
4 Ways Cloud Usage Is Putting Health Data At Risk

A huge shadow IT problem is just one of the risks of uncontrolled cloud usage in healthcare organizations, new study shows.

The prolific manner in which healthcare workers use cloud services for storage and collaboration purposes poses a huge and growing threat to health data.

An analysis of cloud service usage of over 1.6 million employees at healthcare providers and payers by Skyhigh Networks shows that a vast majority of healthcare organizations are only dimly aware of the extent of cloud service usage by employees.

Even though healthcare organizations are tightly regulated and the risks to patient health information are well understood, employee behavior with regard to cloud usage is no different from any other sector, says Rajiv Gupta, CEO of Skyhigh.

“You might think because an industry is regulated, things are more locked down,” he says. But the opposite is true, he says. Healthcare workers use un-vetted cloud services to share and collaborate with sensitive health information on a scale that most organizations are completely unaware of, he says.

“The amount of data going from an average healthcare organization to the cloud each month is more than the amount of data in all of Wikipedia’s databases.”

Here are four ways the trend is putting sensitive patient health data at risk:

The Shadow IT Problem

Much of the cloud service usage at healthcare organizations happens outside the IT group’s purview or knowledge. The Skyhigh analysis showed that workers at a healthcare organization use over 920 cloud services in the workplace. Yet the IT organization itself is typically aware of only about 60 of them.

That means on average over 860 cloud services are being used to share, store, and collaborate on health data that IT has no idea about. The risk posed by such shadow cloud services is enormous, Gupta says. “It’s surprising how far the industry is in their understanding and assessment of the potential for compromise.”

Consumer Grade Services

The vast majority of the cloud services that healthcare employees use for work-related purposes are consumer grade and offer few or none of the security controls needed to properly protect sensitive patient health information (PHI).

Skyhigh found that the average healthcare organization uses over 180 collaboration services, including those like Office 365, Evernote, and Gmail. Other popular services include those used for development purposes like GitHub and SourceForge, content sharing services like LiveLeak, and file-sharing services like Dropbox and Google Drive. On average each employee uses 26 distinct cloud services.

Yet, a bare 7 percent are enterprise ready, less than 15 percent support two-factor authentication, and 9.4 percent support encryption of data at rest.

Huge Data Volumes

The healthcare organizations that Skyhigh considered for its analysis uploaded an average of 6.8 terabytes of sensitive data to the cloud each month, a lot of it without IT’s knowledge.

Such data is increasingly of interest to malicious attackers. The intrusions at Anthem, Community Health Services and Premera Blue Cross over the past several months have highlighted the growing value of healthcare data to cybercriminals. A complete health record with a social security number can now fetch 20 times the price of a stolen credit card, according to Skyhigh.

In addition to the risks posed by malicious attackers, organizations may be at risk in other ways as well, Gupta says. Some cloud services, for example, require users to consent to terms and conditions that basically give ownership of the data to cloud providers. Many cloud services also track users for targeted ad delivery purposes. Such services can sometimes be co-opted by cybercriminals and used for more malicious purposes, he notes.

Hiding Risky User Behavior

The massive use of cloud services by healthcare workers makes it relatively easy for malicious insiders to conceal illegal behavior, Skyhigh said in its report. In many cases, healthcare organizations have no way to detect intentionally or unintentionally risky behavior in the cloud. Not surprisingly, though 79 percent of healthcare organizations had behavior indicative of an insider threat, only 33 percent actually detected it.

The incidence of potentially malicious, negligent or risky behavior by users in the cloud is much higher than organizations assume, Gupta says. 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:07:28 PM
Re: Nature of Source
A worthwhile point...but a safely assumed one, I think.  Any org that is not a nonprofit doing a study or releasing a whitepaper likely has a strong financial interest...
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:06:19 PM
5th way
I have a 5th way -- or, at least, a way related to the 2nd way.

A doctor I used to see had me read and sign some consent form for putting my EHR in the cloud.  I indicated that I did NOT assent to this.

Months later, I get an email saying, "Congratulations!  Your health data is now in the cloud!" blah blah blah.

I was peeved, to say the least.
User Rank: Apprentice
6/27/2015 | 6:40:44 PM
Nature of Source
While I don't disagree with any of the points made, it probably wouldn't have been a bad thing to note that Skyhigh Networks is a cloud security company.