Feds Urge Healthcare Entities to Address Cloud SecurityAdvisory Comes in Midst of Recent Cyber Incidents Involving Cloud Providers
As the healthcare sector is transitioning to cloud-based applications and services, it must be proactive in addressing a list of associated security risks, U.S. federal authorities say.
While the cloud provides benefits, it also comes with a range of security challenges, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center writes in an analyst brief issued last week for the healthcare and public health sector.
Top security threats and risks involving the cloud, HHS HC3 warns, include:
- Phishing schemes to steal cloud credentials;
- Cloud "hijacking" involving cybercriminals taking over an account;
- Shadow IT - including the unsanctioned use of public cloud services by employees;
- A lack of cloud visibility, such as blind spots that result in a failure to alert on security incidents;
- Misconfigurations, including unrestricted inbound/outbound ports, unsecure application programming interface keys, disabled monitoring or logging features and leaving open the Internet Control Message Protocol.
"The main goal with cloud security is maintaining the integrity of the files and preventing unauthorized access, but traditional tools and strategies are not always capable of accomplishing this," HHS HC3 writes.
Major Cloud Compromises
The HHC HC3 advisory comes as several major recent cyber incidents involving cloud services providers that cater to the healthcare sector are playing out.
That includes a hacking incident detected late last year at cloud-based electronic health record vendor Eye Care Leaders, resulting in a growing tally of healthcare entities reporting data breaches to HHS' Office for Civil Rights in recent months and weeks, affecting at least 3 million of their patients, so far.
The U.K. National Health Services suffered outages of certain applications, including its 111 urgent care service, after a ransomware attack two weeks ago on Advanced, a major cloud-based software supplier to that country's public healthcare system (see: Ransomware Attack Caused NHS Outage, Says Vendor).
Most major healthcare organizations have become increasing dependent on cloud-based services, says John Houston, vice president of privacy and information security and associate counsel of integrated healthcare delivery organizations at the University of Pittsburgh Medical Center, which includes 40 hospitals and 800 outpatient sites.
This reliance is in large part due to many IT vendors moving their services "exclusively to the cloud," he tells Information Security Media Group.
"As such, ensuring the security and availability of cloud-based services - and associated information - is and will remain one of UPMC's top priorities.
"Unfortunately, such assurance can be problematic for a variety of reasons, most notably being able to accurately assess the cloud vendor’s security posture. Further, getting meaningful contractual commitments is difficult - including financial coverage in the event of a breach," Houston says.
Benjamin Denkers, chief innovation officer at privacy and security consulting firm CynergisTek, says he also thinks the biggest threat involving cloud is when organizations are reliant on the third parties and assume the environment is properly secured.
"Cloud security is a shared responsibility, and understanding who is responsible for what is critical," he says.
Organizations need to start with "a deep understanding" of the shared responsibility model, he says.
Entities need to know what the threat landscape looks like as they migrate to the cloud and how the various additions or changes increase or reduce exposure, he says. "They need to continuously validate that controls are effective and appropriate for their level of risk acceptance."
Cloud Security Best Practices
Healthcare sector organizations should implement several best practices to help reduce their security risks involving cloud services, HHS HC3 recommends. They include:
- Using a cloud service provider that encrypts data;
- Conducting compliance audits;
- Implementing a zero trust model;
- Establishing and enforcing security policies and setting up preferred privacy settings;
- Using multifactor authentication;
- Maintaining cloud visibility;
- Installing operating system updates;
- Avoiding the use of public Wi-Fi;
- Understanding cloud compliance requirements and regulations.