Healthcare Moves To The Cloud But Is The Cloud Ready For Healthcare?

In less than one year ‒ we’ve seen a staggering number of data breaches in healthcare. Almost 96 million records were stolen in just 3 high‒profile cases alone ‒ Community Health Systems (4.5 million), Anthem (80 million), and Premera (11 million).

[Disclosure ‒ our family is among those at possible risk through the Anthem breach]

Last month saw another health data breach representing one of the earliest (1995) cloud vendors in healthcare ‒ NoMoreClipBoard.com.

Fort Wayne-based Medical Informatics Engineering (MIE) said the attack on its main network and its NoMoreClipboard network began May 7 and wasn’t detected until May 26. The exposed information includes names, addresses, birth dates, Social Security numbers and health records, it said. St. Francis affected by hacking of medical software company ‒ IndyStar

The risk of electronic health data has clearly been growing and we should expect to see more. The value of the health data is exponentially larger than a stolen credit card and the brief warning on MIE’s website is typical of those who are responsible for protecting our most sensitive data.

Medical Informatics Engineering has been the target of a sophisticated cyber attack. MIE website

The implication, of course, is that the “sophisticated cyber attack” overwhelmed their defenses and there was simply nothing that anyone could have done to prevent the onslaught. The public will never really know what happened, of course, as the post‒breach forensic analysis is always heavily cloaked under terms of legal non‒disclosure (either directly through law enforcement or cyber consulting firms paid to analyze the carnage).

Going forward, the only real consequence for companies that have been breached is a marketing effort to assuage any public indigestion and then internally to try to close the proverbial barn doors technically. Those marketing efforts almost always include a phrase like the one in the notification letter on MIE’s website.

We take the security of health information very seriously and understand that such incidents cause real concern. MIE website

The value of health data also transcends the technical means used to manage and protect it. Today, the larger health data stores are often held in software solutions that are on-site (known as on-premise), but the use of cloud services ‒ where data stores are managed by 3-party hosting providers ‒ is growing and cloud solutions (like MIE) are not immune from “sophisticated cyber attacks.”

There are four reasons we should all be concerned.

• Privacy may well be dead, but trust isn’t and trust is finite.
• Medical data is lifelong and has serious clinical consequences ‒ along with financial ones.
• Motivated attackers have a big advantage over all defenders of every size. Attackers only need to exploit one vulnerability once whereas defenders need to protect against all attacks ‒ all the time.
• The latest techniques for cyber theft at scale are much less about breaching networks from the outside ‒ and all about social engineering with sophisticated tools to capture privileged access from the inside.

This last one is a game changer and also means that the “cloud” as a delivery mechanism for applications is no vaccine against motivated attackers. Consumer cloud services like LinkedIn, Snapchat, Zappos, Evernote, Adobe, Kickstarter, eBay, Uber, iCloud and LastPass have all had significant data breaches. The LastPass breach (here) is notable as a cloud-based security solution for helping consumers to manage passwords ‒ in the cloud. NoMoreClipboard is simply among the first in healthcare to join the list as a cloud solution.

A recent report by Skyhigh Networks (here) suggests a staggering number of cloud services in use at most healthcare organizations. While the average number of cloud services in use has decreased from last year, the sheer number ‒ 928 ‒ will come as a surprise to many.

Almost 93% of these cloud services (about 863 of the 928) pose a medium or high security risk to the healthcare organization.

The report shows that employees everywhere, even in the most locked-down organizations, are the same — they all use cloud services in order to get their job done most efficiently — and don’t often take permission from their IT departments when using cloud services.  Organizations have the choice to ignore this need, to make a futile attempt to block the use of all cloud services, or to recognize this need, understand the risks of specific cloud services, and coach their employees to use enterprise-ready cloud services.  Whatever approach organizations take, this report also shows that organizations are subject to more insider threat and compromised account incidents than they are aware, and that they therefore need to track the use of all cloud services (sometimes referred to as “to shine a light on Shadow IT”) in order to detect and prevent company confidential data from inappropriately leaving the organization over a cloud service. Rajiv Gupta – CEO at Skyhigh Networks

The VENOM bug discovered earlier this year was a code vulnerability that’s existed in virtualized servers (in wide use everywhere ‒ but a dominant technology in hosted solutions) for 11 years. Like Heartbleed ‒ the SSL vulnerability discovered last year ‒ the vulnerability is in an open‒source component (QEMU) included in a number of virtualization platforms like Xen and KVM.

The simple route to exploiting this vulnerability is for an attacker to buy space on a cloud hosting provider. From there, he can use the vulnerability to escape the VM he’s running and move laterally among the other VMs on that host. The attacker may then be able to access the local network running the host and get to sensitive data stored there. ‘VENOM’ Flaw in Virtualization Software Could Lead to VM Escapes, Data Theft ‒ May, 2015

Sophisticated hacking isn’t just against low‒level software vulnerabilities either. The threat inside the proverbial firewall is growing and often easier than hacking through complex technical defenses. An Insider Threat Report from June of this year highlighted the types of applications most vulnerable to either malicious or careless insider threats. At 43%, cloud storage and file sharing apps represented the 2nd highest perceived vulnerability in the survey.

When speaking about threats that originate from inside the perimeter – the insider threat – the focus must be on detection.  If we can detect inappropriate activity or behavior, we can respond to it and mitigate the damage.  Too often the challenges associated with attempting to stop attacks cause organizations to wrap themselves around the prevention axle, and they find themselves paralyzed by the difficulty associated with preventing someone from using authorized access in an unauthorized way.  Mike Tierney – COO at SpectorSoft

A recent example of this insider threat is trojan software that uses innocuous image files to deliver malicious software and is specifically targeted at healthcare.

Most victims of the Stegoloader Trojan, which has recently been making its rounds in the news, are observed to come from healthcare organizations in North America.  The malware known as TROJ_GATAK has been active since 2012 and uses steganography techniques to hide components in .PNG files. US Healthcare Organizations Most Affected by Stegoloader Trojan ‒ Trend Micro, June 2015

The effect of all the data breaches and lack of privacy on fundamental trust is chilling.

More than half of Americans say if they could start fresh they wouldn’t join social media at all and 75% may go off the grid if major digital security breaches continue. USA Network “Nation Under A-Hack” Survey Results ‒ June 23, 2015

Cloud services are increasingly popular with healthcare organizations ‒ and they do offer distinct security advantages compared to on‒premise solutions ‒ but they are not impervious to attack (either internally or externally). That’s especially true when it comes to the most personal and valuable data of all ‒ our health data.

Source: Forbes