The healthcare industry has always struggled with data security. Because healthcare organizations store enormous amounts of sensitive data and are subject to stringent compliance regulations, they have to make security their number one priority. Therefore, they have long been skeptical about new technologies that could put data at risk — including cloud technologies.
However, everything changes, and healthcare industry is changing as well. In January of 2018, an important decision was made: The National Health Service (NHS), the largest healthcare provider in the UK, officially approved the use of US-based cloud providers to store patient data. According to the 2018 Netwrix Cloud Security In-Depth Report, 84% of healthcare organizations already store data in the cloud, but NHS is the first state healthcare organization to give the go-ahead.
84% of IT professionals employed in the healthcare industry said their organizations store sensitive data in the cloud
Although the NHS’s decision was driven by commonly cited cloud benefits like better data security and reduced operating costs, in reality, the situation is not that favorable. According to the Netwrix survey, only 19% of organizations said their security improved after cloud adoption. In fact, the majority of respondents either were not sure of the impact cloud adoption had on security, or felt that the move had worsened their overall security level.
Top cloud concerns in the healthcare industry
In 2017, malware infiltrations continued to grow, and ransomware was one of the most common attacks. On average, a company was hit by ransomware every 40 seconds. Malware gained momentum among healthcare providers in particular, with variants such as NotPetya, WannaCry and Locky. Ironically, even the NHS itself was hit by WannaCry: The attack resulted in disruptions at 37% of NHS trusts and the cancelation of thousands of appointments and surgeries. Although the NHS did not pay the ransom, it did incur extra costs to cover cancelled appointments, hire IT consultants, and restore data and systems after the attack, not to mention reputational damage. No wonder 61% of healthcare organizations were worried about malware infiltrations, just a little less than were worried about risk of unauthorized access.
Another interesting finding of the Netwrix survey is that healthcare was the only industry that named data encryption as a top cloud security concern. Healthcare compliance standards often mandate data encryption, but encrypting all the data handled by a healthcare provider can double or triple its cloud bill. As a result, smaller healthcare organizations, especially those without government support, tend to resist cloud migration, or at least avoid storing PHI in the cloud.
Although the largest data breach in the healthcare sector was due to a state-sponsored hacker attack on Anthem in 2015, healthcare organizations named employees as the top risk to cloud security, with more than 50% of respondents saying that the human factor plays the most important role. Third parties, external actors and cloud providers are seen as less of a threat.
55% of healthcare organizations identified employees as the biggest risk to sensitive data stored in the cloud
Even though employees were named as the biggest security risk, only 21% of healthcare organizations have a complete understanding of what their IT staff members are doing in the cloud, and visibility into the activity of business users is even less common. In fact, the overall visibility into internal actors is the lowest among all industries surveyed. IT people recognize this mismatch, but most of them do not get the necessary support from the C-level to address it. Only 50% of respondents said that they get top management support to implement cloud security initiatives; this is the lowest result across all industries surveyed as well.
Measures for improving cloud security
Less than a third of surveyed companies can rely on adding security solutions to their toolkit for mitigating risk in the cloud. Lukewarm support from executives leaves the rest without the budget to purchase security software or hire experienced IT professionals, so they have to deal with the security challenges on their own. An equal number of respondents plan to start by improving employee training and tightening security policies.
At first blush, these strategies might seem like a valid response to the high security risk associated with employees. However, poor visibility into user activity makes it impossible to measure success — most IT teams simply do not have any way to determine whether the improved training and stricter policies is leading employees to follow the rules. Moreover, relying on humans to do the right thing because of training or policy is more like wishful thinking than a sound strategy.
Cloud security trends
The announcement from the NHS is definitely going to give a green light to other big healthcare providers to explore cloud technology more intensively, despite their concerns about security and the lukewarm support from senior management. Around 69% of surveyed organizations already have plans to move more data to the cloud.
69% of healthcare organizations plan to move more sensitive data to the cloud in the near future
However, healthcare remains the most cautious industry surveyed: Only 23% are planning broader cloud adoption and the same amount are ready to become 100% cloud-based in the next five years; just 19% are ready to try a cloud-first approach. Only when cloud providers will be able to offer more promising opportunities, the healthcare industry will be willing to consider cloud technologies to solve pressing issues associated with data security and passing compliance audits; otherwise, most respondents will be cautious about cloud adoption.
State healthcare companies are likely to be pioneers in cloud adoption, with large commercial healthcare institutions holding off until authorities oblige them to store healthcare data in the cloud. Right now, the price of a mistake is simply too high, especially given the lack of visibility into user activity and the high risk of insider threats. The adoption rate will change if and when C-level executives pay more attention to the cloud security initiatives proposed by their IT teams.
Smaller healthcare providers are more likely to turn to the cloud in near future, especially if cloud providers reduce the price of data encryption. The cloud security services offered today exceed the modest capabilities of many small and medium companies, and are able to ensure enough protection to pass HIPAA, GDPR and other compliance audits. By removing the burden of compliance, at least partly, cloud providers will enable these organizations to better focus on their core mission of serving their patients.
View the full infographics (click on the image to open a high resolution version in a new tab)
Interested in learning more about other findings from this survey? Please read the full 2018 Netwrix Cloud Security In-Depth Report:
