The pros and cons of cloud have been debated for decades. But as our industry moves away from monolithic Medicaid Management Information Systems to modular Medicaid Enterprise Systems, now is a good time to revisit the debate.
States have two primary choices when it comes to the hosting that will serve as the foundation for their system: move to the cloud, or keep an on-premises (or “on-prem”) architecture. Historically, security has been a big part of the decision — or indecision — to migrate to the cloud due in part to the perceived security benefits of having servers and data stored in an onsite location. But the fact that many of the nation’s healthcare companies — not to mention the CIA and the Pentagon — are actively migrating and publishing to the cloud may be helping to settle the debate.
States are right to question the security of cloud implementations. But when looking at security in the cloud, I challenge states to reframe the question from “How secure is my information in the cloud?” to “What innovative things can I do in the cloud that will make my organization even more secure?”
Let’s take a look at cloud security in general.
One traditional argument against moving to the cloud is a perceived lack of control. However, what is lost in control is more than made up for in the level of security, resources and knowledge these large providers bring to a state’s Medicaid operations.
States, at their core, are not data center management companies, infrastructure management companies or even security organizations. And it is becoming increasingly difficult for them to manage those capabilities.
Major cloud providers attract top-tier cybersecurity talent and invest billions of dollars into security infrastructure. The faster an organization can adapt to an evolving security landscape, the more secure it is. Cloud provides that agility, and through cloud deployment, states can benefit from all the investments that companies such as Amazon, Azure and Google continuously make to harden their environments.
States are also right to examine data security in the cloud. Federal legislation and frameworks such as HIPAA, Health Information Technology for Economic and Clinical Health (HITECH), and Health Information Trust Alliance (HITRUST) require strict security protocols around protected health information, with some necessitating the physical separation of data. States also face rigorous compliance measures mandated by the Centers for Medicare and Medicaid Services, which, fittingly, is also in the cloud.
Cloud providers can now isolate different systems and functions, as well as implement a variety of controls to increase security. With the click of a button, states can choose to use either a shared or dedicated server.
Of course, states could implement their own controls on premises, but without the same degree of simplicity.
With the cloud, all of this happens essentially at the click of a button.
What can the cloud offer in the way of differentiated approaches to security, compliance and resiliency?
One example is cryptographic key rotation — the ability to change the math that encrypts all of a state’s stored data. In the cloud, states can easily direct the key to rotate every day, achieving a much higher level of security with much greater simplicity.
From remediation to prevention
Even more important for states, the cloud offers security and compliance capabilities that are truly out-of-the-box. For instance, states can shift their focus away from remediation to prevention by using “as code” models — Infrastructure as Code, Compliance as Code and Security as Code — to integrate their requirements into the way they develop their products and processes. Through automation, they can embed controls at the very outset to secure a workload as it moves throughout its lifecycle, reducing costly human errors and speeding up the process tremendously.
The cloud opens the door to more security capabilities than ever before, providing a centralized, automated approach to protecting sensitive data and supporting compliance efforts. More than that, the cloud allows states to push the innovation bubble beyond the high-level security that already exists in the cloud, enabling them to weave security and compliance into the fabric of their operations.
About the author
Jacob Sims serves as chief technology officer for Gainwell Technologies, responsible for leading the technology vision, strategy and execution of Gainwell’s data science, advanced analytics and service platform. He brings significant experience leading large-scale healthcare IT organizations and specializes in transformative initiatives and data-centric product cultivation.
Gainwell Technologies is the leading provider of cloud technology solutions vital to the administration and operations of health and human services programs. We offer clients scalable and flexible solutions for their most complex challenges. These capabilities make us a trusted partner for organizations seeking reliability, innovation and transformational outcomes. For more information, visit gainwelltechnologies.com.