Healthcare News & Insights

Cloud services put patient information at risk

The cloud is the new normal for enterprise apps, with 70% of all organizations having at least one app in the cloud today, according to IDG’s Enterprise Cloud Computing Survey, 2016. Telehealth, big data management in research and patient management systems are all driving explosive adoption of cloud services in the healthcare industry. In this guest post, Shaun Murphy, CEO of a technology company that provides secure messaging and file sharing for businesses, details the risks hospital IT departments and key decision makers should be aware of and how to avoid them when using this technology.

__________________________________________________________

It’s not surprising that more businesses are now using cloud services. In general, daily business functions such as storing emails and documents, and sharing files between collaborators is easier. Files merely need to be dragged and dropped to a shared folder.

Paying to store backups in the cloud can also be more affordable than investing in physical servers. Overall, cloud services can improve daily work flow and productivity.

They can also make patient care more efficient. Telemedicine applications can be used in a variety of care environments so that patients receive the monitoring and care they need without having to visit a facility.

The question that remains, is at what cost?

Electronic patient records are highly valuable to hackers looking to profit from stolen identities. Storing these files in the cloud or even transmitting them can increase the risk for a cyber attack.

Healthcare organizations that deploy cloud services are at the mercy of the service provider’s security. While cloud storage services use many layers of encryption to protect user’s information that data is relatively exposed when it’s being transferred to and from the service. Additionally, there’s the risk of inside threats or employee errors that can lead to hackers having access to user’s log-in information.

For example, Dropbox reported a potential breach in 2016 that was believed to have occurred in 2012. Dropbox reported that 68 million accounts might have been affected by the breach, but the company wasn’t able to confirm what, if any, files might have been accessed by the attackers. Users whose accounts were involved in the breach were notified and advised to update their passwords.

Changing a password will prevent hackers from accessing a breached account in the future; however, it can’t undo damage that might have already been caused if files were downloaded when the breach initially occurred. Healthcare organizations don’t need to avoid using cloud services because the benefits of enhanced patient care and more efficient business functions outweigh the risks of a security breach. However, IT departments and key decision makers should be aware of and work to mitigate the risks of using this technology.

For starters consider this, if the cloud log-in process is simple for you – the user – it will also be easy for a hacker to replicate the steps. If all you need is a user name and password to access your content that’s all a hacker will need, too. If the cloud provider sends you an authentication email or asks you to enter a security code after you type in your password that’s better. But employees at the cloud provider or hackers who have breached the provider’s system, can bypass these secondary authentication measures. A cloud account that requires you to keep a local encryption key in addition to the above authentication items is ideal, but outside of a few messaging-type apps there aren’t many cloud services that offer this next generation of protection.

Level of encryption

Even if a local encryption key isn’t an option, understanding what level of encryption your cloud provider does offer is essential. There are a few common types that services use including in-transit, at-rest and end-to-end.

In-transit encryption means that when you move a file to the cloud between your device and the service provider’s servers your document is protected from intercept. But once your file is on the service provider’s network, anyone who has access to the network can look at the contents. Using a cloud service that only offers this level of encryption leaves your data at the mercy of the service provider’s employees. You have to trust they don’t and won’t, in the future, attempt to read your files or use them for personal gain. Also, consider that hackers who break into the network would be able to freely read anything you have saved to the cloud.

At-rest encryption means that when the cloud provider saves your data to their storage devices it’s encrypted such that if someone were to steal that storage device they wouldn’t be able to access your content. The company itself, and anyone that hacks into the company, can still access this data.

Finally, end-to-end encryption means that the content you share is protected from the device you send it from to the recipients’ devices with no way for the cloud service company or any outside threat to view it. Ideally, you want your cloud provider to implement all three types of encryption, but only some messaging apps do this. The most popular cloud storage providers typically only offer in-transit and maybe at-rest encryption.

Hybrid solutions

Obviously, when you’re making your data publicly available to third parties by storing and sharing it in the cloud, encryption is important. The biggest risk for organizations is known as “Shadow IT”. This term refers to situations where employees in healthcare organizations use whatever application or cloud service they want without any company oversight. Allowing employees to download personal software on devices also used for business creates a situation where the healthcare organization no longer has the ability to intervene or control its own data. Unauthorized services can violate regulatory compliance and leave sensitive data vulnerable to hackers.

Overall, as the use of cloud computing services continues to increase it will create more opportunities for cyber security problems. Healthcare providers who aren’t ready or able to manage these risks can consider using a hybrid cloud solution. Hybrid cloud solutions provide a way for internal teams to rapidly work on local content. If and when you’re ready to adopt the cloud, it will seamlessly integrate with your local environment. Current cloud providers take an all-or-nothing approach, you either upload your data into the cloud or you don’t access it.

The industry is starting to see success in hybrid cloud approaches, for organizations that need to store and access massive amounts of data, but don’t want to upload everything to the cloud. Whether a hybrid or traditional cloud service is right for a healthcare organization, the most important step in keeping data safe is to thoroughly research and understand the terms of services and privacy policy of a service before uploading any documents.

Shaun Murphy is the CEO of sndr, a technology company that provides efficient and secure message and file sharing for businesses without compromising control of data.

 

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.