select a CSP suitable for hosting a health-based application is important when considering regional and national data protection laws and regulations.
How can MUSA address Data Security?
MUSA’s two use cases have specific legal requirements when it comes to the security of data.
• Flight Scheduling
• Smart Cities
The applications will make use of a variety of cloud resources, from different cloud service providers across Europe. The MUSA Framework will allow Lufthansa Systems and The City of Tampere to…
• Enforce (MUSA KR6) security policies for their applications
• Monitor (MUSA KR5) real-time security and functional properties of multi-cloud applications
• Notify (MUSA KR7) business managers to promptly react to security incidents
These KRs will lead to the implementation of the MUSA Security Assurance platform (SAP), encompassing the above KRs into a SaaS product. The MUSA SAP will empower cloud consumers by putting the control, and the ability to secure their multi-cloud environments, in their hands.
AIMES Grid Services is an award-winning cloud technology company spun out from the University of Liverpool that provides data centre and application development services to businesses from across a range of industries, including health informatics, transport/logistics, professional services and the digital and creative sectors.
Multi Cloud Secure Applications has been funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429. It started in January 2015 and is a 3-year project.
Consortium Partners are:
1. Fundación Tecnalia Research & Innovation (Lead Partner)
2. Centro Regionale Information Communication Technology scrl (CER ICT), Italy
3. CA Technologies Development Spain SAU, Spain
4. Montimage EURL, France
5. AIMES Grid Services Community Interest Company, United Kingdom
6. Lufthansa Systems AG, Germany
7. Tampere University of Technology, Finland
Author: Antony Shimmin BSc, CDCT Project Engineer for AIMES Grid Services (firstname.lastname@example.org)