Blog Post

Inadequate Security Common Among Healthcare Cloud Services

Healthcare is moving increasingly to the cloud, but that doesn’t mean the deployments are always safe. In fact, 9 in 10 cloud services used in healthcare environments should be considered moderately or severely vulnerable.

Many Healthcare Cloud Services Risky

Many cloud tools used by healthcare organizations are not properly protected, as indicated by a systematic assessment http://www.forbes.com/sites/danmunro/2014/09/01/over-90-of-cloud-services-used-in-healthcare-pose-medium-to-high-security-risk/ of more than four dozen data protection features, including encryption and two-factor authentication (2FA):

77% of services are moderately vulnerable.
13% are severely vulnerable.

Much of the risk of cloud is associated with individual users. Cloud providers are typically expected to encrypt sensitive information and allow users access to 2FA, but they typically don’t demand that customers use all available safety mechanisms.

2FA is an extra security feature that many consumers and business users often avoid for the sake of efficiency. However, failing to protect each account with all mechanisms currently available can lead to disaster http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/.

It’s not all doom and gloom, of course. You just need to make sure that your users are educated and PHI is properly protected within a HIPAA-compliant, healthcare-specific cloud.

Health Data Increasingly Valuable

Beyond compliance, why do healthcare companies need to be aware of the risks of inadequately secure data? Well, unfortunately for those in healthcare IT, there is a target on the industry these days. Polls conducted by the Ponemon Institute each year revealed that the number of healthcare firms that said they were hacked at least once during the year rose from 1 out of 5 in 2009 to 2 out of 5 in 2013.

The rise was obviously dramatic between 2009 and 2013, but attacks continued to escalate last year. According to the research institute’s founder, Larry Ponemon, 2014 was a year of all-time highs both for breaches and for the total quantity of compromised patient files.

The hackers are going for the most valuable data. Amazingly, healthcare data now sells (exchanged on the black market) for 10 times the rate of credit card numbers.

In August, the FBI advised hospitals and other providers to increase their vigilance and protections when one of the biggest American hospital chains, Community Health Systems (CHS), announced that state-sponsored Chinese cybercriminals had infiltrated their system and absconded with more than 4 million records. The hack of Anthem dwarfed that of CHS, though: although the breach of nearly 80 million user accounts was announced in February 2015, insiders have noted that initial penetration occurred several months prior, in 2014.

“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” explained http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 Dave Kennedy, CEO of TrustedSEC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”

Getting hacked obviously is not an accpetable option, which is why so many healthcare companies are adopting our fundamentally compliant and secure healthcare-exclusive cloud.

Healthcare Cloud Statistics & Issues

Here is the basic state of the healthcare cloud, as highlighted briefly in the introduction:

Cloud services deployed, on average, throughout healthcare sectors – 944
Collaborative tools adopted, on average – 118
Proportion of services assessed as severely vulnerable – 13.5%
Proportion of services assessed as moderately vulnerable – 77%
Proportion of services deemed enterprise-appropriate as-is – 9%
Proportion of healthcare workforce with more than two work devices – 53%
Quarterly incidents in which data was removed en masse, per sector – 63
Quarterly data sent to severely vulnerable apps, on average – 12.4 GB
Proportion of hack attempts that take place at night (8 AM-6 PM) – 73%.

Based on those rising numbers, here are three broad elements of healthcare security – all of which can be confidently addressed with the right cloud partner:

The offensive maneuvering of criminals is outpacing the defensive tactics of many healthcare companies. Part of the reason is because those wanting to infiltrate must only find one weakness, and tech professionals are required to safeguard the complete enterprise.
“Cyber experts as a resource are in high demand ‒ and dwindling supply,” wrote Dan Munro in ForbesBrandVoice. “This doesn’t bode well for healthcare generally ‒ which has tended to downplay the importance of IT infrastructure and typically under-funds security specifically.”
What became particularly evident last year was the incredibly organized nature of attacks. Our image of hacking is of a single person, typically wearing a ski mask or constricted hoodie, doing damage with their PC (as indicated by “hacker” images on search engines and stock photo sites). But more and more, that’s not an accurate portrayal. Rather than being a single person, similar to a burglar, hackers are now considered http://www.symantec.com/theme.jsp?themeid=apt-infographic-1 “advanced persistent threats” by the security community, ranging from international cybercrime rings to state-sponsored cybersoldiers (North Korea, China, Russia, etc.).

Solution: Defending Against The Advanced Persistent Threat

When advanced persistent threats infiltrate a healthcare provider, “attackers access unprotected systems and capture information over an extended period,” Symantec described. “They may also install malware to secretly acquire data or disrupt operations.”

In these scenarios, the cost is astronomical: in the example of CHS, Munro estimates a total cost of $75 million to $150 million.

The solution to the advanced persistent threat is choosing a partner with industry-leading healthcare-optimized security and compliance: ClearDATA. We aren’t just secure. We are unparalleled – offering the only healthcare-exclusive cloud in the world.

Credentialed. Certified.

In the news

10 Tips to Shrink Attack Surface by Prioritizing Digital Hygiene

ClearDATA’s founder and Chief Privacy & Security Officer Chris Bowen gives his take on digital threats associated with the pandemic and the risks and mitigation efforts.

5 ways IT vendors put customers’ PHI at risk

Warning to technology vendors that service the healthcare industry: nearly half of serious data breaches occur in the healthcare sector and the majority are caused by a third party. There are five common ways technology vendors set themselves up – and their healthcare customers – for a data breach that could be catastrophic to patients’ privacy and the vendor’s reputation.