Top Cloud Security Risks for Healthcare
by VPNHaus | 05/28/2019
Healthcare already has some of the most varied and complicated IT environments of any industry.
Telemedicine, gene sequencing, patient electronic healthcare records (EHRs), radiology and digital imaging are just some of the constantly expanding IT-based applications in healthcare.
Together, these systems generate huge volumes of highly sensitive data on a daily basis.
Storing this data in the cloud lets technicians remotely access pools of information for detailed analysis or for ground-breaking research. Among the numerous benefits are flexibility and scalability as well as time and cost savings.
Healthcare providers, however, must also operate within strict regulatory constraints. This forces them to approach emergent technologies such as cloud services with painstaking care.
Notwithstanding, a growing number of medical professionals are adopting these services for accessing and sharing information over the Internet.
In these circumstances, guaranteed security and privacy for patient data is paramount.
Enterprise-grade virtual private network (VPN) software encrypts all communications between multiple endpoints and geographic locations as it passes over the Internet.
A VPN renders the data unintelligible to unauthorized observers. Data integrity and privacy is consequently assured.
Information technology is transforming the healthcare industry.
The benefits can be measured in more effective treatments, lower operating costs and greater efficiency in how patient data is managed.
Much of this change is underpinned by a greater willingness to adopt cloud services.
A 2017 study by Commvault found the majority (60%) of healthcare organizations exploiting cloud services for backup/disaster recovery and around half (51%) for essential clinical applications/data.
Further evidence of cloud’s growing importance to healthcare came with the announcement in January 2018 that the UK’s National Health Service (NHS) was officially extending its use of US-based cloud providers to store patient data.
Forecasters in May 2019 have predicted the healthcare cloud computing market worldwide will reach $40 billion by 2026.
Data from EHRs, billing records, clinical trials and experimental research is highly prized by cybercriminals and other attackers.
As cloud services spread, the connected systems of healthcare organizations face security risks in a number of key areas including:
1. Unprotected IoT Devices
IoT devices in the form of smart wearables for monitoring a variety of conditions like cancer, diabetes, heart disease and asthma are entering the fabric of day-to-day hospital life.
A great many IoT devices still do not feature security built-in by design.
Yet, they are in constant contact with core IT systems such as workstations, network printers, servers, tablets and so on.
In effect, healthcare organizations are expanding their attack surface. This is expected to encourage cyberattackers to intensify their efforts to find weak points in their defenses.
Acording to reports, 30% of healthcare cybersecurity incidents in 2019 will be attacks on IoT equipment.
In 2017, there were 50,000 attacks. This year the figure is estiimated to be 300,000 – a rise of 500%.
2. Insider Privilege Abuse
According to the 2018 Protected Health Information Data Breach Report (PHIDBR) from Verizon, one of the top risks arises from insiders misusing their systems privileges.
The study attributed 58% of breach attempts to insiders.
A 2019 study by Carnegie Mellon University describes the most common insider incidents as receiving/transferring funds (25.8%) and misuse of systems privileges (24.2%).
In such incidents, the actors try to cover their tracks – either by modifying log files, using a compromised account or creating an alias.
Undetected, there is a real risk this kind of activity may open up new security vulnerabilities for attackers to exploit.
3. Insufficient Segmentation
Medical devices must be kept regularly patched with software updates. It’s a logistical nightmare.
The most productive way to do this is remotely, albeit with appropriate security measures in place.
Industry experts agree one of the best ways to enhance overall security is to keep different parts of the IT infrastructure separate.
It appears that organizations often struggle to understand and implement the basic principles of network segmentation effectively.
Best security practice recommends that groups of IoT equipment and medical devices be kept segmented from the network overall.
This improves the chances of a successful attack being detected and contained locally. Without proper segmentation its effects could spread and cause serious harm elsewhere.
4. Legacy Vulnerabilities
Healthcare organizations still rely heavily on legacy IT systems. New technologies may be more cost effective in the long run but they are hard to justify in the face of short term budget constraints and ongoing compliance factors.
Adding cloud services into this mix introduces fresh risks. For example, legacy systems may run on obsolete machine code. Their designers never envisaged they might one day be joined up with wider systems or communicate extensively with future generations of equipment and devices.
Wherever the old joins up with the new it creates a point of vulnerability that must be fully addressed and locked down.
In accordance to guidance produced by the National Institure of Standards and Technology (NIST), no patient information should be stored or transmitted in an unencrypted form and strict controls should be in place to guard against unauthorized access to encryption keys.
Using enterprise-grade VPN software allows healthcare organizations to securely manage cloud-based remote communications with systems and devices across the board.
A VPN’s encrypted connections allow sensitive data to pass securely and in complete privacy over the public Internet.
In summary, as cloud services gain traction in healthcare, encryption is a well-established defense against those risks described above.
Cloud-based VPN services can help healthcare organizations mitigate these threats.
VPNs enable them to securely manage their remote connections and guarantee the privacy of their interactions with fellow professionals, systems and devices over the web.