Posted by: adelvecchio
Guest post by Doug Pollack, CIPP/US, chief strategy officer, ID Experts
Chances are that your healthcare organization has already chosen to use cloud computing as part of its IT infrastructure, and with good reason: Cloud computing is a cost-effective way to grow IT capacity, and software services available through the cloud can make a workforce more productive. And your IT team has worked with your service providers to protect data in the cloud. All good, right? But here’s the rub: A new study from cloud security vendor Skyhigh Networks shows the average healthcare organization is using more than 10 times more cloud services than the IT organization knows about. Think about that: more than nine out of 10 services used in the course of business are unmonitored and unsecured. That amounts to one huge security hole, and cybercriminals are jumping in to exploit this new threat to healthcare information.
Foggy about the cloud
In a recent report from the Ponemon Institute, the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, survey respondents identified cloud usage as a primary security concern for the healthcare industry. A third of respondents rated public cloud service use as a top security threat to their organizations. Employee negligence was listed as the top threat, at 70%, and cyberattacks came in second at 40%.
In fact, the cloud security threat is likely bigger than most organizations realize. According to MedCity News, the Skyhigh study found that the average healthcare organization uses 928 different cloud services: 60 that are known to IT and 868 (about 93%) that are “shadow services” not known or tracked by the IT, infosec, privacy, or compliance functions. While the volume of untracked cloud computing is troubling, it is not surprising. Statistics from the study reveal how much of today’s everyday communication and collaboration happens online:
- On average, an employee uses 28 distinct cloud services, including seven collaboration services, four content-sharing services, three social media services and four file-sharing services.
- The average organization shares documents with 826 external domains, including business partners and email providers such as Gmail.
- Almost 28% of users have uploaded sensitive data to a file-sharing service.
- The average organization is connected to 1,586 business partners via the cloud. A significant number of these may also be partners of partners, and hence unknown and unaccounted for. It’s best to assume that every employee of every partner is also using multiple cloud services.
The bottom line is that you can’t protect data you can’t see, and you can’t see a lot of what’s in the cloud.
Crime lurks in the cloud
It’s interesting that the Ponemon study respondents listed cloud computing behind employee negligence and cyberattacks on their list of security worries. The truth is that the three work hand-in-hand to put organizations at risk.
Virtually every security study this year has shown that cyberattacks are now the top cause of data breaches, and most are multi-stage attacks that begin with social engineering, proceed to gain network access with stolen passwords or malware, then exfiltrate sensitive information. As Dan Munro recently pointed out in Forbes, “The latest techniques for cyber theft at scale are less about breaching networks from the outside — and all about social engineering to capture privileged access from the inside. Consumer cloud services like LinkedIn, Snapchat, Zappos, Evernote… have all had significant data breaches.”
Cloud services expose employees to all kinds of social engineering. The Skyhigh report found each cloud user is tracked by an average of four analytics and advertising services, and cybercriminals are increasingly using these services to deliver “malvertising” that can lead users to spoofed sites and capture their passwords. Tracking also enables “watering hole” attacks where criminals impersonate users at a favorite site and trick other users into revealing information.
Employees may also download apps containing malware to their workstations or personal devices, giving criminals a foothold from which to attack. Even social media passwords can give criminals enough access to steal information. Skyhigh found an attack that used Twitter to exfiltrate data 140 characters at a time. While employees may not be outright negligent in these situations, most are certainly unaware their social media usage may be putting their employer’s data at risk.
Once criminals gain access to information in the cloud, stealing data is relatively easy. The Skyhigh report revealed that only 15% of cloud services supported multi-factor authentication and only around 9% encrypted data stored at rest. More than 57% of the sensitive data in the cloud is in Microsoft Office files. When breaches involving cloud data happen, organizations face not only the normal risks but also potential regulatory penalties for having unsecured data. A CipherCloud data security report found that 64% of cloud security challenges stem from the areas of audit, compliance, and privacy regulations.
Safety tips for the cloud
Ironically, one of the motivations for adopting cloud computing has been to improve security. Lost devices have historically been a major cause of data breaches, and real-time access to data in the cloud eliminates the need to store large data sets on individual devices. Unfortunately, the threat balance has shifted toward cyberattacks. Cloud services provide an easy entrée for cybercriminals, and the genie is out of the bottle: Cloud services are not going away anytime soon. But there are steps an organization can take to help protect against cloud-based attacks. In Health Data Management, cloud security vendor Porticor Ltd. offered some tips for improving cloud security on the IT and compliance side:
- Consider extending identity and access management solutions to the cloud.
- Obtain business associate agreements from all vendors, including cloud vendors and service providers, and make sure the agreement clearly defines the associate’s compliance responsibilities.
- Have the IT department occasionally perform penetration tests and request audits and certifications from cloud vendors. The Cloud Security Alliance offers multiple levels of security certifications for cloud-based vendors, and some of their certification levels include independent audits.
All of these steps will help improve security, but most of what happens in the cloud takes place in shadow services that employees and partners use, and that activity can’t be controlled or monitored. These risks can be lowered by granting users access to the minimum amount of information necessary to perform a given task. Staff and business partners should also be taught good security practices. But the siren call of the Web is strong, and since what people do in the cloud can’t be controlled, cloud-based risks have to be planned for in the same way as any other security incident or breach.
Regardless of where the data lives, if thorough data inventories and risk analyses have been done, an organization will know what protected health and personal information it holds and the risks of it being compromised. If a solid incident response plan is in place, an organization should be prepared for a cloud-based attack.
In the end, both risk and protection depend on people.