Securing the Cloud for Critical Access Hospitals

Joint Blog with HIPAAtrek, Co-Author: Sarah Badahman, CHPSE, CEO/Founder, HIPAAtrek

While medical treatment innovation may move at the speed of light, the same cannot be said for the rates at which healthcare providers have migrated to the cloud.

The largest obstacle to widespread adoption? The responsibility of securing their data within the cloud. And the concern is easy to understand; it is estimated that the loss of data and related failures will cost healthcare companies nearly $6 trillion in damages in the next three years.

Growing Cybersecurity Risk for Healthcare

At least 41 healthcare providers experienced ransomware attacks in just the first half of 2020 alone. Considering the staggering amount of private information available—social security numbers, account payment information, and private medical records—protecting this data is crucial.

It is no wonder that an increasing number of hospitals and healthcare systems are beginning to recognize an evolving cybersecurity and compliance landscape that they must become part of to maintain security, remain in compliance, and sustain patient and public confidence. With the realization that cloud migration is not a “should we?” but rather “when are we?” question, IT leaders and compliance officers are working to recognize and overcome challenges such as data location, staffing, and financial costs of migrating their EHR systems into the cloud.

Backed by larger budgets and personnel resources, the cloud migration process for larger hospitals and networks can be an intricate, but fairly simple, process once a strategy is in place. But for critical access hospitals (CAHs), it can be quite different.

CAHs Face More Obstacles

Outside of these potential cloud migration challenges, leaders and officers who operate within CAH frameworks must be even more careful about budgeting and optimizing their cloud migration process.

Located in rural areas, CAHs play a critical role in providing basic healthcare to community members who otherwise would have to travel long distances to find it. Though they are sometimes members of larger hospital networks, CAHs are often “on their own” in many ways:

  • They often operate without the same C-suite-level teams commonly found in larger hospital settings.
  • Most do not have a compliance officer and are often given control to self-govern their IT.
  • Further complicating their cloud migration is the common practice of CAH leaders wearing multiple hats and not being able to focus on the fluid nature of the cloud landscape.

Despite these issues, CAHs are still expected to maintain their HIPAA compliance and securely protect data—all within their limited resources.

A Healthy Cloud Migration Journey

Embarking on a cloud journey for CAHs does not have to be daunting. And the benefits—protecting healthcare data, achieving and accelerating compliance, and being able to redirect resources to accelerate patient care initiatives—far outweigh any initial intimidation.

Due to the unique obstacles they face with limited staffing and decreased budgets, a healthy and secure cloud migration journey for CAHs should start with an assessment of their objectives, whether it is cost reduction, a better allocation of IT resources, or reducing cyber risk while maintaining HIPAA compliance. Once these have been established, ensuring that all stakeholders are involved in the migration is key, as the migration will possibly impact their department operations, and their collaboration is needed for the smoothest transition possible.

Selecting the appropriate cloud framework is also essential to their cloud migration. This step aligns with an internal assessment of a CAH’s available resources and current environment, and it leads to the exploration of platforms and their abilities.

At minimum, CAHs should ensure they have their servers properly backed up in the cloud. There have been several instances where a hard drive was seen plugged into a server, acting as a very poor backup system for a CAH’s data. Using a cloud-enabled vendor is another option. Because CAHs are in rural locations, vendors are either unable or unwilling to travel to them, and connecting with a cloud-enabled vendor takes data protection and security a step further.

Evaluating Security & Compliance Vendors to Achieve Your Goals

Completely migrating to the cloud is the most effective way for CAHs to adhere to compliance frameworks, be audit-ready, and ensure the security of their data. Vendors vary, and choosing one experienced in the intricacies of healthcare in the cloud is important.

Before this happens, however, CAH leadership should start with asking themselves questions to create the security-first organization they want their care facility to be. This keeps a focus on long-term security outlooks versus a “band-aid” situation that begins only when a breach happens or when the focus is on avoiding a penalty due to lack of compliance.

These questions can include:

  • CAH’s role in securing their data – Do you understand the Shared Responsibility Model and what your organization is responsible for?
  • The best strategy to achieve compliance – Is there a dedicated security team in place to handle events and failures?
  • What a CAH should look for in vetting a third-party security provider – Can the provider secure data across your full environment or just in a single area?

CAHs’ sensitive workloads should be backed by a cloud security vendor that provides threat detection and response, which includes knowing when an attack occurs and providing 24/7/365 support to help resolve and remediate any security issues. A vendor should offer secure hosting and/or be able to securely protect on-premise environments already in place to ensure all data (no matter where it is located and stored) is protected.

Ultimately, CAH leadership must determine the best solutions for their healthcare facility. And there are vendors who specialize in understanding the special considerations and meeting the unique challenges CAHs have for their cloud needs. Healthcare facilities should remain focused on patient care, and with the right compliance, security, and CAH-centric experts on board, their cloud security journeys can be efficient and successful with the best possible outcomes.


Sarah Badahman, CHPSE, CEO/Founder, HIPAAtrek

Blog contributor Sarah Badahman is the CEO of HIPAAtrek. She regularly speaks at healthcare and compliance industry conferences on HIPAA, risk management, security, training, and more. Learn more at
