In May, hackers broke into the networks of an Indiana-based medical software company. Other than a few reports in the AP and industry trades, the hack has not received the kind of news coverage that more recent digital break-ins have received, such as the one against the Office of Personnel Management. Yet the company, Medical Informatics Engineering (MIE), operates more than 300 medical centers in 38 states[i]. The company believes that the compromised data includes patient names, mailing and email addresses, Social Security numbers and sensitive medical records.
The attack against MIE is notable for another reason, too. The hackers also broke into the company’s cloud-service, NoMoreClipBoard, which allows patients to access their medical information remotely. Although the company informed cloud users to take steps to protect their account, it hasn’t revealed how many patients, or what type of data, was affected. But the attack should send shivers down the spine of the healthcare industry, as well as patients, which have come to rely quite heavily on cloud-based services.
In recent years healthcare organizations have begun to move their storage and computing capabilities to the cloud, almost en masse. For an industry infamously short on resources and dollars the migration makes perfect sense. Indeed, the cloud computing market in healthcare is expected to grow 20.5 percent compound annual growth rate to reach $9.48 billion by 2020. But this phenomenal growth doesn’t come without some security pains.
According to a recent report from Skyhigh Networks, the average healthcare organization uses 928 cloud services. Meanwhile, the report notes, the average healthcare employee uses 28 cloud services during the course of a day. The sheer number of cloud services in use presents an obvious security risk, but Skyhigh warns that only 7 percent of those 928 services meet its enterprise security and compliance requirements[ii]. Put another way, 93 percent of these cloud services are a security risk to the healthcare organization.
The standards for a secure cloud service vary depending on it clients, but there are three main areas. First, a cloud service should be have client-side encryption of data, which both protects files on the local hard drive as well as in the cloud. Second, a secure cloud service should offer multi-factor authentication to add an extra layer of access control for all users. Finally, a secure cloud provider should either provide data loss prevention tools to protect the stored data or allow an organization to extend its DLP protocols to the cloud. In both cases, the organization is alerted immediately the moment a user attempts to send sensitive files to an outside source.
Adding to the danger is that hackers are targeting healthcare organizations more than ever. According to the Workgroup for Electronic Data Interchange (WEDI), which is a coalition of hospitals, pharmacies, vendors and clinicians, hackers compromised approximately 37 million healthcare records between 2010 and 2014. In the first four months of 2015, more than 99 million records have been exposed in 93 separate attacks[iii]. The reason for the increase? Money of course.
Unlike a credit card number, which rarely is the only piece of data someone needs to steal an identity, medical records contain a wealth of personal identifiable information. A hacker with his hands on a credit card number might make some money from it; a hacker with a medical record almost certainly will. This growing awareness of the value of medical records has increased their price on the black market to $20 per record compared to $2 per credit card number, according to WEDI.
The NoMoreClipBoard attack must serve as a warning to all healthcare organizations that it’s time to get serious about cloud security. Some organizations might take comfort in thinking that working with a HIPAA-compliant cloud service takes care of their problems. But the most recent HIPAA rulemaking, which went into effect March 2013, is already three years old. That’s a lifetime in the cyber-security world. Moreover, even when the HIPAA rules governing cloud services were established, there was nothing that said the data held in the cloud had to be encrypted[iv]. In short, HIPAA puts the onus of security on the provider, not the cloud service.
Besides, the cyber-crooks have moved well beyond the tactics HIPAA was designed to thwart. An Insider Threat Report found that cloud storage and file sharing apps are the second highest perceived vulnerability[v]. In fact, the latest techniques for cyber theft are much less about breaching networks from the outside, such as through the cloud service, than they are exploiting holes inside an organization, particularly from careless employees.
Healthcare organizations concerned about their cloud security (read: all of them), must first do an audit on all of their cloud providers. With the average organization using almost a thousand of them, this might take some time. But the demand for cloud services grew so quickly over a very short period that providers had to sacrifice security to come online.
The swift and relentless assault against healthcare organizations has caught the industry off guard. But now they know that that security measures like HIPAA won’t fully protect their highly prized medical data. Until more stringent security regulations govern cloud services, organizations will have to take the security of their data into their own hands.