(HIM750)
SESSION 8 MODULE
CLOUD COMPUTING SECURITY ISSUES
PREPARED BY
SYEFIRA SALSABILA, S.GZ, MKM
The appearance of cloud computing technology with major advantages is one of the
present key challenges. This is a new prototyping technology based on
“pay-on-demand” for the use of information and communications technology (ICT). The National
Institute of Standards and Technology (NIST) in the USA has focused on three
models of cloud computing: SaaS, PaaS, and IaaS [19]. In healthcare cloud
computing for internal communications, an extensive number of computers and
servers are dedicated to meeting the requirements of the medical care business.
Healthcare services can be delivered to users (patients or physicians) through an
internet connection.
Also, it is important to note that the [US] Health Insurance Portability and
Accountability Act (HIPAA) compilation rule requires patient data to be well
protected, regardless of where it is stored. Organizations that work as
contractor firms and do not necessarily analyze the data on a normal basis must
adhere to HIPAA rules. This particular system records every access attempt by
username and includes the date, time, relationship to the patient, etc. Still, more
research work is required in this field to increase the security of patient data and
users’ trust levels.
Universitas Esa Unggul, http://esaunggul.ac.id
How to protect the data
Protection of critical patient information and medical
records is one of the most basic duties of the healthcare industry and one of the
most firmly regulated. Defending data as they move in and out of the cloud requires
data encryption, which makes the data unusable if they are compromised. It also
demands safe communication connections, which limit browser access and encrypt
content as it is moved over the network and throughout the cloud. However, data
encryption based on the Advanced Encryption Standard (AES) algorithm is very
compute-intensive.
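The following Node.js sketch is an added example, not part of the original module: it encrypts a patient record with AES-256-GCM before upload, so the stored blob is unreadable without the key and any alteration is detected on decryption. The patient IDs, record fields and the in-process key (standing in for a key held in a key-management service) are constructed assumptions.

```javascript
const crypto = require('node:crypto');

// Encrypt one record with AES-256-GCM before it leaves the client.
// patientId is bound in as associated data: not secret, but authenticated,
// so a blob filed under another patient's ID will not decrypt.
function sealRecord(key, patientId, record) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(patientId, 'utf8'));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(record), 'utf8'),
    cipher.final(),
  ]);
  return {
    patientId,
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt and authenticate; final() throws if key, AAD, tag or ciphertext
// do not match what was sealed.
function openRecord(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  d.setAAD(Buffer.from(blob.patientId, 'utf8'));
  d.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(blob.ct, 'base64')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

function verifies(key, blob) {
  try { openRecord(key, blob); return true; } catch { return false; }
}

// Constructed sample data; the key stands in for one held in a key manager.
const key = crypto.randomBytes(32);
const sample = { name: 'Test Patient', note: 'constructed sample record' };
const blob = sealRecord(key, 'patient-0001', sample);

// Modifications in storage or transit that decryption must reject.
const flipped = Buffer.from(blob.ct, 'base64');
flipped[0] ^= 0x01;
const tampered = { ...blob, ct: flipped.toString('base64') };
const relabelled = { ...blob, patientId: 'patient-0002' };

console.log(verifies(key, blob), verifies(key, tampered), verifies(key, relabelled));
```

Only the intact blob verifies; the bit-flipped ciphertext and the blob relabelled to another patient are both rejected.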
Malware and viruses
Malware and viruses are being developed continuously, and
ransomware (a type of malware that, once it has taken over the computer, threatens
harm) is one of the most frequent sources of attack. According to one report, a
company is targeted by ransomware every 40 seconds. Malware such as NotPetya,
WannaCry, and Locky, in particular, has spread among healthcare providers. Even
the NHS itself has been targeted by WannaCry: the attack resulted in disruptions at
37% of NHS organizations and cancellation of many appointments and surgeries.
Although the NHS did not pay the ransom, it did incur extra costs to cover cancelled
appointments, hire IT consultants, and restore data and systems after the attack,
besides incurring damage to its reputation. Unsurprisingly, nearly 61% of healthcare
organizations are reportedly worried about malware and the threat of unauthorized
access.
The HIPAA Privacy Rule was created to protect patients' medical data and
other health information. This covers patient data held in medical records,
by insurers, and by financial institutions that conduct electronic transactions
involving this patient data. The rule covers appropriate safeguards for the
confidentiality of health information data, and sets the limits and conditions
on how information may be used without the patient's authorization. The rule also
gives patients rights over their health information, including the right to
examine and obtain copies of their health results and to request
corrections.
b. Security Rule
1. Ensure the confidentiality, integrity, and availability of all e-PHI they create,
receive, maintain or transmit;
2. Identify and protect against reasonably anticipated threats to the security or
integrity of the information;
3. Protect against reasonably anticipated, impermissible uses or disclosures;
and
4. Ensure compliance by their workforce.
The Security Rule defines “confidentiality” to mean that e-PHI is not available
or disclosed to unauthorized persons. The Security Rule's confidentiality
requirements support the Privacy Rule's prohibitions against improper uses and
disclosures of PHI. The Security Rule also promotes the two additional goals of
maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity”
means that e-PHI is not altered or destroyed in an unauthorized manner.
“Availability” means that e-PHI is accessible and usable on demand by an authorized
person.
HHS recognizes that covered entities range from the smallest provider to the
largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to
allow covered entities to analyze their own needs and implement solutions
appropriate for their specific environments. What is appropriate for a particular
covered entity will depend on the nature of the covered entity’s business, as well as
the covered entity’s size and resources.
Technical Safeguards
• Covered entities are required to comply with every Security Rule "Standard."
However, the Security Rule categorizes certain implementation specifications
within those standards as "addressable," while others are "required." The
"required" implementation specifications must be implemented. The
"addressable" designation does not mean that an implementation
specification is optional. However, it permits covered entities to determine
whether the addressable implementation specification is reasonable and
appropriate for that covered entity. If it is not, the Security Rule allows the
A. References
1. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
2. Mehmood, R., Katib, S. S. I., & Chlamtac, I. (2020). Smart Infrastructure
and Applications. Springer International Publishing.