Anyone in the U.S. who has seen a health care provider in the last two decades is familiar with the data privacy requirements of the Health Insurance Portability and Accountability Act, better known as HIPAA. Every patient is asked to read a privacy statement and sign a form to acknowledge understanding that statement.
Health care workers are schooled on the intricacies of the law, so it’s a bit of a surprise that workforce members of St. Elizabeth’s Medical Center (SEMC), a hospital in Brighton, Mass., used an Internet-based file sharing service to store documents that contained electronic health records of 498 individuals without first assessing the risks associated with the use of the service. As the result of the HIPAA violation, SEMC agreed to pay $218,400 to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR), and SEMC must comply with the terms of a Corrective Action Plan (CAP).
Software applications delivered via the Internet, commonly known as cloud computing, are transforming how businesses operate. Studies from Vanson Bourne have shown that businesses taking advantage of productivity-enhancing cloud services grow 19.6 percent faster than their counterparts that don’t. That kind of growth is luring more companies to the cloud.
The ready availability of more than 16,000 cloud applications empowers individual workers, work groups and entire business departments to engage directly with service providers to set up the applications they need in hours, or even minutes. While the rapid road to productivity that cloud computing offers is a positive development, it also opens up areas of risk, especially when applications are deployed without the support or knowledge of the IT department. This is a costly lesson that was learned firsthand by the staffers of St. Elizabeth’s Medical Center.
Skyhigh Networks’ analysis of actual usage shows that the average organization now uses 1,154 cloud services — a number that has more than doubled in just two years. New cloud services are launched every week, offering innovative features and capabilities that entice workers to try them. On the plus side, organizations have never had more cloud apps to choose from that provide robust levels of security for enterprise data. Nevertheless, workers opt to use less secure consumer-grade cloud services for business purposes 27 percent of the time.
In recent years, the role of the IT department has shifted away from being an organization’s sole source of all computing resources and information services to being more of a consultative partner to help business departments evaluate and select appropriate cloud-based services. A primary concern is the security of corporate data going into various cloud apps. Business departments and their IT counterparts have a shared responsibility to ensure that data is protected with measures that meet or exceed corporate policies.
Risky behavior: When sharing is erring
Among the most frequently used types of cloud applications are collaboration and file-sharing services. Many originated as a means to synchronize files across devices, but now they commonly offer the ability to share files with colleagues and business partners and to allow users to edit the same file in real time. The average company uploads 5.6 terabytes of data to file sharing services every month. To put that in perspective, 5.6 terabytes is roughly 480 million pages of Microsoft Word documents. Every month.
It’s not so much the volume of shared data that’s a concern, but the nature of the data and how it’s protected. Around 15 percent of all documents uploaded to cloud-based file sharing services contain sensitive information such as confidential company data, personally identifiable information, payment data or protected health information. These classifications of data need strong security measures to protect against theft, corruption or loss.
Some, but not all, cloud services inherently provide enterprise-grade data protection features, including encryption, tokenization and data-loss prevention. It’s the responsibility of the party engaging with these services to ensure that the data security measures are completely in line with corporate standards. For example, a cloud service might provide data encryption, but with the encryption keys held by the service provider. That is inadequate as a corporate security measure: whoever has access to the keys can also read the data in the clear, and in this case that is the service provider. Most enterprises have policies that prohibit this scenario.
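The distinction the paragraph draws is about key custody. As an added illustration (this is example code written for this article, not code from Skyhigh Networks or any cloud provider), the Go program below encrypts a document with a key that the organization generates and keeps, uploads only the ciphertext to a stand-in for the file-sharing service, and decrypts after download. The `KeyCustodian` and `CloudStore` types are assumptions that model an enterprise key store and a storage service; the sample record is constructed. The service never receives the key, so someone holding only the stored blob gets an authentication failure when trying to decrypt it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyCustodian stands in for the organization's own key store (in practice an
// HSM or enterprise KMS). The data key is generated here and never leaves the
// organization; the cloud service is not given a copy. (Assumed type for the example.)
type KeyCustodian struct {
	Key []byte
}

func NewKeyCustodian() (*KeyCustodian, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &KeyCustodian{Key: key}, nil
}

// Seal encrypts a document with AES-256-GCM before it is uploaded. The result is
// nonce || ciphertext || tag. The object name is bound as associated data so a
// stored blob cannot be silently served back under another name.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob fetched back from the service. It fails on a wrong key,
// a modified blob, or a blob retrieved under a different object name.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// CloudStore models the file-sharing service: it keeps whatever bytes it is
// given and holds no key, so it only ever sees ciphertext. (Assumed type.)
type CloudStore struct{ objects map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (c *CloudStore) Put(name string, blob []byte) { c.objects[name] = append([]byte(nil), blob...) }

func (c *CloudStore) Get(name string) ([]byte, bool) { b, ok := c.objects[name]; return b, ok }

func main() {
	kc, err := NewKeyCustodian()
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()
	record := []byte("constructed sample: patient 0001 visit summary") // constructed data
	blob, err := Seal(kc.Key, record, "records/0001.txt")
	if err != nil {
		panic(err)
	}
	store.Put("records/0001.txt", blob) // the service stores ciphertext only
	stored, _ := store.Get("records/0001.txt")
	fmt.Printf("service holds %d bytes of ciphertext\n", len(stored))
	back, err := Open(kc.Key, stored, "records/0001.txt")
	fmt.Printf("organization decrypts: %q (err=%v)\n", back, err)
	// Whoever holds only the blob (the service, or anyone who copies its
	// storage) cannot decrypt without the organization's key:
	other, _ := NewKeyCustodian()
	_, err = Open(other.Key, stored, "records/0001.txt")
	fmt.Println("decrypt with a different key:", err)
}
```

Binding the object name as associated data is a small extra that matters in shared storage: it stops a stored ciphertext from being moved under another name and decrypted as if it were a different document.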
Another concern about the use of file-sharing and collaboration services is who the files are shared with. Skyhigh Networks has observed that 28 percent of documents that are shared via a service are provided to external business partners. Of the shared files, 5 percent are accessible by anyone with access to the appropriate link. These links are easily forwarded and can create risk, since the organization cannot audit or control who is accessing the document. Of further concern, 2.7 percent of these files are actually publicly accessible and indexed by Google. Imagine confidential business development plans, meant exclusively for the use of a business partner, being readily available to anyone using Google’s search engine.
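The audit the paragraph says organizations cannot perform on a forwarded link can at least be performed on the sharing settings themselves. As an added example (not code from the article or from Skyhigh Networks), the Go program below reads a constructed sharing inventory, of the kind a file-sharing service's admin API or a CASB export might provide, and classifies each share into the four audiences the text names: internal, external partner, anyone with the link, and publicly indexed. The `Share` field names, the `example.com` corporate domain and every record in `SampleInventory` are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Share is one row of a sharing inventory. Field names are assumptions for
// this example; a real export would need mapping onto them.
type Share struct {
	Path          string   `json:"path"`
	Recipients    []string `json:"recipients"`     // addresses the file is shared with
	LinkAccess    string   `json:"link_access"`    // "none", "anyone_with_link" or "public"
	SearchIndexed bool     `json:"search_indexed"` // public link is discoverable by search engines
}

// Exposure is the widest audience a share reaches, least to most exposed.
type Exposure int

const (
	Internal Exposure = iota
	ExternalPartner
	AnyoneWithLink
	PublicIndexed
)

func (e Exposure) String() string {
	return [...]string{"internal", "external partner", "anyone with link", "public, indexed"}[e]
}

// Classify applies the policy: link settings dominate named recipients (a
// forwarded link reaches anyone), and any recipient whose domain is not in
// corpDomains makes the share external. A malformed address is treated as external.
func Classify(s Share, corpDomains map[string]bool) Exposure {
	switch {
	case s.LinkAccess == "public" && s.SearchIndexed:
		return PublicIndexed
	case s.LinkAccess == "public" || s.LinkAccess == "anyone_with_link":
		return AnyoneWithLink
	}
	for _, r := range s.Recipients {
		at := strings.LastIndex(r, "@")
		if at < 0 || !corpDomains[strings.ToLower(r[at+1:])] {
			return ExternalPartner
		}
	}
	return Internal
}

// Audit parses the inventory, counts shares per exposure class and returns the
// paths that need review: anything reachable by link, where the organization
// cannot see or control who opens the file.
func Audit(inventory []byte, corpDomains map[string]bool) (map[Exposure]int, []string, error) {
	var shares []Share
	if err := json.Unmarshal(inventory, &shares); err != nil {
		return nil, nil, err
	}
	counts := map[Exposure]int{}
	var review []string
	for _, s := range shares {
		e := Classify(s, corpDomains)
		counts[e]++
		if e >= AnyoneWithLink {
			review = append(review, s.Path)
		}
	}
	sort.Strings(review)
	return counts, review, nil
}

// SampleInventory is a constructed export, not data from any real service.
const SampleInventory = `[
  {"path": "/finance/q3-forecast.xlsx", "recipients": ["alice@example.com"], "link_access": "none"},
  {"path": "/sales/partner-pricing.pdf", "recipients": ["bob@partner.example"], "link_access": "none"},
  {"path": "/hr/onboarding.docx", "recipients": ["Carol@Example.COM", "dave@Contractor.example"], "link_access": "none"},
  {"path": "/marketing/launch-deck.pptx", "recipients": [], "link_access": "anyone_with_link"},
  {"path": "/bizdev/expansion-plan.docx", "recipients": ["erin@partner.example"], "link_access": "public", "search_indexed": true},
  {"path": "/eng/design-notes.md", "recipients": ["frank@example.com", "grace@example.com"], "link_access": "none"}
]`

// CorpDomains is the assumed set of the organization's own mail domains.
var CorpDomains = map[string]bool{"example.com": true}

func main() {
	counts, review, err := Audit([]byte(SampleInventory), CorpDomains)
	if err != nil {
		panic(err)
	}
	for e := Internal; e <= PublicIndexed; e++ {
		fmt.Printf("%-18s %d\n", e, counts[e])
	}
	fmt.Println("needs review:", review)
}
```

Run against the constructed inventory, the report lists the two link-shared files for review; the business-development plan shared by a public, indexed link is exactly the case the paragraph warns about.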
When attackers act like insiders: Compromised accounts
Data thieves are taking notice as organizations put more and more sensitive information into cloud applications. Compromised credentials for SaaS applications can make it easy for an external actor to gain access to these critical business applications and, for all intents and purposes, appear to be the legitimate user. How are account credentials compromised? Largely through phishing attacks and database hacks. Skyhigh research has shown that 92 percent of companies have cloud credentials for sale on the Darknet. Three out of four organizations have at least one compromised account each month.
A highly popular cloud storage service had a breach in 2012 in which users’ accounts were easily accessed. The attackers used account information and passwords that were stolen from other websites to gain access to the storage accounts. The damage could have been lessened if users hadn’t reused their credentials from other websites, and the incident also shows that multifactor authentication (MFA) could have been a good deterrent in the attack. MFA requires a second form of authentication, such as entering a code that is sent out-of-band via text message, email or phone. Using MFA is a best practice for all applications, but certainly for cloud applications that sit outside a corporate firewall.
IT departments don’t want to stand in the way of business workers’ productivity. If cloud-based applications are needed to support business processes, that’s fine, but engaging those services should be a shared effort between the lines of business and IT. The business departments own the data going into the cloud, but IT personnel have a duty to help secure it. IT can help workers and departments assess and select enterprise-ready cloud apps and verify that adequate controls are in place to help assure data security, governance and compliance. Less data security should never be a trade-off for the convenience of using cloud-based applications.
No organization wants to be the next data-breach news headline, and all employees have a responsibility to protect their company’s data assets, regardless of where they are.
Rajiv Gupta is a co-founder and CEO of Skyhigh Networks, a cloud security and enablement company. He has more than 20 years of successful enterprise software and security experience, and is widely recognized as a pioneer of Web services. Reach him @trustedmind.
This article originally appeared on Recode.net.