everythingpossible - Fotolia

Healthcare cloud usage leading to security concerns

Healthcare organizations are increasing their cloud service usage, but is the cloud making them safer or creating more security issues?

As healthcare companies become an increasingly popular target for malicious actors, healthcare cloud usage has come under scrutiny as a major security concern.

Healthcare cloud adoption has accelerated recently, according to numerous reports, as organizations look both to upgrade their aging legacy systems and lower infrastructure costs. According to a 2014 study from the Healthcare Information and Management Systems Society (HIMSS), a non-profit focused on IT in the healthcare industry, more than 82% of healthcare organizations use some type of cloud services -- primarily software as a service (SaaS) and cloud applications.

But growing healthcare cloud usage has brought a variety of security concerns, most notably around unauthorized or "shadow cloud" services and the lack of protection for account credentials.

Skyhigh Networks Inc. last month released its first "Cloud Adoption & Risk in Healthcare" report, which found, among other things, that healthcare organizations use an average of 928 different cloud services and upload 6.8 TB of data to the cloud each month; the number includes enterprise cloud services, such as Cisco WebEx, Salesforce and Microsoft Office 365, as well as consumer cloud apps like Dropbox, Google Drive and Apple iCloud.

The problem with that number, according to Kamal Shah, vice president of products and marketing at SkyHigh Networks, is that -- on average -- just 60 of those cloud services were authorized by the organizations' IT departments, while the rest are being used by employees with no oversight or security. "The use of cloud services is pervasive across all industries today, including healthcare," Shah said. "And in many cases, [healthcare companies] are using a lot more cloud services than they think they are."

The Skyhigh report, which combed over data from 1.7 million cloud users across its customer base, also found that the vast majority of those cloud services lack basic enterprise security features. Just 15% of those cloud services supported multi-factor authentication (MFA); only around 9% encrypt data stored at rest.

But perhaps the most alarming findings in the Skyhigh healthcare cloud report involved compromised credentials. According to the report, nearly 90% of the healthcare organizations it studied had some type of exposure to compromised credentials. Even worse, Skyhigh's data showed that healthcare companies are at a higher risk of suffering compromised credentials than other industries, such as manufacturing, technology and telecommunications.

Specifically, the report claims that 14.4% of the 1.7 million users had at least one compromised credential, well above the 11.2% average for all vertical industries -- only financial services had a higher incidence of compromised credentials, with 15.5%. This, Shah said, is where the lack of MFA and other security measures for popular cloud services really hurts enterprises.

"It's a huge problem," Shah said. "MFA was designed to protect credentials if users' passwords were stolen, but it can't protect anything if it's not offered by the cloud providers."

Shah said he expects more cloud providers to offer MFA and encryption because enterprises are now demanding such protection, though it may take a while for adoption to ramp up.

But another problem, according to Ping Identity CEO Andre Durand, is that much of the enrollment data used for enterprise authentication doesn't change. "There are a lot of authentication vulnerabilities," he said. "When authentication enrollment is based on information like social security and birth dates that are easily obtainable and static, then the whole system is vulnerable."

That's part of why healthcare organizations have become an increasingly popular target for hackers and cybercriminals, Durand said; they can obtain personally identifiable information (PII), such as birth dates and social security numbers, through health records. And since the healthcare organizations themselves are relying on the same type of PII for authentication, it makes them vulnerable to attacks.

The combination of weak authentication and unsupervised cloud usage are a dangerous concoction of vulnerabilities for healthcare organizations, one that hospitals and health insurance firms seem to be increasingly aware of. A recent report from the Ponemon Institute LLC, "Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data," cited cloud usage as a primary security concern for the healthcare industry.

The report, which surveyed 90 different healthcare organizations, showed that 33% of respondents believe public cloud service use is a top security threat for healthcare organizations; behind only employee negligence at 70% and cyberattacks at 40%. The report also surveyed 88 business associates of healthcare organizations, and 48% of those respondents cited public cloud service use as a top threat, second only to employee negligence at 51%.

While the Ponemon report noted improvements in awareness and technology adoption from the previous year's study, it also stated that the pace wasn't fast enough to "achieve a stronger security posture" that could keep up with the increased threats. "Cybercriminals recognize two critical facts of the healthcare industry," the report reads. "[First], healthcare organizations manage a treasure trove of financially lucrative, personal information, and [second], healthcare organizations do not have the resources, processes and technologies to prevent and detect attacks, and adequately protect patient data."

Next Steps

Find out why shadow cloud services are a growing threat to enterprises

Dig Deeper on Cloud Computing Software as a Service (SaaS) Security