by Geoff Halstead, GoCircle, Inc.
September 2020 – The global impact of COVID-19 has dramatically accelerated existing trends by fundamentally requiring companies of all sizes to quickly adopt a remote engagement and distributed collaboration strategy for their customers, employees and business partners. The early indicators – and our collective lived experience – tell us that this is a transformational, permanent shift driven by benefits to productivity, flexibility and satisfaction for all types of users.
As the daily headlines attest, however, this sudden and dramatic shift has also brought attention to the “dark side” of cloud-based application architectures: they provide efficiency and convenience but are weak in the areas of security and data protection. Indeed, the next epidemic already breaking upon us is a new wave of data theft, ransomware, infrastructure and other attacks by criminal hackers, malicious state actors and a myriad of other threats. The environment and hosts that can be exploited by these destructive viruses of the connected digital age have just expanded dramatically. The Internet of Things will further accelerate this expansion exponentially into every facet of daily work and life.
The Challenges and Impacts for Payors and Providers
Given the value and sensitivity of electronic protected health information (ePHI) and personally identifiable information (PII), the dire operational impacts, and the enormous costs of breaches, healthcare providers and payors are at particular risk. The numbers are stark:
- $3.92 million: the global average cost of a data breach in 2019
- 25,575: average number of records compromised
- $5.1 million: the total cost for companies with more than 25,000 employees
- $2.65 million: the total cost for companies with 500–1,000 employees
- 6%: the odds of experiencing a data breach
- $150: the average cost for each lost or stolen record containing confidential information
This is exacerbated by the conflicting demands for:
- the protection of ePHI and PII by HIPAA; while also
- providing patients with access to and portability of their healthcare data; and
- enabling efficient and fluid exchange of information between providers that are using heterogeneous networks and applications.
How can payors and providers satisfy all of these requirements simultaneously?
The Bad News: Current Cloud-based Application Architectures Are Insecure
The bad news is that with the current cloud-based architectures of most applications this is nearly impossible. The best that can be achieved is a series of compromises between data access and efficiency on the one hand and data privacy and security on the other.
The problem is foundational. Current cloud-based architectures gain efficiency through principles that are fundamentally flawed from a security standpoint.
- Centralization of data. All data is held in centralized data warehouses on cloud servers. This means that when there is a security breach, it is enormous and catastrophic.
- Remote Access. All data therefore must be accessed remotely, meaning that users must log in with credentials – user names and passwords – a vulnerability which leads to over 80% of breaches today.
- Keys in the Cloud. Encryption is applied widely as a critical first step for data security. Unfortunately, current architectures require that the keys to decrypt this data be stored and used in the cloud. And capturing keys is all too easy for hackers.
- Enormous Attack Surface. Finally, any one of the billions of devices connected to the Internet can attack a Cloud server, exploiting the vulnerabilities above.
Thus, while companies should and do take many steps to add layers of security to their platforms and applications, they cannot address the cracks in their foundations. We can treat the symptoms, but we cannot cure the disease without a fundamentally new approach.
The Good News: Next Generation P2P Application Architectures Can Solve This Problem
The good news is that revolutionary new approaches to software that leverage decentralized, peer-to-peer architectures, end-to-end encryption and distributed ledger technology can address these challenges and power the next generation of secure, private and trusted collaboration on the Internet.
Thanks to their use by Blockchain and Cryptocurrencies, many people are familiar by now with the terms and concepts of “Distributed Ledger Technology” and “Peer-to-Peer Network”. What is less well known is that the architectural principles that make these secure can be applied to bring a new level of security to software platforms and applications in the connected digital age. These principles change the equation, eliminating the foundational cracks in current architectures while preserving the benefits of the cloud and the internet:
- Decentralization of data. Data is separated, and most crucially, access to data is segmented into many smaller pools that are separately encrypted. This minimizes the impact of breaches, and particularly of insider attacks by the Edward Snowdens of the world.
- Device-based Access. Even though the data is stored in the cloud, it can only be accessed locally, on specific devices. This means that there are no credentials – no user names or passwords – to steal! Hackers must gain access to the device: remote attacks are impossible. And even then, data on each device is encrypted, and access to it can be restricted to authorized users in ways that are impossible to hack without that user’s explicit cooperation.
- No Keys in the Cloud. With P2P architectures, encryption keys are created and stored only on devices in the P2P private network, never in the cloud. This ensures that hackers cannot gain access to any encrypted data stored in warehouses in the Cloud.
- Minimal Attack Surface. Finally, as described above, P2P architectures have zero attack surface in the Cloud. The only vector of attack is devices physically controlled and accessed by users. And there are many methods available to lock these down in ways that are impossible with a centralized cloud application architecture.
The cloud and the internet are not going away: the benefits are too enormous. But if we want to regain security and privacy, we need to change our approach. No system is ever “hack-proof”, but the new P2P architectures fundamentally change the paradigm for security to address the weaknesses of current approaches, while preserving the benefits of the cloud. This creates an opportunity to power a new generation of distributed collaboration and remote engagement with no compromise of security, privacy, compliance, data protection, and ease-of-use.
About the Author
Geoff is a seasoned technology product and business development executive who brings over 25 years of successful execution in creating, designing and building Web and Mobile software products. He is currently consulting with clients as a Fractional Chief Product Officer, including GoCircle, Inc. Launching soon, Circle will power the next generation of distributed collaboration with No Compromise on security, compliance, privacy, ease-of-use, data governance, and peace of mind.
Prior to GoCircle, Geoff was Chief Product Officer of Connexient, Inc. In that role, he took the company from a napkin sketch to the clear market leader for Enterprise Digital Wayfinding and Navigation Services, with over 35 major medical centers and healthcare network clients across North America and acquisition by Everbridge. Prior to Connexient, Geoff was Vice President of Business Development for Lagardere Active, the seventh-largest media company in the world, where he was part of the go-to-market team that launched and built the company’s mobile unit in North America to over $100M in revenues in 4 years. Geoff was also Co-Founder and CEO of Traffic Station, Inc., an early B2B2C pioneer in Location-based Services for mobile applications and precursor to Waze.