Cloud Security , Governance & Risk Management , Healthcare
Cloud Assumptions and Misconfigurations Threaten Healthcare Security
Common Cloud Assumptions and Takeaways for Healthcare OrganizationsAs healthcare providers and vendors migrate their infrastructure and services to the cloud, they gain benefits such as increased flexibility, scalability and optimized patient data access and sharing. But several common assumptions about cloud security are jeopardizing the security and privacy of electronic patient health information, ePHI and other sensitive data.
See Also: How to Take the Complexity Out of Cybersecurity
Many healthcare organizations lack skilled cloud security professionals and rely on default settings for meeting their requirements. Such misconfigurations and a lack of awareness regarding the shared responsibility model between cloud service providers, CSPs and healthcare entities expand the attack surface, increasing the risk for potential breaches.
In fact, 40% of data breaches involve data stored across multiple environments, with breaches of data stored in public clouds having the highest average breach cost at more than $5 million. More than 80% of organizations experienced a cloud breach in the last 18 months, while 25% fear they have had a cloud breach and aren't aware of it.
To better understand these cloud risks, healthcare organizations should re-examine and learn from these cloud realities to improve security practices.
Common Cloud Assumptions
Assumption 1: A cloud environment is like a corporate network. We can use the same on-premises infrastructure assumptions to manage the cloud. For example, deploying an MS-SQL virtual server instead of using native Azure SQL services.
Reality: Cloud environments operate under different operational and technical rules and have different benefits. Networking is more nuanced, and lifting systems such as MS-SQL directly to the cloud can be cost-inefficient and prevent leveraging security and scalability options available with native services such as Azure SQL. Operational assumptions also vary depending on the cloud platform, so understanding your specific provider is crucial.
Assumption 2: Cloud access controls are similar to on-premises controls. I don’t need to monitor the environment as my cloud provider will.
Reality: Plenty of cloud security controls are available, but many are designed primarily to protect the provider, not the client. It is the organization's responsibility to properly configure them and monitor for changes. Hackers often target cloud systems and administrators with privileged access, so MFA and privilege access monitoring are strongly encouraged.
Assumption 3: My cloud provider optimizes for cloud security and compliance with their default settings.
Reality: Core features are set for cost optimization to the provider, which are not usually HIPAA compliant. We see logging limitations or inadequate coverage to address proper risk management. While cloud is great for performance and scalability, compliance and security controls must be properly implemented and actively managed.
Assumption 4: We don’t need operational formalities such as change and user management for our cloud environments.
Reality: Poor cloud controls lead to misconfigurations and changes that expose healthcare organizations to risk, especially for internet-facing systems. Cloud provides the speed to move quickly but still requires configuration reviews, vulnerability management, penetration testing, and user and identity access management.
Assumption 5: Choices made during development won’t be promoted into our production environments. My cloud provider will address insecure API configurations and limit development access and backend configurations.
Reality: Many cloud APIs are insecure, aren’t necessarily tested and should be reviewed for their risk exposure potential. But this is not the function of cloud providers. They enable development systems, services and functions to expedite DevOps. Healthcare application developers and organizations need built-in security and monitoring even in such environments. The challenge is leveraging the suitable flexibility and development configurations that align to, and incorporate, the required security and compliance objectives.
Key Cloud Takeaways
These misconceptions highlight the need for cloud-specific security expertise to reduce risk across the healthcare industry. Here’s what healthcare organizations can do:
- Include cloud environments in your overall risk analysis - not just infrastructure but also SaaS, APIs or other cloud-based services.
- Take inventory of your internal team’s cloud security and compliance skills. Provide training and certification opportunities to elevate those who inherently understand your business risk.
- Partner with a third party to assist with security and compliance oversight and gap assessments. Evaluate their cloud security knowledge and capability to provide ongoing programs designed to help you meet your current and long-term goals.
- Use a trust-but-verify guidance across all your cloud environments and programs:
- Implement zero trust policies and procedures;
- Enable least privilege access and other role-based user and identity access management controls;
- Authenticate first, then enable access;
- Enable robust logging and monitoring to detect a threat or anomalous behavior quickly.
- Use security-as-a-design constraint across cloud. Consider it a feature - not an obstacle - that can elevate your organization as a leader in protecting patient safety and healthcare data privacy and advancing healthcare innovation.