
Minimising security risks when handling sensitive patient data with cloud services

(Image credit: Photo_Concepts / iStock)

According to recent market research by Meticulous Research, the healthcare cybersecurity market is estimated to be worth $26.1 billion by 2027. Demand for advanced cybersecurity is mainly being driven by large-scale cloud adoption paired with the emergence of increasingly complex cyber threats.

Due to the pressure of handling highly sensitive patient data, healthcare organizations must balance the business benefits of embracing cloud adoption to transform the delivery and accessibility of healthcare services against the organizational, reputational and legal headaches caused by a hack or data leak.

Perhaps the highest-profile incident of all in the UK healthcare sector was the famous WannaCry ransomware outbreak in 2017 that ravaged the National Health Service (NHS). While not specifically targeted at the NHS, WannaCry exposed the lack of investment by many NHS trusts in their IT infrastructure.

This attack did not simply highlight a lack of the right cybersecurity tools or controls; it exposed the fact that a large number of NHS entities were running outdated or completely unsupported operating systems – Windows XP being a prime example. Of the operating systems that were still in support, many were not being patched in a timely manner, if at all.

The key thing after any major breach is to understand what happened and make the appropriate changes and improvements to minimize the risk of the same or similar happening again. In this instance, we can use the learnings from the NHS’ failures to help secure and improve our own cloud and IT infrastructure.

Patch – and check compliance

Worm-like cyber threats spread across IT systems mainly by exploiting a vulnerability in either the operating system or third-party software that has been installed on the network.

If you outsource the management of patching to an external Managed Service Provider (MSP) then ensure your IT Director, CISO or similar responsible person understands how these patches are applied, what is being patched – whether just the operating systems, or third-party software as well (and which products), and at what frequency.

Utilize a third party to test for patch compliance. If you outsource to an MSP then use your internal team or an external IT security consultancy to run a vulnerability scan to ensure you do not fall victim to a team that claims to be patching, but is not actually delivering.

You can utilize a number of software/SaaS tools to automate the vulnerability scanning, such as Nessus or OpenVAS. While it is advisable to work with security experts to interpret and close down discovered issues, the tools above will highlight patch issues and scan against known common vulnerabilities.

Ensure your patching and management extends to all areas of the network and cloud services. Do not forget Azure/AWS or similar platforms that you are expected to secure.

Patching and closing security vulnerabilities is harder with full SaaS offerings, as you do not typically have any access to or control of the software or underlying infrastructure. However, you can still check for vulnerabilities or run scheduled penetration testing on these services. I’d recommend you work with your SaaS vendor to facilitate the required access, but ensure you use your own security consultants to run the penetration testing. Do not let the vendors “mark their own homework”.

Seal your leaky buckets

Over the past decade huge amounts of personal data have been leaked to the internet via misconfigured data stores – known as buckets in the Amazon Web Services’ (AWS) world.

Security mistakes have allowed hackers to stumble across databases of private data which should not be accessible to anyone outside of the organization.

If your IT team are working with AWS, Microsoft Azure, Google Cloud or other public cloud providers then ensure that you have the skills in-house to secure and test the security of these cloud instances.

If you do not, or are not confident, then outsource a security audit to a professional security firm that specializes in the cloud platform you have chosen to work with.
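As an added illustration (not part of the original article), the Python sketch below shows the kind of check a bucket security test performs: it flags ACL grants to the predefined public groups and policy statements open to any principal, taking the bucket's Block Public Access flags into account. The bucket names and configurations are constructed samples shaped like S3 API responses, and `audit_bucket` is a hypothetical helper.

```python
import json

# Predefined S3 ACL groups meaning "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def as_list(v):
    return v if isinstance(v, list) else [v]

def wildcard_principal(p):
    # Principal may be "*" or a mapping such as {"AWS": "*"}.
    if isinstance(p, dict):
        return any("*" in as_list(v) for v in p.values())
    return p == "*"

def audit_bucket(cfg):
    """Return public-exposure findings for one bucket configuration."""
    bpa = cfg.get("public_access_block", {})
    findings = []
    for g in cfg.get("grants", []):
        uri = g.get("Grantee", {}).get("URI")
        # IgnorePublicAcls makes S3 disregard public ACL grants.
        if uri in PUBLIC_GROUPS and not bpa.get("IgnorePublicAcls"):
            findings.append(f"ACL: {g['Permission']} granted to {uri.rsplit('/', 1)[-1]}")
    policy = json.loads(cfg.get("policy") or "{}")
    for s in as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow" or not wildcard_principal(s.get("Principal")):
            continue
        if bpa.get("RestrictPublicBuckets"):
            continue  # public policies are restricted to the owning account
        note = " (has Condition, review manually)" if s.get("Condition") else ""
        actions = ", ".join(as_list(s.get("Action", "?")))
        findings.append(f"POLICY: {actions} open to any principal{note}")
    return findings

# Constructed sample configurations (not real buckets).
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-patient-exports/*"}]})
ALL_USERS = {"Grantee": {"Type": "Group", "URI": sorted(PUBLIC_GROUPS)[0]},
             "Permission": "READ"}
BUCKETS = {
    "example-patient-exports": {"policy": OPEN_POLICY, "grants": [ALL_USERS]},
    "example-imaging-archive": {"policy": OPEN_POLICY, "grants": [ALL_USERS],
        "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
}

if __name__ == "__main__":
    for name, cfg in BUCKETS.items():
        print(name, audit_bucket(cfg) or "no public exposure found")
```

A statement that carries a Condition is reported for manual review rather than cleared, because a condition can still leave the bucket reachable by a very wide audience.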

Restrict your cloud and SaaS access

While cloud-based systems can be accessed from anywhere, that does not mean that they should be.

In a healthcare environment there are clearly defined data access requirements and controls which should be replicated in the cloud systems you are using. This should filter down to physical access to the systems, as well as to individual patient records.

For example, access to write medical imaging data into a picture archiving and communication system (PACS) should be locked down to the specific devices and locations that need this functionality, and not left open to the entire network.

Auditing all your key systems is a good place to start. Look at what data is stored, how classified it is, who needs access, and where they need access from. Then work with your IT team and SaaS vendors to mirror your requirements on the firewalls, access control lists and user permissions.

Once the audit is completed and the controls are in place, ensure you have proper information management controls to handle requests for new users, permission uplifts, changes and alterations, and other odd cases that may require a temporary or permanent change to your permission structure.

Schedule a regular audit process to pick up outliers or non-compliant users or devices and investigate why they have been given incorrect permissions.
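The recurring audit described above can be partly automated. The following Python sketch is an added example, not from the original article: it compares a requirement table from the data audit against both the configured allow rules and observed accesses, using the PACS write restriction as the case. All network ranges, rule names, device names and record formats are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical audit outcome: (system, action) -> permitted source networks.
REQUIRED = {
    ("pacs", "write"): ["10.20.30.0/28"],   # imaging modalities only
    ("pacs", "read"): ["10.20.0.0/16"],     # clinical network
}

def permitted(required, system, action):
    # No entry means nothing is permitted (default deny).
    return [ipaddress.ip_network(c) for c in required.get((system, action), [])]

def overly_broad_rules(rules, required):
    """Configured allow rules that admit sources beyond what the audit requires."""
    bad = []
    for rule in rules:
        allowed = permitted(required, rule["system"], rule["action"])
        src = ipaddress.ip_network(rule["source"])
        if not any(src.subnet_of(a) for a in allowed):
            bad.append(rule["name"])
    return bad

def outlier_accesses(events, required):
    """Observed accesses whose source address is outside the permitted networks."""
    out = []
    for e in events:
        allowed = permitted(required, e["system"], e["action"])
        if not any(ipaddress.ip_address(e["src"]) in a for a in allowed):
            out.append((e["device"], e["src"], e["action"]))
    return out

# Constructed firewall/ACL export and access events.
RULES = [
    {"name": "modalities-to-pacs", "system": "pacs", "action": "write", "source": "10.20.30.0/28"},
    {"name": "legacy-any-write", "system": "pacs", "action": "write", "source": "10.20.0.0/16"},
    {"name": "wards-view", "system": "pacs", "action": "read", "source": "10.20.40.0/24"},
]
EVENTS = [
    {"device": "ct-scanner-01", "system": "pacs", "action": "write", "src": "10.20.30.5"},
    {"device": "ward-pc-117", "system": "pacs", "action": "write", "src": "10.20.40.23"},
    {"device": "ward-pc-117", "system": "pacs", "action": "read", "src": "10.20.40.23"},
    {"device": "unknown", "system": "pacs", "action": "read", "src": "192.168.7.9"},
]

if __name__ == "__main__":
    print("rules broader than required:", overly_broad_rules(RULES, REQUIRED))
    print("accesses to investigate:", outlier_accesses(EVENTS, REQUIRED))
```

Checking the rules as well as the events matters: an overly broad rule such as the constructed `legacy-any-write` explains why the ward PC's write was allowed through in the first place.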

Use the security provided

Many SaaS vendors offer a range of security tools and settings within their products, many of which are not enabled out of the box.

Make sure you are using features such as multi-factor authentication (MFA or 2FA), password strength requirements, and conditional access based on location or device profiles to provide a solid security baseline.

Gather the logs at minimum, actively monitor at best

All SaaS applications and physical systems produce logs, and most major SaaS applications allow the exporting of these logs to a security information and event management (SIEM) platform, which is a centralized log and event storage tool.

Depending on the size of your organization, you may have a security operations center (SOC) either in-house or outsourced. If you do, then they will have a SIEM platform that they will want you to feed into, so ensure you keep them involved and informed of new SaaS systems you are planning to implement. If you do not currently work with a SOC, you should consider doing so. Having security logs in place and not monitoring them means you are always reactive to security threats, if you are even aware of them at all.

If your size or budget does not warrant a SOC, then ensure you are gathering and keeping the logs at minimum, to allow you to bring in forensic data breach investigators in the event of the worst happening.

Craig Atkins, Managing Director, 1-Fix Limited