Cloud Cybersecurity in Healthcare: Thoughts on Spectre & Meltdown

Focus on: Cybersecurity in Health

When we speak with healthcare customers around the world about using hyperscale cloud to store and process patient health information, increasingly we see them moving from a position of “can I get comfortable moving to the cloud?” to “can I afford to not move to the cloud?” While there are several value propositions that customers see in hyperscale cloud, with cost and agility traditionally dominating the discussion, more and more we see the cybersecurity capabilities of hyperscale cloud being listed in the value proposition column. The health industry is no exception.

The reality is increasingly simple economics: hyperscale cloud providers can invest far more in securing their systems than any single organization can itself. Even some of the world’s largest consumers of IT have reached that conclusion. Tony Scott gained a fair bit of attention when, as CIO of the US Federal Government, he said that cloud providers have the incentive, skills and abilities to “do a much better job of security than any one company or any one organization can probably do.” Some of our large health customers, like Health Service Executive of Ireland, have reached similar conclusions about putting “Cloud First” in designing IT services that handle health data. That’s not to say that hyperscale cloud addresses all cybersecurity in healthcare issues: there are critical investments that customers continue to make to systems and processes that remain under their own control.

Much of that investment we talk about in hyperscale cloud cybersecurity happens behind the scenes. From the physical security controls on data centers, to the organizational processes and policies in place that govern employees who operate and update cloud services, to the controls and audits that ensure these policies are followed, it is easy to overlook the scale of this investment. Some of these cybersecurity in healthcare investments can only be done at hyperscale, such as how Microsoft tracks attempted attacks on its cloud, along with hundreds of billions of other pieces of data, in a huge system it calls the Microsoft Intelligent Security Graph. It then uses a branch of artificial intelligence called machine learning to analyze all those billions of pieces of data to continually learn to spot new signs of attack, improve its security defenses, and hone its responses.

Today we have another tangible example of the scale of cybersecurity in healthcare investments we make in the cloud and how it translates into an advantage for our cloud customers. Shortly after welcoming in the New Year, the world learned about the long-hidden Spectre and Meltdown vulnerabilities affecting many modern CPUs. Modern data centers, whether customer-operated on-prem, private cloud or public hyperscale cloud, all rely on commodity CPUs, and as a result none were immune from these vulnerabilities. These vulnerabilities have been present in all systems, from phones to laptops to cloud servers, for at least a decade, possibly two. Understanding the sensitive data and workloads running in the cloud, our teams immediately secured our cloud infrastructure with updates to address the newly disclosed vulnerabilities.

Organizations large and small face struggles identifying all impacted systems and rolling out patches even for trivial vulnerabilities. For Spectre and Meltdown, organizations with on-prem systems are facing additional challenges around concerns that patching systems may slow down those systems. While there will always be some number of on-prem customer systems that customers will need to patch themselves, for those critical systems running on our hyperscale cloud, the majority of the work was done by the time the world learned about these vulnerabilities. When we spoke of investing $1 billion in security in a single year, it was precisely to provide the systems and resources so that we could rapidly respond to security incidents like Spectre and Meltdown, reacting in real time to keep your sensitive data and workloads secured so you can focus elsewhere.