One unnamed healthcare provider's IT department thinks there are 60 cloud-based services in use throughout the campus. The actual number is 928.
Sadly, that's an all-too-common problem. The emergence of The Cloud (capitalization intended) as a quick and easy place to share and store information is making it a popular place for innovation – and abuse. And since anyone can jump on Google, pay $20 and set up their own private cloud, it's easy to see where the concerns are. And where healthcare executives and IT departments are stumbling.
"It's not that they're failing or making a mistake," says Rajiv Gupta, CEO of SkyHigh Networks. "It's that the cloud is – no pun intended – a nebulous thing."
SkyHigh is a Campbell, Calif.-based provider of cloud security and enablement services across a wide range of industries, including healthcare. Its customer base includes Aetna, Adventist Health, Torrance Memorial Medical Center, Qualcomm, AstraZeneca, Humana, Molina Healthcare, Christus Health and Australia's NSW Government eHealth network, to name just a few. The company recently released its second quarter report on cloud use within healthcare, and the results are eye-opening.
According to the report, the average healthcare network uses 928 cloud services, of which perhaps 60 are known to the IT department. That's broken down into collaboration services like Office 365 and WebEx, development platforms like GitHub and SourceForge, content sharing (YouTube, LiveLeak), social media (Facebook, Twitter) and file sharing (Google Drive, Dropbox). Digging even deeper, the average healthcare employee uses 26 distinct cloud services, including eight collaboration services, four file-sharing services, four social media services and four content-sharing services (as an aside, the most active healthcare employee who responded to the survey uses a whopping 444 cloud services).
Given that the average healthcare organization uploads 6.8 TB of data to the cloud every month, that's a lot of data put at risk. And the risks are there. According to SkyHigh's survey, only 7 percent of cloud services meet enterprise security and compliance requirements, 15.4 percent support multi-factor authentication, 9.4 percent encrypt data stored at rest, and only 2.8 percent are ISO 27001-certified.
"The problem is that (healthcare executives) don't know how many cloud services are in use across the network, and they certainly don't know how many of them or which of them are very, very risky," Gupta said. "Many of these systems I use are pretty susceptible to data being extricated. And with smart devices and connected networks in the healthcare setting, there's a multiplication of all these devices" that can access the cloud.
Which leads to what Gupta calls "data sprawl."
"The data is so dispersed that it's difficult to control," he said. "And it's not so much a specific platform as it is behaviors that put data at risk."
For example, with research indicating more than 30 percent of people use the same password in multiple places, one compromised password could set up a chain reaction of imperiled data. According to the SkyHigh survey, almost 90 percent of all healthcare organizations have exposure to compromised credentials, and 14.4 percent of healthcare employees have reported at least one stolen password.
The threats aren't only coming from outside the system. According to SkyHigh, one third of healthcare providers reported they have had an insider threat incident in the last year, but almost 80 percent of those organizations actually had behavior indicative of an inside threat in the last quarter alone. That could mean an employee knowingly accessing protected health information – either to steal and sell it or just out of curiosity – or, more likely, someone unknowingly doing something that puts the network at risk. Not all those cat videos on Facebook or sports blooper reels on the web are safe, after all.
Gupta's advice? "Go in with your eyes wide open," he said. Do a thorough analysis of all services inside the healthcare setting that touch the cloud (as well as those outside the physical setting that reach in and access cloud-based applications). Then tighten things up – and make sure employees know what is and isn't secure.
"Don't just say no," he added. "There's a lot out there that you can and can't do, but you need to understand it and get a handle on it. The IT department is often thought of as the 'Department of No,' but they can be the heroes here."


