
6/26/2015
03:30 PM

4 Ways Cloud Usage Is Putting Health Data At Risk

A huge shadow IT problem is just one of the risks of uncontrolled cloud usage in healthcare organizations, new study shows.

The prolific manner in which healthcare workers use cloud services for storage and collaboration purposes poses a huge and growing threat to health data.

An analysis by Skyhigh Networks of cloud service usage by over 1.6 million employees at healthcare providers and payers shows that a vast majority of healthcare organizations are only dimly aware of the extent of cloud service usage by employees.

Even though healthcare organizations are tightly regulated and the risks to patient health information are well understood, employee behavior with regard to cloud usage is no different from any other sector, says Rajiv Gupta, CEO of Skyhigh.

“You might think because an industry is regulated, things are more locked down,” he says. But the opposite is true: healthcare workers use unvetted cloud services to share and collaborate on sensitive health information on a scale that most organizations are completely unaware of, he says.

“The amount of data going from an average healthcare organization to the cloud each month is more than the amount of data in all of Wikipedia’s databases.”

Here are four ways the trend is putting sensitive patient health data at risk:

The Shadow IT Problem

Much of the cloud service usage at healthcare organizations happens outside the IT group’s purview or knowledge. The Skyhigh analysis showed that workers at the average healthcare organization use over 920 cloud services in the workplace. Yet the IT organization itself is typically aware of only about 60 of them.

That means on average over 860 cloud services are being used to share, store, and collaborate on health data that IT has no idea about. The risk posed by such shadow cloud services is enormous, Gupta says. “It’s surprising how far the industry is in their understanding and assessment of the potential for compromise.”

Consumer Grade Services

The vast majority of the cloud services that healthcare employees use for work-related purposes are consumer grade and offer few or none of the security controls needed to properly protect sensitive patient health information (PHI).

Skyhigh found that the average healthcare organization uses over 180 collaboration services, including those like Office 365, Evernote, and Gmail. Other popular services include those used for development purposes like GitHub and SourceForge, content sharing services like LiveLeak, and file-sharing services like Dropbox and Google Drive. On average each employee uses 26 distinct cloud services.

Yet, a bare 7 percent are enterprise ready, less than 15 percent support two-factor authentication, and 9.4 percent support encryption of data at rest.

Huge Data Volumes

The healthcare organizations that Skyhigh considered for its analysis uploaded an average of 6.8 terabytes of sensitive data to the cloud each month, a lot of it without IT’s knowledge.

Such data is increasingly of interest to malicious attackers. The intrusions at Anthem, Community Health Services and Premera Blue Cross over the past several months have highlighted the growing value of healthcare data to cybercriminals. In fact, a complete health record with a Social Security number can now fetch 20 times the price of a stolen credit card, according to Skyhigh.

In addition to the risks posed by malicious attackers, organizations may be at risk in other ways as well, Gupta says. Some cloud services, for example, require users to consent to terms and conditions that basically give ownership of the data to cloud providers. Many cloud services also track users for targeted ad delivery purposes. Such services can sometimes be co-opted by cybercriminals and used for more malicious purposes, he notes.

Hiding Risky User Behavior

The massive use of cloud services by healthcare workers makes it relatively easy for malicious insiders to conceal illegal behavior, Skyhigh said in its report. In many cases, healthcare organizations have no way to detect intentionally or unintentionally risky behavior in the cloud. Not surprisingly, though 79 percent of healthcare organizations had behavior indicative of an insider threat, only 33 percent actually detected it.

The incidence of potentially malicious, negligent or risky behavior by users in the cloud is much higher than organizations assume, Gupta says. 

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 

Comments
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:07:28 PM
Re: Nature of Source
A worthwhile point...but a safely assumed one, I think.  Any org that is not a nonprofit doing a study or releasing a whitepaper likely has a strong financial interest...
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:06:19 PM
5th way
I have a 5th way -- or, at least, a way related to the 2nd way.

A doctor I used to see had me read and sign some consent form for putting my EHR in the cloud.  I indicated that I did NOT assent to this.

Months later, I get an email saying, "Congratulations!  Your health data is now in the cloud!" blah blah blah.

I was peeved, to say the least.
douglasagray,
User Rank: Apprentice
6/27/2015 | 6:40:44 PM
Nature of Source
While I don't disagree with any of the points made, it probably wouldn't have been a bad thing to note that Skyhigh Networks is a cloud security company.