Much of the healthcare industry now uses cloud storage services to store files of electronic protected health information (ePHI) and to host web applications. But the cloud does not guarantee that there will be no data breach, and it does not guarantee HIPAA compliance even when a Business Associate Agreement is in place. When cloud storage services are misconfigured, sensitive data may leak and be exposed without the customer being aware of it.
HIPAA-covered entities must first obtain a signed business associate agreement from the cloud storage service provider. This is an essential element of HIPAA compliance that must be met before any ePHI is uploaded to the cloud. But this alone is not a 100% guarantee that ePHI won't be exposed. It is the covered entity's responsibility to make sure that internal processes and programs are in place and align with HIPAA and the HITECH Act. Account configuration must be correct to secure all ePHI; if it is not, data exposure could easily occur, which would violate HIPAA rules.
Many organizations using cloud storage believe that it is secure, but in reality they are leaving data exposed. According to a report by RedLock, a cloud threat defense firm, more than half of businesses using cloud storage services made configuration mistakes that exposed sensitive data. The report also noted that many organizations fail to follow established security practices such as multi-factor authentication for account users. Furthermore, many businesses do not monitor their cloud services, so data exposure happens without being detected.
RedLock's Q2 analysis showed that 40% of businesses had at least one of their cloud storage services misconfigured. This percentage rose to 53% for the period of June to September 2017, indicating that the problem is growing worse. Here are the key findings of RedLock's report:
- 53% of businesses had misconfigured at least one cloud storage service
- 37% of databases are accepting inbound connection requests from suspicious IP addresses
- 38% of users had exposed data because of compromised administrative user accounts
- 64% of databases are not encrypted
- 81% of businesses are not able to manage host vulnerabilities in the cloud
- 45% of Center for Internet Security (CIS) compliance checks failed
- 48% of Payment Card Industry Data Security Standard (PCI DSS) compliance checks failed
- 250 organizations were found to be leaking credentials from internet-facing web servers in their cloud environments