When Ermetic, a cloud access security risk company, opened its doors in 2019, one of the first things the company did was conduct a survey to ascertain the most significant cloud-related security concerns and whether businesses were able to keep their data safe in this environment. More than three quarters of the 300 respondents had a cloud data breach in the past 18 months; almost half had at least 10 cloud breaches during that time. Amy Ariel, Chief Marketing Officer at Ermetic, which has headquarters in Palo Alto, California, and Tel Aviv, Israel, said it was “amazing” to see people admitting to those kinds of numbers, but not shocking those breaches were occurring.
“We know that the cloud is very exposed and is an open invitation and hackers are trying to get there,” she said. “In an industry where data is of value, the number of potential breaches will be high because the number of attempts is so high.”
It is important that healthcare providers understand they can be, at least in part, responsible for reducing the risk to information stored in the cloud. Both covered entities and business associates need to follow HIPAA procedures through a shared responsibility model.
Basic Security Hygiene
There are several things a provider can do to diminish the chances data stored in the cloud will be breached, and they are all just generally smart HIPAA practices.
First is password security. Do not have sticky notes with passwords lying around the office and do not use shared passwords. Using multi-factor authentication can also help reduce the chance of unauthorized people accessing others’ accounts. It is also wise to require staff to change their passwords on a regular basis.
Any computers that can access information in the cloud should have anti-malware and antivirus software installed as well, said Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services at Clearwater Compliance, a healthcare cyber risk management company based in Nashville, Tennessee. Encryption is also recommended so protected health information is difficult to read if a system does get breached.
Shared Responsibility
It is incumbent upon any organization that has information stored in the cloud to be sure they understand their responsibilities and have the staff to do what is needed for their security tasks.
The only way to know this for sure is to understand the type of cloud model that is being used. The 3 main models are platform as a service, infrastructure as a service, and software as a service. Each of these comes with a different shared security model, so healthcare providers have varying roles and responsibilities depending on the model they are using.
“Practices need to be aware of that, or they could get themselves into a jam,” Moore said. “They need to have the confidence that they are going to be able to meet their security responsibilities, and if they can’t, they need to stay away from the cloud.”
Major cloud providers, like Amazon Web Services or Microsoft Azure, have a lot of safety built into their programs, Moore said. But providers still need to know what to do with the various features. For instance, Azure has an add-on that monitors cloud environments, but practices must have staff who can track the logs that record potential problems and respond to alerts sent by the program.
Major Risks
In the Ermetic study, security officers were asked about the major risks to data in the cloud. The top 3 were security misconfiguration, lack of insight into access settings and access management, and permission errors. Access appears to be as much of a risk in the cloud as it is in traditional environments.
“Anyone who works in security understands excessive access is the biggest risk to data today,” Ariel said. “They can’t steal what they can’t access. Practices need to make sure the crown jewels are sealed off.”
Understanding who has access to different systems can be a challenge in the cloud. It is not easy to create least privilege access for staff (that is, ensuring people can only get into systems they are required to use and only see the data they need).
Determining who has access to what systems can be done manually using tools in a cloud environment, but it is difficult to do on a large scale, Ariel said. Ermetic has a product that can analyze staff policies and audit logs to show the data access they have. It also can be used to reduce excessive permissions.
Cloud environments are complicated, and Ariel said clients are consistently surprised when the product shows all of the places where staff has excessive access to data. Staff need only the minimum amount of access to get their jobs done. This may be to keep employees out of records they should not be seeing. More importantly, this limits the information a hacker can access if they infiltrate a system through an employee’s credentials.
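The kind of analysis described above, comparing what staff are granted against what the audit logs show they actually use, can be sketched in a few lines. This is an added illustration, not Ermetic's product or any cloud provider's tooling; the identities, the simplified policy format and the audit-log line format are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample policy (not from the article or any vendor product):
# identity -> set of (resource, action) pairs the identity is granted.
GRANTED = {
    "dr.lee": {("ehr-records", "read"), ("ehr-records", "write"),
               ("billing-db", "read"), ("billing-db", "delete")},
    "billing-app": {("billing-db", "read"), ("billing-db", "write"),
                    ("ehr-records", "read")},
    "former-contractor": {("ehr-records", "read")},
}

# Constructed audit-log lines in a simplified format:
# "<timestamp> <identity> <action> <resource> <ALLOW|DENY>"
AUDIT_LOG = """\
2024-03-01T09:12:03Z dr.lee read ehr-records ALLOW
2024-03-01T09:15:44Z dr.lee write ehr-records ALLOW
2024-03-01T10:01:10Z billing-app read billing-db ALLOW
2024-03-01T10:01:11Z billing-app write billing-db ALLOW
2024-03-01T10:02:00Z billing-app delete billing-db DENY
2024-03-02T08:30:00Z dr.lee read ehr-records ALLOW
"""


def parse_audit_log(text):
    """Return identity -> set of (resource, action) pairs actually exercised.

    Only ALLOW entries count as usage; a DENY shows an attempt, not access.
    """
    used = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "ALLOW":
            continue
        _, identity, action, resource, _ = parts
        used[identity].add((resource, action))
    return used


def excessive_permissions(granted, used):
    """Permissions granted but never used in the log window: revoke candidates."""
    return {ident: sorted(perms - used.get(ident, set()))
            for ident, perms in granted.items()}


def least_privilege_policy(granted, used):
    """Tightened policy that keeps only the permissions the log shows in use."""
    return {ident: sorted(perms & used.get(ident, set()))
            for ident, perms in granted.items()}
```

The log window has to be long enough to cover legitimate but infrequent actions (month-end or quarterly tasks), or this will recommend revoking access that is still needed; an identity with no activity at all, like the constructed former-contractor here, is the first thing to review.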
Vendor Management
Putting information in the cloud can be a good move for a physician’s practice if done well. But it is important to choose a good partner with which to share the responsibility. Understanding whether someone is a true expert is the challenge. Ariel recommends asking vendors whether they support the levels of encryption needed for healthcare and if they log and audit data access and take measures to make sure the audit logs are not compromised.
Practices also should consider whether an organization offers certification to vendors, which some of the major cloud providers, like Azure, do. It is also important to ask for references for any vendor that will be working with PHI.