Genomic Health: Protecting business in the cloud, public and private

Securing healthcare data and applications across a mix of cloud platforms

By Bob Violino

September 04, 2012 | CSO

About five years ago Genomic Health began to introduce cloud-based business applications. Ken Stineman, senior director of enterprise architecture and security, quickly became aware of the security risks these apps posed.

CSO contributor Bob Violino recently interviewed Stineman on the topic of cloud security.

CSO: Please describe your organization's cloud environment, including the types of cloud services and how the company is using the cloud.

Ken Stineman, Genomic Health: Public and private cloud services have become a strategic part of Genomic Health's information technology strategy. We initially leveraged public cloud providers for commoditized Internet infrastructure services such as spam filtering, domain naming services and worldwide content distribution. Over the past three years we have significantly expanded our cloud bias and use of software as-a-service [SaaS] applications. We now utilize more than 20 SaaS providers for key business applications including payroll and human resources, expense reporting, performance management, project management, learning management, document collaboration, identity management, financial analysis, retirement planning, applicant tracking, and stock options management.

We are in the process of expanding our hybrid cloud and accelerating our use of public and virtual-private Amazon Web Services and Microsoft Azure. These cloud providers will be essential to providing burstable high-performance compute, storage and messaging for our worldwide laboratory business. We are in the process of migrating our on-premise ERP and CRM solutions to a private cloud SaaS provider.

CSO: What assurances have your cloud providers given you that the data is protected?

Stineman: As a healthcare provider and life-science company, the security and privacy of patient information and intellectual property is critical. We conduct security assessments of our vendors and ensure they have certified processes such as SSAE16 and/or ISO and review their security whitepapers, business continuity and encryption processes. Our contractual commitments must include physical, technical, and administrative safeguards, as well as data breach notification.

We have been extremely cautious and careful in our plans to store health information in the cloud. We require encryption or healthcare business associate agreements with cloud vendors who process or store protected health information. Cloud vendors are just beginning to be positioned and ready to commit to HIPAA, HITECH, and international data protection requirements.

CSO: What concerns do you have about emerging security threats and cloud technology flaws?

Stineman: Coordinated denial of service attacks and cybercrime networks characterized as advanced persistent threats are both concerns for Genomic Health. At the same time, our greatest risk and entry point for malware continues to be social engineering attacks such as spearphishing and Web-based trojans [through which] users inadvertently introduce malware to our networks.