Few events could have tested the strengths and vulnerabilities of our healthcare industry like a global pandemic, and in ways far beyond the management of human and material resources. It should be no surprise that, from the early stages of Covid-19, healthcare leaders also saw emerging, wide-scale security threats to patient data and cloud-based IT systems.
Let’s look back. Mere weeks after it declared a global pandemic in March of 2020, the World Health Organization reported a five-fold increase in cyberattacks on its own infrastructure.
Two months later, oversight bodies such as the U.K.’s National Cyber Security Centre and the Cybersecurity and Infrastructure Security Agency in the U.S. were recommending that healthcare staff change passwords and use more robust multifactor authentication (MFA) amid a surge of attempted data thefts.
Fast-forward to today and the challenges of securing healthcare data are sure to outlast the pandemic itself. Why? Many of those challenges have to do with the very nature of cloud infrastructure.
For healthcare organizations of all sizes, a cloud-based IT model makes good sense on many fronts. The huge growth of patient data along with the critical need to comply with data security regulations means that cloud services are an efficient and cost-effective way for the healthcare sector to modernize and streamline data.
More practically, cloud IT also appeals in healthcare because of the increasing need to store information offsite while keeping it accessible from multiple locations. According to Mordor Intelligence, the healthcare cloud market is expected to reach $71,730.64 million by 2027, registering a CAGR of 14.12% between 2022 and 2027. A more recent
Unfortunately, what’s too often overlooked is how all the advantages of cloud-based data management can also give rise to a range of security concerns if the data, SaaS and cloud applications are not thoroughly and diligently protected.
Even today, despite all the warnings and the increase in reported breaches, the security posture of cloud IT for healthcare organizations can range anywhere from almost impregnable to dangerously vulnerable.
What are the most hazardous threats that industry decision makers should be aware of? Along with the chaos and uncertainty of the pandemic, explosive data growth in healthcare has made its organizations highly attractive targets for bad actors who deploy sophisticated ransomware and other cyberattacks, attacks that can be both crippling and costly.
While the financial impact can vary greatly, IBM research from 2021 shows that organizations with fewer than 500 employees spend an average of nearly $3 million per data breach.
Regulatory fines also vary but can be eye-opening in size. Under the U.S. Health Insurance Portability and Accountability Act (HIPAA), settlements for data breaches among health insurers have reached as high as $39.5 million. In 2019, a company agreed to pay a data breach penalty of $575 million in a settlement with the FTC and several other parties.
To reduce the growing risk of cyberattacks and financial exposure, healthcare decision makers making use of cloud IT should look at three key areas of security: file sharing, user authentication and cloud services configuration.
First, according to a 2020 report by Forrester, 72% of businesses rely on file sharing to enable business continuity, but such widespread use of the technology can make it challenging to track how data is being shared and by whom. HIPAA regulations require that healthcare providers securely store sensitive files on-premises, in a private cloud or in a virtual private cloud. That’s easier said than done when files are often located on employee workstations, laptops, mobile devices and servers. That’s why a centralized and all-encompassing approach to storing and protecting files is usually the only solution.
Second, it can’t be overstated how important it is to adopt the industry best practice of multifactor authentication for user login. In 2020, Microsoft confirmed that only 11% of its own enterprise accounts had multifactor authentication (MFA) enabled. Contrary to widespread perception, MFA is not very difficult to adopt, does not necessarily require the use of external devices and is flexible enough for organizations to minimize potential disruption for users.
Third, many of the popular cloud services used in healthcare and elsewhere are not automatically set for optimal levels of security. That’s because most cloud providers use a “shared responsibility” model where they protect underlying infrastructure and let client organizations secure their own cloud-deployed assets and data.
Without some configuration, for example, Microsoft 365 allows any user to share files freely and to leave meetings open to anyone. Healthcare organizations would be wise to assess their cloud service provider’s approach to security and then identify in-house training and external resources that can significantly improve protection for cloud IT.
As it will be in most industries, the post-pandemic future of healthcare data storage and security lives in cloud infrastructure, where the convenience and flexibility can be both a compelling strength and a dangerous point of vulnerability. Industry leaders and MSPs who take an educated and proactive approach stand the best chance to lock down their data and systems far into the future.