2015 Was the Year of the Health Care Data Breach, But Cloud Sails Around the Storm

Earlier this year, the media warned the public that 2015 would be the year of the health care hack. The prediction has come true, as 2015 saw a record 100 million people affected by a health care data breach. In this article, we remind ourselves of the main factors that contribute to security risks in health care cloud computing and compare these to the actual reported data breaches in 2015.

Cloud Security Risk Factors

Traditional security threats are well-known, and most of them apply as much to cloud computing as they do to traditional information and communications technology (ICT) networks. However, cloud computing also brings a few new or more specific risks.

Insiders

When it comes to security breaches, it is often stated that the malicious insider is one of the most important initiators. In a cloud setting, there is a second group of insiders to consider: the staff at the cloud provider, such as auditors and administrators who hold high-privilege roles or deal with incident response.

All common cloud types (e.g., IaaS, PaaS or SaaS) are equally affected by third-party insider attacks as long as the insider can gain access to the data center or cloud management system.

Cloud Computing Itself

In the past, cybercriminals used multiple computers or a botnet to create enough computing power for an attack. This process was complicated and could take months to complete. Nowadays, however, malicious actors use the computing and storage power of cloud networks to prepare brute-force attacks in a few minutes.

The Profits

With the black-market price of a patient’s identifiers now higher than the price for credit card details, motives for initiating data breaches in health care cloud environments are mainly financial. Health data is not only used for identity theft, however. Companies make a business out of medical conditions and approach patients with targeted marketing of medications or treatments.

Popular Attack Types

IBM recently identified the most frequent types of attacks on health care data in the cloud. The top offenders included getting a victim to open a malicious document or to click on a link that leads to a malicious site, the Shellshock vulnerability, brute-force attacks and the use of outdated systems.

The Year of the Health Care Data Breach

In 2015, several large data breaches were reported by health care organizations. In fact, according to the Breach Level Index, the health care industry suffered more breaches in 2015 than any other sector. The breach portal of the U.S. Department of Health and Human Services showed that over 100 million people were affected by health care data breaches in 2015. Of the breaches affecting more than 1 million patient records, only one reported that health care cloud services were involved, although details were not revealed.

The other large-scale breaches reported no business partners involved and stated that the incidents took place within the organization itself. In fact, 46 percent of the 242 incidents were related to portable data, such as data on laptops, hand-held devices, paper or film. These are breaches that may have been avoided if the companies in question had used cloud services.

This seems like good news for cloud providers, but they can’t get too smug about this. When that one cloud data breach does happen, the impact will likely be enormous, and the consequences will be felt by millions of patients for a long time to come.

With few cloud breaches reported, it seems that providers are doing a good job with security. To continue this trend, they have to stay on top of it, especially as more and more data is moved to the cloud.

It is somewhat disappointing that the breached organizations do not provide more detail about what really caused the leaks. Academics, the public, health care providers and ICT providers need to learn about current threats and vulnerabilities to ensure that patient data in the cloud stays secure. Keeping the details of data breaches secret does not help to design better security.

Read the IBM Research report: Security trends in the healthcare industry

Conclusion

Many health care organizations use cloud services for the hosting of clinical applications and data, health information exchange, and backup and data recovery. With these cloud services come specific security risks, even though there haven’t been many reported health care cloud breaches. In the years to come, cloud security will be truly tested and we must be prepared.

Security intelligence tools offer predictive analytics, prioritized threat data and a proactive response to support that preparation. However, the full potential of security intelligence can only be reached when details about threats and breaches are publicly shared. Then researchers and the industry can create intelligent systems that outsmart the attackers who are after our personal data.

Nicole van Deursen

Information Security Researcher

Nicole van Deursen has worked in several industries as an information security consultant and manager. In these roles, she has managed security teams and awareness projects, developed organisational policies, and performed many audits and risk assessments. Furthermore, when she worked towards her PhD, she collaborated with Edinburgh Napier University to develop a novel method to monitor socio-technical information security risk. She blogs about socio-technical aspects of information security on http://isrisk.wordpress.com.