Experts urge caution when putting health data in the cloud

Health care has become a favorite target for criminals

Healthcare has become a favorite target for criminals, and some medical organizations are reacting by looking at outside providers to keep their data secure. But jumping to the cloud without first taking some precautions can be a mistake, experts say.

Last month, Salesforce introduced its Salesforce Health Cloud service, a cloud-based patient relationship management solution that integrates data from health records, wearables, and other sources and allows healthcare providers to access this information anytime, anywhere.

The health care system requires that many different organizations have some degree of access to patient data, meaning that the security of the entire system depends on its weakest link. Moving to a provider like Salesforce will, in most cases, provide a higher level of security than organizations can typically manage on their own.

"Salesforce can invest much more in security than any one hospital can," said Rajiv Gupta, CEO at cloud security vendor Skyhigh Networks. "They are patching their systems constantly."

Many security professionals are uncomfortable when data is out of their control, he said, but the mind shift is already happening.

"I think the Salesforce Health Cloud was inevitable," he said. "And the timing is perfect."

One immediate benefit is that it can help move healthcare industry employees off of insecure cloud services, he said.

"An average healthcare employee uses 26 cloud services," he said -- and 5.6 percent of them are classified as "high risk" by Skyhigh.

"Most employees are not aware that some services are high-risk, and doctors like to collaborate," he said. "They find IT restrictions to be too constraining."

Healthcare organizations need to get to a place where they can allow doctors to use the best technology, while still meeting security, governance and compliance requirements, he said.

"Salesforce is one of the most enterprise-ready, lowest-risk cloud service providers out there," he said.

The platform is already being used by a number of large healthcare organizations.

Nashville-based MissionPoint Health Partners, which serves a quarter million patients in six states, manages its entire provider network through Salesforce.

Michigan Health Information Network uses Salesforce to address the problem of $6.3 billion worth of medications dispensed in Michigan each year that have unintended consequences, hurting patients and wasting money.

Other Salesforce customers include Colorado-based healthcare system Centura Health, California-based medical device manufacturer DJO Global, Netherlands' Radboud University Medical Center and the University of California, San Francisco, a center of health sciences research.


"All our platform customers run off of one code base," said Josh Newman, Chief Medical Officer at San Francisco-based Salesforce. "Each customer benefits from the requirements of the rest. That means that a small company has access to the same security and compliance features as the largest enterprise organizations."

He added that Salesforce complies with its obligations under HIPAA's "business associate" classification. In addition, it offers customers a number of security and compliance tools, including event monitoring, audit trails, and encryption.

"These features make it easier for customers to achieve HIPAA-compliant use of the Salesforce Platform and Salesforce Health Cloud," he said.

But even with the most secure cloud service, there are still potential vulnerabilities. For example, if a doctor is accessing cloud-based records on their laptop or tablet using automatic logins -- or leaves the device in a public area already logged into the system -- then the records become vulnerable.

Ebba Blitz, president of US operations at security vendor Alertsec, said that she uses Salesforce. If she ticks the box that says "remember my password," all she has to do is open her laptop and she is up and running.

"This means that if I lose my laptop, and someone gets my login, they have full access to my Salesforce cloud," she said.

She suggests that healthcare organizations also look at two-factor authentication to lock devices and restrict access to sensitive data.

Mobile devices in particular offer a number of quick authentication methods -- everything from fingerprint scans to voice activation to swipe gestures -- that easily become automatic for users and don't get in the way of using the device.

Organizations also need to watch out for local caching of patient information. This may be useful if, say, a medical professional needs to review records on a long plane trip. But it also means that the data is locally available on the device if the device is lost or stolen.

"That's why it's so important to have encryption," said Blitz.

Salesforce's Newman said that there are a number of best practices that Salesforce recommends to its customers.

In addition to two-factor authentication, for example, customers are advised to limit logins to particular IP addresses and to use SMS identity confirmation when users log in from unknown devices or IP addresses.

Customers should also strengthen password policies, mandate that all sessions be encrypted, and decrease session timeout thresholds.
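The controls listed in the last three paragraphs (IP login restrictions, step-up identity confirmation for unrecognised devices, an encrypted-session requirement, a shorter idle timeout and a stronger password rule) map onto a few policy checks. The following Python is an added example written for this article, not Salesforce's code and not a description of its settings; the address ranges, the 15-minute timeout, the password rule and the function names are constructed assumptions.

```python
"""Login and session policy checks modelled on the recommended controls.

Added example: the thresholds, network ranges and function names below are
constructed for illustration and are not Salesforce's.
"""
from ipaddress import ip_address, ip_network

# Constructed policy values (hypothetical corporate address ranges).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
SESSION_TIMEOUT_SECONDS = 15 * 60   # decreased idle threshold
MIN_PASSWORD_LENGTH = 12


def login_decision(source_ip: str, known_device: bool, identity_confirmed: bool) -> str:
    """Decide what to do with a login that already passed password + second factor.

    Returns "deny"    - source address is outside the allowed ranges,
            "step_up" - allowed address but unrecognised device, so an SMS
                        identity confirmation is still required,
            "allow"   - allowed address and a known (or freshly confirmed) device.
    """
    addr = ip_address(source_ip)
    if not any(addr in net for net in TRUSTED_NETWORKS):
        return "deny"
    if not known_device and not identity_confirmed:
        return "step_up"
    return "allow"


def session_is_valid(idle_seconds: float, encrypted: bool) -> bool:
    """A session stays usable only over an encrypted channel and only while
    its idle time is within the timeout threshold."""
    if not encrypted:
        return False
    return idle_seconds <= SESSION_TIMEOUT_SECONDS


def password_policy_ok(password: str) -> bool:
    """Strengthened policy: minimum length plus upper, lower and digit classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return has_upper and has_lower and has_digit


if __name__ == "__main__":
    # Constructed sample inputs.
    print(login_decision("203.0.113.10", known_device=False, identity_confirmed=False))  # step_up
    print(session_is_valid(20 * 60, encrypted=True))   # False
    print(password_policy_ok("CorrectHorseBattery9"))  # True
```

The "deny" branch is evaluated before the device check so that an unknown address never gets as far as an SMS prompt; the plaintext-session check is deliberately unconditional, since an idle timeout does nothing for a session whose traffic can be read in transit.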

Stories by Maria Korolov