The prolific manner in which healthcare workers use cloud services for storage and collaboration purposes poses a huge and growing threat to health data.
An analysis of cloud service usage of over 1.6 million employees at healthcare providers and payers by Skyhigh Networks shows that a vast majority of healthcare organizations are only dimly aware of the extent of cloud service usage by employees.
Even though healthcare organizations are tightly regulated and the risks to patient health information are well understood, employee behavior with regard to cloud usage is no different from any other sector, says Rajiv Gupta, CEO of Skyhigh.
“You might think because an industry is regulated, things are more locked down,” he says. But the opposite is true, he says. Healthcare workers use un-vetted cloud services to share and collaborate with sensitive health information on a scale that most organizations are completely unaware of, he says.
“The amount of data going from an average healthcare organization to the cloud each month is more than the amount of data in all of Wikipedia’s databases."
Here are four ways the trend is putting sensitive patient health data at risk:
The Shadow IT Problem
A lot of the cloud services used at healthcare organization happen outside the IT group’s purview or their knowledge. The Skyhigh analysis showed that workers at the healthcare organization use over 920 cloud services in the workplace. Yet, the IT organization itself is typically aware of only about 60 of them.
That means on average over 860 cloud services are being used to share, store, and collaborate on health data that IT has no idea about. The risk posed by such shadow cloud services is enormous, Gupta says. “It’s surprising how far the industry is in their understanding and assessment of the potential for compromise.”
Consumer Grade Services
A vast majority of the cloud services that healthcare employees use for work-related purposes is consumer grade and offers little to none of the security controls needed to properly protect sensitive patient health information (PHI).
Skyhigh found that the average healthcare organization uses over 180 collaboration services, including those like Office 365, Evernote, and Gmail. Other popular services include those used for development purposes like GitHub and SourceForge, content sharing services like LiveLeak, and file-sharing services like Dropbox and Google Drive. On average each employee uses 26 distinct cloud services.
Yet, a bare 7 percent are enterprise ready, less than 15 percent support two-factor authentication, and 9.4 percent support encryption of data at rest.
Huge data volumes
The healthcare organizations that Skyhigh considered for its analysis uploaded an average of 6.8 terabytes of sensitive data to the cloud each month, a lot of it without IT’s knowledge.
Such data is increasingly of interest to malicious attackers. The intrusions at Anthem, Community Health Services and Premera Blue Cross over the past several months have highlighted the growing value of healthcare data to cybercriminals. A complete health record with a social security number in fact now can fetch 20 times the price of a stolen credit car, according to Skyhigh.
In addition to the risks posed by malicious attackers, organizations may be at risk in other ways as well, Gupta says. Some cloud services, for example, require users to consent to terms and condition that basically give ownership of the data to cloud providers. Many cloud services also track users for targeted ad delivery purposes. Such services can sometimes be coopted by cybercriminals and used for more malicious purposes, he notes.
Hiding Risky User Behavior
The massive use of cloud services by healthcare workers makes it relatively easy for malicious insiders to conceal illegal behavior, Skyhigh said in its report. In many cases, healthcare organizations have no way to detect intentional or unintentionally risky behavior in the cloud. Not surprisingly, though, 79 percent of healthcare organizations had behavior indicative of an insider threat, only 33 percent actually detected it.
The incidence of potentially malicious, negligent or risky behavior by users in the cloud is much higher than organizations assume, Gupta says.