Your RT QA data is very important to your organization. QA data represents an enormous commitment of physicist and therapist time to measure and analyze. You want to ensure that sensitive machine performance data is not shared outside your organization. Furthermore you need to retain and produce that data to demonstrate compliance with accreditation requirements and regulatory authorities.
To this end we expect our data to be:
- Available when and where we want to see and use it. It is not acceptable to be told that the network is down for expected reasons such as maintenance or unexpected reasons such as power outages. Users want access to their data on a variety of devices, not just on a dedicated workstation.
- Secure from unintended use or abuse. We don't want to worry that we have missed some crucial security loophole. Most of us are not world-class security experts and don't aspire to become an expert. We have enough on our plates.
- Durable and not subject to becoming lost or corrupted over time. Not only might we want to retrieve historical data for further analysis but increasingly we need to maintain such data in a highly durable fashion for regulatory and accreditation requirements.
Our data is under constant threat, both external and internal, that can compromise its availability, security and durability.
These threats can be categorized broadly as:
- Physical threats: Threats ranging from power outages through unauthorized physical access into facilities to catastrophic natural events.
- Network threats: These are perhaps the most ubiquitous threats in our interconnected world. They range from blunt denial of service attacks to more sophisticated intrusions of data systems.
- Organizational threats: Vulnerabilities caused by poor organizational practices or sometimes simply a lack of depth and expertise in an organization.
Image Owl has years of experience in providing and managing secure online analysis services and databases. We have chosen to use Amazon Web Services (AWS) to host and manage our cloud infrastructure. This allows us to focus on providing the user with unparalleled QA data management and analysis solutions while maintaining the highest levels of availability, security and durability.
A resilient QA system from Image Owl based on a modern cloud platform such as Amazon Web Services can address these threats through:
1. World-class Physical Security:
The first question to ask yourself is whether your data is all contained in one physical location and whether that location is truly secure? Even if you have backups in remote locations how accessible are they and how easily could you restore your system to its previous state?
Some threats to consider:
- Fire: Not only do you want to consider fires in the actual facility itself but also mandatory evacuations due to events such as forest fires, train derailments, industrial chemical fires and explosions.
- Flooding: Over the years a number of therapy and diagnostic facilities have experienced catastrophic flooding due to hurricanes or river flooding. The tendency of RT facilities to be in basements does not help here!
- Power Outages leading to loss of climate control: Extended power outages with lack of environmental controls can play havoc with data storage systems.
- Physical intrusion: Intruders may not care what they damage, destroy or remove. Or perhaps they are well aware and this is a targeted attack. How easily can an unauthorized person access your data storage and networks?
- Decommissioning Risks: An often underappreciated threat is data leaks during decommissioning of devices where data is not completely removed and destroyed.
AWS employs a dispersed strategy to mitigate physical threats. Its data centers are in physically diverse locations within each of its service regions. AWS ensures that the centers are not subject to common natural disaster threats and are not dependent on common services such as power utilities and water supply. Users of AWS can further diversify their exposure by electing to use multiple regions for their services around the world for both performance and security reasons.
Access to these facilities is strictly controlled even within the Amazon organization and they are continuously monitored 24/7 by both human and automated security systems. The facilities have state of the art fire detection, prevention and suppression capabilities and can generate power independently for extended periods of time.
Most importantly, your data is always held at a minimum of 3 dispersed locations. If any of the copies goes offline or is destroyed, new copies are automatically and seamlessly generated. Should an instance of your server and other AWS services go down or become excessively slow, new instances will be initiated. To the end user this switch is completely transparent.
2. Superior Network Security
Network threats abound no matter whether your infrastructure resides in a cloud service or in your own server facility. These are just some of the more obvious threats to networked systems.
- Distributed Denial of Service Attacks seek to overwhelm the service with torrents of requests. Recognized denial of service attacks reached levels of 28 per hour in 2014 (Preimesberger, Chris (May 28, 2014). "DDoS Attack Volume Escalates as New Methods Emerge". eWeek.)
- Man in the Middle Attacks occur when communications between two trusted parties are intercepted and manipulated. This is often to gain sensitive information and access privileges. Often the malware used for this comes in the guise of spam emails.
- Packet sniffers (sometimes referred to as protocol analyzers) can intercept and decode individual data packets in a network. Originally developed to analyze and troubleshoot network problems, they have also been used by law enforcement and national security agencies to eavesdrop on network traffic. They can be used to reconstruct exchanges of data between parties, especially when the traffic is unencrypted.
- Access points to networks represent potential vulnerabilities both in hardware and software weaknesses.
- IP spoofing happens when a server presents itself with a trusted IP address that does not belong to it in order to gain access to other systems or sensitive information.
- Port Scanning refers to the practice of probing a server’s port addresses to find unsecured open ports to exploit.
This is merely the tip of the iceberg and network threats are continually evolving.
The AWS service originated in Amazon’s need to quickly scale its operations to meet seasonal needs in the Holiday season. As the world’s largest online retailer Amazon’s success is absolutely dependent on its systems’ reliability and security. This operational experience translates to an almost unparalleled depth of knowledge and skills in maintaining uptime and security. By using AWS we tap into those capabilities for a nominal cost.
- AWS services employ state of the art practices when designing secure networks. Special attention is paid to external network access points to ensure that hardware and software vulnerabilities cannot be exploited and that redundant backups exist should they be subject to attack.
- A key component for network security is encryption both while the data is stored and at all times during transmission. Image Owl makes full use of encryption services offered by AWS to ensure data security.
- A corporate firewall exists between Amazon’s retail and corporate operations and its AWS services. Although Amazon is a large company access to AWS infrastructure is strictly controlled with multiple layers of authentication required.
- Amazon systems are designed to be fault tolerant. Sections of the service could go down with minimal impact on customer experience.
- The distributed and independent nature of AWS resources mitigates the effects of denial of service attacks. As one of the cloud's most prominent entities, Amazon is experienced at defending its networks from attack and has developed numerous proprietary technologies to combat these threats.
- Again, encryption at all points along the data transmission chain ensures that eavesdropping and packet sniffing will be fruitless enterprises.
- The AWS systems operate on the basis that all access is denied unless explicit permission is given. Access permissions can be managed at a very granular level to limit users to very specific actions.
- Crosstalk between server instances is strictly controlled even if they are owned by the same user.
Ask yourself if your organization’s IT department has the same resources and depth of experience and track record as Amazon.
They may be very good but are they absolutely world-class?
3. Organizational Security
Organizational threats can undermine your system even if you have excellent physical and network security. Organizational security is largely a matter of organizational discipline and sound practices.
- A small IT organization can be severely hampered by the departure of one or two key people with deep institutional and network architecture knowledge.
- Data breaches have often occurred by accidental or deliberate removal of data by employees.
- Unsafe or out-of-date systems (often the result of poor hardware and software maintenance practices) expose significant vulnerabilities. It is surprising, for example, how many XP desktops are still in use in the medical field despite being no longer supported by Microsoft.
- Simple data access practices such as password strength requirements, password expiration and the adoption of multi-factor access help prevent some of the most common causes of data breaches.
AWS has a number of state of the art access control technologies that it employs internally and makes available to its customers. Image Owl makes use of all these technologies. Access to AWS services is very strictly controlled, with extensive background checks and monitoring of employees. Credentials are limited and expire automatically when no longer needed.
Think about the maintenance and testing budget your organization’s IT department has. Does it maintain a continuous testing program to thoroughly test software and hardware upgrades?
AWS ensures that hardware and software are fully tested and up to date before becoming operational. AWS’s maintenance budget and scale allow for the continual testing and upgrading of equipment to the latest standards.
AWS also provides logging services that provide a very detailed trail should an incident occur.
4. HIPAA/HITECH Compliance
The cloud infrastructure provided by AWS is certified to be HIPAA and HITECH compliant.
HIPAA requires that Patient Health Information (PHI) be maintained securely. AWS’s encryption throughout the process ensures that PHI cannot be read or exposed. Access policies limit access to trusted individuals. Your data is encrypted and AWS cannot decrypt it.
HIPAA also requires disaster recovery plans to be in place and AWS's physical and network security ensure that these are up to date and effective. Image Owl makes full use of these tools.
Even though Image Owl’s service does not cover patient-specific information, the policy is to comply with HIPAA policies just in case the system should come in contact with patient information.
Securing your data is not a simple task and requires extensive resources and dedication. Although your organization may have many of these elements to one degree or another, ask yourself whether data security is really your institute’s core competency or does your organization’s true calling lie in another area such as delivering outstanding patient treatment and care?
Where do you really want to place the focus of your organization’s innovation and resources?
In our view maintaining your QA data on the cloud with Image Owl products is not only convenient but the responsible choice from a security and reliability point of view. It allows you to concentrate on delivering world-class treatment and care to your patients without distraction.