New Research Highlights Gap Between Real-World Usage and HIPAA Obligations
Today, we released our first-ever Cloud Adoption & Risk in Healthcare Report, with anonymized cloud usage data from over 1.6 million employees at healthcare providers and payers. Unlike surveys that ask people to self-report their behavior, our report is the first data-driven analysis of how healthcare organizations are embracing cloud services to reduce IT cost, increase productivity, and improve patient outcomes. However, while the cloud has transformed the way healthcare organizations operate and deliver service to their patients, companies are still responsible for ensuring the security of sensitive patient data.
IT may be vigilant in evaluating whether sanctioned cloud services meet organizational policies, but employees can bring cloud services into the workplace on their own. These services, unknown to the IT department and referred to as shadow IT, contribute to an industry average of 928 cloud services in use per company. Security teams are responsible for sensitive data uploaded to these cloud services, but IT is typically aware of only 60 cloud services in use – less than 10% of the total. In addition to maintaining compliance with internal policies, regulations like HIPAA and HITECH require that healthcare companies secure protected health information (PHI) even as it migrates to the cloud.
Healthcare organizations have come under fire as the targets of an increasing number of criminal hacks in the past year. The number of healthcare records exposed in the last 12 months now totals 94 million, led by blockbuster breaches at Anthem and CHS. This flurry of attacks is driven by the high price healthcare records fetch on the black market. At an average of $50 per record, an individual healthcare record is worth more than a US-based credit card and a personal identity with a social security number combined.
Considering that the healthcare industry is highly regulated and handles some of the most sensitive and personal data about individuals, many statistics from the report are troubling. Download the full report to read all the findings.
Only 7.0% of cloud services are enterprise ready
A mere 7.0% of cloud services in use meet enterprise security and compliance requirements. The average healthcare organization uploads 6.8 TB of data to the cloud each month. That’s more than all of Wikipedia’s archives (5.64 TB)! Just 15.4% of services support multi-factor authentication, a key line of defense in preventing unauthorized access to sensitive data.
Silos of Collaboration Uncovered
The cloud is a revolutionary technology for enabling collaboration between employees, but too many cloud services in use can actually be an impediment to collaboration. The average healthcare company uses 188 collaboration services. We call the ensuing phenomenon “silos of collaboration,” in which employees have difficulty sharing data because there are so many different cloud services in use. Paid licenses for redundant services can also unnecessarily drive up costs.
Undetected Insider Threats
Enterprise-ready cloud services can offer even better security capabilities than on-premises solutions, but even secure cloud services can be used in risky ways. The majority of insider threat incidents are quiet and may not be discovered immediately, if ever. With healthcare records so valuable on the black market, especially for patients with certain status or conditions, hospital employees may choose to sell records they have access to. We compared perceptions of insider threat with reality and found that 33% of healthcare companies surveyed reported an insider threat incident in the last year, but 79% of companies had usage behavior indicative of an insider threat.
Employee Passwords on the Loose
There were more software vulnerabilities discovered and more data breaches in 2014 than in any other year on record. The result is that many users now have their login credentials for sale on the darknet. In fact, 14.4% of all healthcare employees have a login credential for sale online, exposing 89.2% of organizations. A single health insurance company had 9,932 credentials for sale on the darknet.
Cloud Hyperconnectors in Healthcare
Cloud services are now the main way that employees collaborate across different companies. We discovered that a selection of cloud services, called “cloud hyperconnectors,” were responsible for enabling a large number of these connections. In the customer service category, these services were Zendesk, Salesforce, and Needle. The cloud hyperconnectors in the file-sharing category were ShareFile, Box, and Egnyte. In the collaboration category, the top connecting services were Cisco WebEx, Office 365, and Basecamp.
The Most Prolific Cloud User
How much can a single employee rely on the cloud? We spotlighted one prolific healthcare employee who uses more cloud services than anyone else. The average employee uses 26 cloud services, but the most prolific cloud user actually employs an impressive 444 cloud services including 97 collaboration services and 74 social media services. A surprising 30.6% of these services were high-risk – much greater than the industry average of 5.6%.
These findings are a wake-up call for IT in healthcare organizations: employees are using cloud services now, regardless of sanctioned applications or policies prohibiting cloud use. IT’s new role is to enable secure cloud use, helping employees navigate the cloud while complying with organizational security policies.