How Mount Sinai Health System Protects Its Health Data in the Cloud Computerworld

Avec le transfert d

To better protect its data, the New York healthcare provider is moving its key clinical and business applications to the cloud and auditing its encryption systems in preparation for the quantum threat. To lead the New York healthcare provider’s migration to the cloud, Kristin Myers, CIO of Mount Sinai Health System and dean of IT at its medical school, has made data protection and security her top priority key With a degree in law and computer science from the Queensland University of Technology and an executive master’s degree in public health from Columbia, Ms. Myers returned to college in 2019, this time at Carnegie Mellon, to earn CISO certification, with the idea of ​​overhauling cybersecurity. focus of the New York City hospital network, born from the merger of the activities of Continuum Health Partners and Mount Sinai Medical Center in 2013. “It lasted six months. It was very challenging, but I learned a lot and it prepared me as a CIO to really understand what a cyber program should be and how we should evolve in the future,” she stated. This training led Ms. Myers to take a number of security measures in preparation for moving Mount Sinai Health System’s business and clinical applications to the cloud, including the May 2021 hiring of Chief Information Security Officer Rishi Tripathi, whom Ms. Myers will ensure. serves on the hospital network’s cloud executive steering committee. “Some may think that moving applications to the cloud is secure, but it’s not,” said Myers, for whom the CIO-CIO relationship is extremely important. “It’s imperative to make sure you have security built in when you do these migrations,” he added. Moving to the cloud In the second half of 2021, Ms. Myers began building the business case for moving to the cloud, a process “what and it took some time, because not everything fits the technology budget of companies.” centers”, he explained. “And there’s also an impact on other budgets like facilities.” To assess these impacts, Mount Sinai Health System’s CIO and his team conducted a bottom-up budget analysis of data center costs and asked finance to review their business case. “When we and our team reviewed the facility, it was very clear,” said Myers, who along with Mount Sinai’s CEO-overseen enterprise risk management committee set out to evaluate the “three” cloud providers, and finally chose Microsoft Azure. , supported by Accenture for managed services. “What impressed us about Microsoft was their philosophy on data security and how they positioned themselves to help healthcare customers,” he added. Ms. Myers has also begun moving certain business applications to Oracle’s cloud, “including Oracle Financials, Supply Chain, HCM Talent Management and Learning,” he said. But to migrate other business and clinical applications to the cloud, the IT department wanted “something more agnostic.” Mount Sinai’s cloud migration is just getting started. Ms. Myers has given himself three years to move most of the healthcare provider’s applications to the cloud. Epic, Mount Sinai’s electronic patient record system, will be among the applications moving to Azure. Since joining the healthcare group, Kristin Myers has deployed Epic to various departments across the New York hospital network and plans further deployments through at least 2025. “It seems endless, but when we acquire or merge companies, we have to make sure that we are able to put in place the technology that connects all the hospitals or establishments with the main centers”, he explained. Mount Sinai already uses multiple clouds for the genomics research, leveraging best-of-breed solutions, but, according to Ms. Myers, “it didn’t make sense for us to adopt a multi-cloud strategy for our business and clinical applications, in part because the resources, given that with multi-cloud environments, you have to maintain distinct but overlapping skill sets,” said Mount Sinai’s CIO. “Given the talent retention lab problem and the ability to find the right skills to manage these environments, it was clear that we needed to put between the 80 and 90% of our applications with a single vendor.” Preparing for the Quantum Threat With much of Mount Sinai’s IT operations moving to the cloud, I follow Data recovery has become a priority for Ms. Myers. “Security must be integrated into the entire migration process,” he insisted. “Just migrating applications to the cloud doesn’t necessarily protect them, unless you encrypt the data.” Also, it’s not just whether the data is encrypted, but how. If, with today’s computing equipment, it would take years for an attacker to crack encryption algorithms, it will only take seconds if he has access to a working quantum computer. It is true that, for now, quantum computing remains the domain of laboratory experiments, but the time will come when quantum computers will be more available and the threat they pose more tangible. The White House takes the quantum threat very seriously, so much so that in January 2022 it issued an executive order requiring operators of national security systems to update their security plans and systems to protect against it. Healthcare organizations are not subject to the same requirement, but they are subject to the same threat: if their data is not properly protected and encrypted, it could be collected today and decrypted later, when operational quantum computing becomes a reality. According to Ms. Myers, this quantum threat could manifest itself in the next three to five years. “It may seem like a long time, but it’s not,” he said. To prepare, the DSI hired Sandbox AQ, a Google spin-off, to inventory Mount Sinai’s encryption systems and make them quantum-safe. Sandbox AQ provides an audit tool that organizations can run on their internal network to identify all encryption systems in use and then advise them on upgrading. Kristin Myers hopes that this audit will have identified the necessary mitigation measures by the end of the year: “If we start this work now, we will be in a better position to address this vulnerability before it becomes unexploitable.” For DSI, this is a preventative action for Mount Sinai Health System’s IT assets and patient data.
#Mount #Sinai #Health #System #Protects #Health #Data #Cloud #Computerworld


Please enter your comment!
Please enter your name here