It might come as a surprise, being in one of the most highly-regulated industries around, that the healthcare sector has made significant strides when it comes to embracing the public cloud and the myriad cloud applications that exist today. Messaging apps like Slack enable rapid communication while file sync and share apps like Box enable instant collaboration. A good example of a cloud app that has become essential in large enterprises is Microsoft’s Office 365.
Adoption in the healthcare industry has nearly doubled since 2016, up from 30.9 percent to 57.3 percent in 2018. At the same time, with the adoption of new technologies, the door is often left open for nefarious actors to take advantage of misconfigurations and careless employee practices that leave data exposed.
The number of healthcare data breaches each year hovers around 300 (reported breaches of more than 500 records), affecting millions of individuals annually. This high frequency, together with the steady increase in the adoption of new and changing technologies that serve as the backbone of the patient/practitioner relationship, prompts the question of how to move forward. What are healthcare organizations going to do to ensure the safety of patient data while maximizing efficiency for practitioners?
A Multi-Faceted Problem
Before security professionals can begin to address the issues associated with cloud adoption and device management, they must first determine the scope of the problem. Maintaining visibility of the number of devices accessing the network is challenging enough, but when that number fluctuates constantly, and users are accessing sensitive data from any Internet connection via cloud platforms, quantifying the risk becomes a massive and important challenge.
Data Sensitivity and Complex Regulations
Because of the sensitivity of the data they handle, healthcare organizations must maintain compliance with several regulatory mandates. Nationally, HIPAA imposes rules around protected health information (PHI), while PCI-DSS regulates billing information. Additionally, individual states each have their own regulations around personally identifiable information (PII).
Adoption of Cloud Platforms
A prime example of a cloud-based application that has seen significant adoption in healthcare is Microsoft Office 365, which currently sits at a 57 percent usage rate, nearly twice what it was two years ago (30 percent). In fact, it has become the productivity platform of choice for healthcare firms and affiliates looking to migrate from on-premises Exchange environments to the cloud.
Bring Your Own Device
Many healthcare organizations have instituted bring your own device (BYOD) policies: rules around access to data that, in most cases, is already stored in several locations. Of note, BYOD rules involve personal devices and require employee buy-in, which is difficult to obtain where employees are protective of their devices and often resistant to security solutions that involve on-device agents. Put simply, few employees are willing to give their organizations access to personal data on a personal device.
Background on Breaches
The annual number of data breaches across the industry has remained fairly consistent over the past two years, hovering around 300. However, when considering that healthcare organizations hold not only sensitive patient medical records but also identifying information like social security numbers and credit card information, the consequences for individuals whose information is stolen could be disastrous. The estimated annual cost of each leaked healthcare record is $380, meaning a large-scale IT incident can represent hundreds of millions in cost.
In 2017, a little more than 28 percent of unauthorized data access was the result of loss/theft of a device or an unauthorized disclosure, which leaves more than 70 percent of breaches being attributed to a hack or IT incident. Depending upon the size of the organization breached and the number of records compromised, the price tag can increase quickly regardless of the root cause of a breach.
A Case Study in Data Security
Despite the uptick in adoption of cloud-based productivity platforms, single sign-on (SSO), a basic user control and authentication function, has not seen rapid adoption. The adoption rate of SSO is only 23 percent across healthcare organizations, far below its 40 percent usage in education.
If SSO isn’t the answer for healthcare organizations that are increasingly looking to secure the cloud, the question remains, what is?
One healthcare firm in Northern California is a prime example of a company looking to secure data everywhere. It is a case study in handling all these converging factors: increased cloud usage, access from a variety of devices and, of course, handling sensitive patient data. The company's BYOD policy, combined with its deployment of Office 365, meant that its physicians and other employees would be accessing patient data from personal devices via the cloud.
Given employees' own data privacy concerns, security solutions involving on-device agents were not an option at this health provider. Consequently, the organization needed a solution that would protect sensitive patient data while leaving employees in control of the other information on their personal devices.
Because cloud application security solutions are app-specific and not data-specific, this organization needed an extra layer of security to meet all these access parameters while remaining in compliance with federal and state regulations. The solution was a cloud access security broker (CASB), enabling security and compliance in the cloud. Clinicians were free to use personal devices without the intrusion of their security teams having access to all of their personal information.
Mike Schuricht is the VP of product management for Bitglass, a next-gen Cloud Access Security Broker (CASB) solution and the research team behind both the Cloud Adoption Report and the Healthcare Breach Report.