Medical Data Everywhere: Danger in the Cloud
This is part 3 of a 4-part series on healthcare data risks. Read part 1, Medical Data Everywhere: Health Revolution or Time Bomb?; part 2, Medjacking: The Newest Healthcare Risk?; and part 4, Data Insecurity and the Human Factor.
Chances are that your healthcare organization has already chosen to use cloud computing as part of its IT infrastructure, and with good reason: cloud computing is a cost-effective way to grow IT capacity, and software services available through the cloud can make your workforce more productive. And your IT team has worked with your service providers to protect your data in the cloud. All good, right? But here’s the rub: a new study from Skyhigh Networks shows that the average healthcare organization is using over 10 times more cloud services than the IT organization knows about. Think about that: more than 9 out of 10 services used in the course of business are unmonitored and unsecured. That amounts to one huge security hole, and cybercriminals are jumping in to exploit it.
In this series on medical data, we’ve looked at the many new places healthcare information is being exposed including through connected devices. In this article, we’ll look at the least understood and most insidious new threat to healthcare information security.
Foggy About the Cloud
In a recent report from the Ponemon Institute, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, survey respondents identified cloud usage as a primary security concern for the healthcare industry. Thirty-three percent rated public cloud service use as a top security threat for their organizations. (Employee negligence was listed as the top threat, at 70 percent, and cyberattacks came in second at 40 percent.)
In fact, the cloud security threat is likely bigger than most organizations realize. According to MedCity News, the recent Skyhigh study found that the average healthcare organization uses 928 different cloud services: 60 known to IT and 868 (about 93 percent) that are "shadow services," neither known nor tracked by the IT, infosec, privacy, or compliance functions. While the volume of untracked cloud computing is troubling, it is not surprising. Statistics from the study reveal how much of today's everyday communication and collaboration happens online:
- The average employee uses 28 distinct cloud services, including seven collaboration services, four file-sharing services, three social media services, and four content-sharing services.
- The average organization shares documents with 826 external domains, including business partners and personal email addresses such as Gmail.
- Almost 28 percent of users have uploaded sensitive data to a file-sharing service.
- The average organization now connects with 1,586 business partners via the cloud. A significant number of these may also be partners of partners, and hence unknown and unaccounted for. And it’s best to assume that every employee of every partner is also using multiple cloud services.
The bottom line is that you can’t protect data you can’t see, and you can’t see a lot of what’s in the cloud.
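The first step in seeing what is in the cloud is to measure it from data you already have. The script below is an added example, not code from the original article or from Skyhigh Networks: it reads web-proxy log lines, separates the cloud services IT has sanctioned from the ones it has not, and flags large uploads to unsanctioned file-sharing and social-media hosts. The log format, the sanctioned-service inventory, the domain categories, the upload-size threshold, and the sample log lines are all assumptions constructed for this example; a real deployment would feed it your proxy's actual format and a maintained service catalog.

```python
"""Discover 'shadow' cloud services from web-proxy logs.

Added example; not from the original article or from Skyhigh Networks.
The log format, the sanctioned-service list, the domain categories and
the upload threshold are assumptions made for this example.
"""
import re
from collections import defaultdict

# Hypothetical inventory of cloud services IT has approved (assumed).
SANCTIONED = {
    "mail.example-ehr.com": "EHR portal",
    "sharepoint.example.com": "Document management",
}

# Hypothetical categorisation of a few consumer services by type, used to
# show which unsanctioned categories carry data-loss risk (assumed).
CATEGORIES = {
    "drive.google.com": "file-sharing",
    "dropbox.com": "file-sharing",
    "wetransfer.com": "file-sharing",
    "twitter.com": "social-media",
    "slack.com": "collaboration",
}

# Assumed proxy log line shape (constructed for this example):
# <timestamp> <user> <method> <host> <status> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)

# Bytes sent in a single request above which we call it a bulk upload
# (assumed threshold; tune to your environment).
UPLOAD_THRESHOLD = 1_000_000


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def _host_matches(host, domain):
    # 'files.dropbox.com' matches 'dropbox.com'; 'dropbox.com.evil.net' does not.
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """Return (sanctioned, label): label is the service name if sanctioned,
    otherwise the risk category ('unknown' if we have no category)."""
    for dom, name in SANCTIONED.items():
        if _host_matches(host, dom):
            return True, name
    for dom, cat in CATEGORIES.items():
        if _host_matches(host, dom):
            return False, cat
    return False, "unknown"


def analyse(lines):
    """Summarise services seen, shadow services, and bulk shadow uploads."""
    services = defaultdict(set)   # host -> set of users
    shadow = {}                   # host -> category
    bulk_uploads = []             # (user, host, bytes_out)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        host = rec["host"]
        services[host].add(rec["user"])
        sanctioned, cat = classify_host(host)
        if not sanctioned:
            shadow[host] = cat
            if rec["method"] in ("POST", "PUT") and rec["bytes_out"] >= UPLOAD_THRESHOLD:
                bulk_uploads.append((rec["user"], host, rec["bytes_out"]))
    return {
        "total_services": len(services),
        "shadow_services": shadow,
        "shadow_ratio": len(shadow) / len(services) if services else 0.0,
        "bulk_uploads": bulk_uploads,
        "users_per_service": {h: sorted(u) for h, u in services.items()},
    }


# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
2015-06-01T09:12:03Z alice GET sharepoint.example.com 200 512
2015-06-01T09:13:44Z alice POST files.dropbox.com 200 4194304
2015-06-01T09:15:10Z bob GET drive.google.com 200 1024
2015-06-01T09:15:12Z bob PUT drive.google.com 201 2500000
2015-06-01T09:20:00Z carol GET api.twitter.com 200 300
2015-06-01T09:21:31Z carol POST api.twitter.com 200 140
2015-06-01T09:22:00Z dave GET mail.example-ehr.com 200 2048
malformed line that the parser skips
""".splitlines()

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"{report['total_services']} services seen, "
          f"{len(report['shadow_services'])} shadow ({report['shadow_ratio']:.0%})")
    for host, cat in sorted(report["shadow_services"].items()):
        print(f"  shadow: {host} [{cat}] users={report['users_per_service'][host]}")
    for user, host, nbytes in report["bulk_uploads"]:
        print(f"  bulk upload: {user} -> {host} ({nbytes} bytes)")
```

On the constructed sample the script reports five services, three of them shadow, and two bulk uploads to unsanctioned file-sharing hosts. The point of the exercise is the inventory, not the threshold: once the shadow list exists, each entry can be sanctioned, blocked, or at least watched, which is exactly what the unmonitored 93 percent in the Skyhigh figures lacks. Real proxy logs carry many more fields and hosts, and the suffix matching here should be replaced by public-suffix-aware matching before it is trusted against a full log.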
Crime Lurks in the Cloud
It’s interesting that the Ponemon study respondents listed cloud computing behind employee negligence and cyber-attacks as a security worry. The truth is that the three work hand in hand to put organizations at risk.
Virtually every security study this year has revealed that cyber-attacks are now the number one cause of data breaches, and most of these are multi-stage attacks that begin with social engineering, proceed to gain network access with stolen passwords or malware, then exfiltrate sensitive information. As contributor Dan Munro recently pointed out in Forbes, “The latest techniques for cyber theft at scale are much less about breaching networks from the outside—and all about social engineering with sophisticated tools to capture privileged access from the inside…Consumer cloud services like LinkedIn, Snapchat, Zappos, Evernote, Adobe, Kickstarter, eBay, Uber, iCloud and LastPass have all had significant data breaches.”
Cloud services expose employees to all kinds of social engineering. The Skyhigh report finds that each cloud user is tracked by an average of four analytics and advertising services, and cyber-criminals are increasingly using these services to deliver "malvertising" that can lead users to spoofed sites and capture their passwords. Tracking data also helps criminals pick targets for "watering hole" attacks, in which they compromise a site the intended victims are known to visit and serve malicious content from it. Employees may also download apps containing malware to their workstations or personal devices, giving criminals a foothold from which to attack. Even social media accounts can give criminals enough access to steal information: Skyhigh found an attack that used Twitter to exfiltrate data 140 characters at a time. While employees may not be outright negligent in these situations, most are certainly unaware that their social media usage may be putting their employer's data at risk.
Once criminals gain access to information in the cloud, stealing data is relatively easy. The Skyhigh report found that only 15 percent of cloud services supported multi-factor authentication (MFA) and only around 9 percent encrypt data stored at rest. Note that encryption at rest protects against a lost or stolen disk on the provider's side; it does nothing against a criminal who logs in with a stolen password, which is why the MFA figure matters more for the attacks described above. Over 57 percent of the sensitive data in the cloud is in Microsoft Office files. When breaches involving cloud data do happen, organizations face not only the normal risks but also the potential regulatory penalties for having left regulated data unsecured. The CipherCloud data security report found that 64 percent of the cloud security challenges faced were in the areas of audit, compliance, and privacy regulations.
Safety Tips for the Cloud
Ironically, one of the motivations for adopting cloud computing has been to improve security: lost devices have historically been a major cause of data breaches, and real-time access to data in the cloud eliminates the need to store large data sets on individual devices. Unfortunately, the threat balance has shifted toward cyber-attacks. Cloud services provide an easy entrée for cyber-criminals, and the genie is out of the bottle: cloud services are not going away anytime soon. But there are steps your organization can take to help protect against cloud-based attacks. In Health Data Management, cloud security vendor Portico offers some tips for improving cloud security on the IT and compliance side:
- Consider extending identity and access management solutions to the cloud.
- Obtain business associate agreements (BAAs) from all solution vendors, including cloud vendors and service providers, and make sure they clearly define the division of responsibility for compliance.
- Have your internal IT request certifications and audits from cloud vendors and perform penetration tests periodically. (The Cloud Security Alliance offers multiple levels of security certifications for cloud-based vendors, and some of their certification levels include independent audits.)
All of these steps will help improve security, but most of what happens in the cloud is in shadow services that your employees and partners use and that you can’t control or monitor. You can lower those risks by granting users access to the minimum amount of information necessary to perform a given task, and you can work with your staff and business partners to teach good security practices and raise awareness. But the siren call of the web is strong, and since you can’t control what people do in the cloud, you have to plan for cloud-based risks as you would for any security incident or breach. Regardless of where the data lives, if you’ve done thorough data inventories and risk analysis, you know what protected health and personal information you hold and the risks if it is compromised. If you have a solid incident response plan in place, you should be prepared for a cloud-based attack if it comes.
In the end, both risk and protection depend on people. In the final article in this series, we’ll take a deeper look at the human factor in medical data risks.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.