
Are Phishers Angling Your Cloud Providers?


Many healthcare organizations—including hospitals—have completely outsourced much of their IT operations to the cloud. You may even have a cloud-based Patient Management System, Electronic Health Record provider, cloud hosting, and many other services.

What I want you to think about today: how safe is your cloud infrastructure?

Cloud vendors are becoming prime targets for criminal hackers. They have pots of information gold at their fingertips and many hackers know it.

One recent example: a Connecticut-based vendor got phished. One team member clicked on an "invoice report" attachment in an email, which installed malware that shut down nearly all of the vendor's cloud environment (an environment that hosted a variety of provider offices and a few small hospitals!).

What did those organizations trusting that cloud vendor end up with?

A data breach—it is still uncertain whether files were explicitly accessed, but as we know with ransomware, it can be hard to prove that your PHI was not affected by an event or incident.

Locked files—many clients found their files locked and encrypted by the ransomware. Some of these were backups, but many were working copies of their data that were simply hosted in the cloud instead of onsite. I am sure you can imagine the hurdles that losing access to critical data can cause for your facility.

In a note to their clients, the company said that an incident had occurred and that the cloud provider was working to remediate the situation. They did NOT mention specifics as to who was impacted, what specifically was accessed, how the data was being recovered, or a timeframe for when clients could expect their data back online. It is not even certain that they knew whether all of the data was recoverable.

Organizations that use cloud-based platforms need to be extra careful to verify that the vendor's facilities meet security standards you are satisfied with (if you have any doubts, it is best to double check). Here are a few things you should consider doing as soon as possible if you rely on cloud vendors for any part of your organizational operations:

Business Associate Agreement—Before signing on the dotted line, make sure you have a business associate agreement (BAA) in place with this organization to ensure they are following your security standards. Be forewarned that simply having a BAA with a vendor will not completely protect you from fines or judgements later on. If the cloud vendor does not offer a BAA upfront, that is a sure warning sign that it does NOT regularly service healthcare organizations and might not be the best fit for you.

Are They Following A Security Standard—Even with a BAA in place, an organization might not use any security framework to run its operations. Ask to see their security framework (most good cloud providers use NIST 800 as a standard, which is what HIPAA and TEFCA are based on). Ask to see their policies and procedures related to HIPAA or cybersecurity, to make sure they at least have guidelines for their staff to follow.

Can You Assess Their Network Before Signing Up—If they tell you they run a secure facility, they should put their money where their mouth is. Most cloud vendors will at minimum provide you with a recent audit of their network as evidence that they are doing their due diligence to keep clients like you safe. If they do not have an audit, ask if you can have a third party perform a security assessment (make sure the third party signs the appropriate legal documents, such as a non-disclosure agreement).

Ransomware and phishing attacks are still on the rise in 2019. They are targeting healthcare and those working with healthcare. Wherever your data lies, including with cloud vendors, be forewarned that criminals have their eyes peeled and are on the hunt for anyone storing it.

Cybercriminals are increasingly targeting cloud providers because compromised accounts on these systems can be leveraged to conduct extremely targeted campaigns against your facility as well. Nearly 36 percent of phishing attacks today originate from spoofed emails impersonating some sort of cloud vendor. We just want to make sure you, your team, and your organization's data are secure. If you have any doubts, consider a ransomware vulnerability assessment.