April 27, 2016
Most hospitals have officially embraced at least some cloud services, such as Microsoft 365, and been diligent in determining that vendors can be signed and sealed Business Associates under HIPAA. Microsoft has provided BA agreements for years that outline its security responsibilities.
But the big picture of healthcare’s cloud app usage includes widespread unmonitored employee and departmental adoption of popular commercial apps like Dropbox, Evernote and Smartsheet. And these are the tip of the iceberg. The average healthcare organization uses an astounding 928 cloud services, according to a mid-2015 Skyhigh study. In case you’re stunned, IT departments must feel the same, since they estimated only 60 services. What is going on here?
As a quick preamble, while HIT surveys normally rely on self-reporting, Skyhigh, a top cloud security broker and research organization, used actual usage data for over 1.6 million employees of healthcare providers and payers. The bottom line is that employees bring cloud services into their work places for increased productivity and sometimes personal enjoyment without the knowledge of IT. Services vary from collaboration tools such as Gmail and Evernote, to development tools like SourceForge and Github, to content sharing services like YouTube and LiveLeak, to social media (Facebook, Twitter, LinkedIn) and file sharing such as Google Drive and Dropbox.
Are we really surprised? It’s time to acknowledge the extraordinary level of immersion in online resources of our healthcare employees — not unlike our entire population. Says Skyhigh: “The average healthcare employee uses 26 distinct cloud services including 8 collaboration services, 4 file-sharing services, 4 social media services and 4 content sharing services.” Many of these services promote work quality productivity, though other apps do not.
In either case, how is your hospital’s security at risk when an employee uses them? Cyber criminals monitor cloud services to determine what sites healthcare employees like to frequent. Criminals compromise the sites if they can in order to ultimately compromise a targeted healthcare organization in what is known as a “watering hole attack.”
Here’s just one way this works, and it’s so simple that it is humbling. When a data-heavy cloud-based organization experiences a data breach, user passwords are among the first casualties. For example, eBay had to prompt 145 million users in 2014 to change their passwords after account credentials were compromised. University of Cambridge research by Joseph Bonneau shows that at least 31% of passwords are reused in multiple places. When the average healthcare employee is using 26 different cloud services, chances are good that one overused password could put a criminal in the driver’s seat — inside the hospital and, perhaps, inside a system containing PHI.
Unconvinced? Another potential source of cloud-based data access is APIs, software building blocks that are used to connect to other software. An example is that an employee may connect his or her Facebook account to Dropbox, so it can automatically save the most recent content posted. If the Facebook account gets compromised, the same will happen to the Dropbox account, which may well contain private information — hopefully not PHI.
Do these dangers indicate your organization should flatly outlaw adoption of cloud services by employees? Probably not, unless you plan to spend millions to enforce it. Your employees are using these applications and services in the often justifiable belief that they support better job performance. Your staff will continue to find applications that work for them: task management, team collaboration, automated spreadsheets, and much more. This kind of unauthorized but often harmless and productive activity is so common that security experts have given it a name: “shadow IT.”
The control that IT organizations once had over enterprise IT is gone; I would argue that it never existed. Regardless, this puts your IT and security team in a difficult position. IT’s job isn’t to hold your organization back from being able to quickly adapt and innovate, but it must ensure security across the enterprise. What should you do? Establish a cloud application strategy, including policies and procedures:
1. Learn what applications are being used.
Knowledge is the beginning; monitor network traffic and identify what cloud applications are in use and how prevalent they are. If you don’t have software that will accomplish this, you should.
Many cloud services meet HIPAA requirements, but many have unacceptable levels of risk. Dropbox, as an example of the former, announced in November 2015 that it is HIPAA-compliant. Salesforce’s Health Cloud patient relationship tool “has built-in tools to facilitate adherence to HIPAA Requirements.” Other tools may meet your hospital’s risk threshold but cannot prevent your staff from populating them with PHI. For example, the popular Evernote appears to have strong security backbones, but you will have to establish strong guidelines prohibiting employees from posting PHI. Other tools may be high-risk cloud applications that your IT department can block and notify employees of their prohibition.
Even the riskiest applications are often used by well-meaning employees. Few employees knowingly move sensitive data to their own devices or cloud-based tools for criminal purposes. If your IT staff watches and analyzes cloud activity for naively risky activities as well as suspicious movements, the results will be critical to developing a strategy for migrating toward sanctioned cloud apps and providing employee-friendly training.
Your IT / security team can eliminate unsafe apps, and still enable employees to utilize safe and productive cloud-based tools. Review, assess, and approve/disapprove your employees’ most commonly used cloud-based apps in a measured, security-focused manner. Because technologies and applications are constantly increasing, provide a documented process for employees to request approval to use new cloud services, and create a track record of fast review and approval. If that effort is transparent, your users will recognize that IT’s motives are aligned with organizational objectives and concerned with empowering employees while minimizing security risks.
IT should be able to to identify approved cloud services and communicate its list to employees, based on their roles. It should periodically update the list, and provide usage standards like not recording PHI and proprietary business information, and provide associated training. A big benefit to absorbing this responsibility is that users will have no excuse to circumvent the rules, thereby lowering your organization’s overall security risks.
From our experience, most hospitals don’t have the kind of cloud app risk mitigation program described above. Instead, they are doing little or nothing to understand and address what has become a ubiquitous reality. We need to establish a middle ground that allows employees to take advantage of valuable popular services while maintaining our hospitals’ data security.
To get into the weeds on hospitals’ security risks and strategies for mitigating them, please consider contacting us.