Guest Blog by Yiannis Koukouras, TwelveSec in collaboration with HIPAA One
In our culture, something or someone is always trending. Whether it was bell-bottom jeans in the ’70s, playing Nintendo in the ’80s or watching the stock market go up and down (whenever!), trends are a lens through which we see the world. Much like trends in fashion or entertainment, our workplaces showcase various trends as well, and the healthcare information technology (HIT) community is no different. Currently, organizations migrating their data to cloud-based systems is a trend which shows no signs of slowing down anytime soon. The migration of healthcare records from being placed “in the closet down the hall” to the cloud is becoming commonplace for single-doctor practices and large health plans alike. The cloud allows organizations of all sizes to compete effectively in the new digital era and stabilize costs.
As this IT shift occurs, we can’t help but wonder: is the cloud truly secure? After all, an organization may transfer its security risks to an external provider, but does that organization understand that the responsibility for safeguarding the data cannot be transferred? For example, under HIPAA/HITECH it is the responsibility of the data owner to report the breach and assume the costs even if the breach occurred at the Business Associate (45 CFR §§ 164.400-414).
Currently the marketplace is saturated with cloud service providers. Public providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud dominate the landscape and offer cloud services at very competitive prices. Despite their brand recognition and reputation, do we have any assurance that AWS or Microsoft Azure are secure? Is the feeling of security with these companies real, or a convenient illusion?
The truth is that these public providers are very secure by design; however, they are also fragile and susceptible to common, simple and unintentional configuration errors that can lead to data leakage and/or data loss. Seat belts in automobiles are statistically proven to save lives, yet it is still up to the driver and passengers to fasten them before embarking on the next drive. Within the last two years, over 1.5 million private medical records have become publicly available through Amazon Web Services due to misconfigured security settings. The exposed data impacted organizations like Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.
Cloud Security Impacts Everyone
The common misconception is that only small organizations pay little regard to cloud security. However, two stories recently became publicly known regarding military data exposed on the Internet. The first involved “dozens of terabytes” of social media posts identifying and profiling persons of interest for U.S. intelligence, while the other involved a classified toolkit for potentially accessing U.S. military intelligence networks. Both were found on an open Amazon-hosted data silo, due to misconfigured access rights.
A large number of other data leakage stories have also made headlines recently, including major international players like Accenture, Verizon and Viacom. All of these stories have the same underlying theme: the affected companies were all placed in the awkward position of having to comment on misconfigured cloud accounts. These data breaches revealed that no cloud-deployed solution is bullet-proof; each is only as safe as its privileged users / administrators (the weakest link in this chain) allow it to be.
In an attempt to address cases like the aforementioned misconfigurations, in the 4th quarter of 2017 Amazon announced new security features and safeguards. These new features, which include data encryption and user warnings when data is publicly accessible, are a step in the right direction. However, because cloud services grow more and more complex, with new features added every day, no one can rely solely upon these new features to secure their cloud infrastructure.
Tip of the Iceberg
Because these cases were discovered on large public cloud providers like AWS, Microsoft Azure and Google Cloud, one can easily assume that any organization, regardless of size, is at risk. As IT professionals, we can only speculate about the cloud security vulnerabilities of private cloud environments, as not many cases have been analyzed in the international literature. In private cloud systems, functionality is prioritized over security. Unrelated but interdependent configurations must be sorted out in a limited amount of time, using different and possibly incompatible software vendors. These characteristics showcase just some of the potential misconfiguration threats to the confidentiality of your data in private cloud storage.
It is important to remember that all the aforementioned risks fall on healthcare providers while they try to remain HIPAA compliant, and this does not even take into account the usual risks that apply to all online content. Negligent user activity or becoming a target of cyber-criminals remains a valid risk that requires urgent mitigation.
Cloud Security in Healthcare
Whether public or private, all cloud systems should be tested in order to identify vulnerabilities in an effort to become “cyber-proof.” Any exposure of sensitive data heavily impacts the image and reputation of healthcare providers. Cloud security testing is truly a necessity and should be implemented from the very first day your organization begins saving sensitive data on a cloud system. After weighing the cost of a data exposure, the value of investing in external IT security services only increases.
At TwelveSec and HIPAA One, our group of certified consultants can offer your organization a thorough assessment of your cloud systems’ security posture. By identifying gaps and vulnerabilities that may harm your enterprise and customer data, we are able to work together to secure your systems and address the following:
- Assess the security of your cloud infrastructure,
- Review your cloud security policies and
- Test your cloud applications against unauthorized usage.
As a team at HIPAA One, we understand Platform-as-a-Service security concerns through first-hand experience. Contact us today for a free application security consultation to find the most effective way to ensure that the risks of unauthorized access to your organization’s data are minimized.