Dark Reading is part of the Informa Tech Division of Informa PLC




4 Ways Cloud Usage Is Putting Health Data At Risk

A huge shadow IT problem is just one of the risks of uncontrolled cloud usage in healthcare organizations, new study shows.

The prolific manner in which healthcare workers use cloud services for storage and collaboration purposes poses a huge and growing threat to health data.

An analysis of cloud service usage of over 1.6 million employees at healthcare providers and payers by Skyhigh Networks shows that a vast majority of healthcare organizations are only dimly aware of the extent of cloud service usage by employees.

Even though healthcare organizations are tightly regulated and the risks to patient health information are well understood, employee behavior with regard to cloud usage is no different from any other sector, says Rajiv Gupta, CEO of Skyhigh.

“You might think because an industry is regulated, things are more locked down,” he says. But the opposite is true, he says. Healthcare workers use un-vetted cloud services to share and collaborate with sensitive health information on a scale that most organizations are completely unaware of, he says.

“The amount of data going from an average healthcare organization to the cloud each month is more than the amount of data in all of Wikipedia’s databases.”

Here are four ways the trend is putting sensitive patient health data at risk:

The Shadow IT Problem

Much of the cloud service usage at healthcare organizations happens outside the IT group’s purview or knowledge. The Skyhigh analysis showed that workers at the average healthcare organization use over 920 cloud services in the workplace. Yet the IT organization itself is typically aware of only about 60 of them.

That means on average over 860 cloud services are being used to share, store, and collaborate on health data that IT has no idea about. The risk posed by such shadow cloud services is enormous, Gupta says. “It’s surprising how far the industry is in their understanding and assessment of the potential for compromise.”

Consumer Grade Services

A vast majority of the cloud services that healthcare employees use for work-related purposes are consumer grade and offer few or none of the security controls needed to properly protect sensitive patient health information (PHI).

Skyhigh found that the average healthcare organization uses over 180 collaboration services, including those like Office 365, Evernote, and Gmail. Other popular services include those used for development purposes like GitHub and SourceForge, content sharing services like LiveLeak, and file-sharing services like Dropbox and Google Drive. On average each employee uses 26 distinct cloud services.

Yet, a bare 7 percent are enterprise ready, less than 15 percent support two-factor authentication, and 9.4 percent support encryption of data at rest.

Huge Data Volumes

The healthcare organizations that Skyhigh considered for its analysis uploaded an average of 6.8 terabytes of sensitive data to the cloud each month, a lot of it without IT’s knowledge.

Such data is increasingly of interest to malicious attackers. The intrusions at Anthem, Community Health Services and Premera Blue Cross over the past several months have highlighted the growing value of healthcare data to cybercriminals. A complete health record with a Social Security number can now fetch 20 times the price of a stolen credit card, according to Skyhigh.

In addition to the risks posed by malicious attackers, organizations may be at risk in other ways as well, Gupta says. Some cloud services, for example, require users to consent to terms and conditions that basically give ownership of the data to cloud providers. Many cloud services also track users for targeted ad delivery purposes. Such services can sometimes be co-opted by cybercriminals and used for more malicious purposes, he notes.

Hiding Risky User Behavior

The massive use of cloud services by healthcare workers makes it relatively easy for malicious insiders to conceal illegal behavior, Skyhigh said in its report. In many cases, healthcare organizations have no way to detect intentionally or unintentionally risky behavior in the cloud. Not surprisingly, although 79 percent of healthcare organizations had behavior indicative of an insider threat, only 33 percent actually detected it.

The incidence of potentially malicious, negligent or risky behavior by users in the cloud is much higher than organizations assume, Gupta says. 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Joe Stanganelli
User Rank: Ninja
6/30/2015 | 11:07:28 PM
Re: Nature of Source
A worthwhile point...but a safely assumed one, I think.  Any org that is not a nonprofit doing a study or releasing a whitepaper likely has a strong financial interest...
Joe Stanganelli
User Rank: Ninja
6/30/2015 | 11:06:19 PM
5th way
I have a 5th way -- or, at least, a way related to the 2nd way.

A doctor I used to see had me read and sign some consent form for putting my EHR in the cloud.  I indicated that I did NOT assent to this.

Months later, I get an email saying, "Congratulations!  Your health data is now in the cloud!" blah blah blah.

I was peeved, to say the least.
User Rank: Apprentice
6/27/2015 | 6:40:44 PM
Nature of Source
While I don't disagree with any of the points made, it probably wouldn't have been a bad thing to note that Skyhigh Networks is a cloud security company.