Extent of Unauthorized Cloud Service Usage by Employees Uncovered

How many cloud services is your organization using? According to a new report, if the figure is under 928 – the average number of cloud services used by healthcare providers – you may be underestimating the extent to which employees are using the cloud.

The data suggest employees are breaching security policies by using cloud services that lack the necessary security controls. If the data collected are representative of the healthcare industry as a whole, HIPAA violations are being committed on a daily, if not hourly, basis by healthcare professionals.

Benefits of HIPAA-Compliant Cloud Services


There are a number of advantages to be gained from using cloud services. Healthcare providers and other HIPAA-covered entities can cut IT equipment and maintenance costs by hosting data in the cloud. Leveraging cloud services can also improve productivity and speed up the accessing and logging of patient data. A number of healthcare providers have been able to improve patient health outcomes by making use of cloud services.

Security Risks Being Taken by Employees


Skyhigh Networks has released a new report – Cloud Adoption & Risk in Healthcare – which examines the extent to which cloud services are being used by healthcare providers, often without the knowledge of IT departments. The company compiled cloud usage data from over 1.6 million healthcare employees, including both healthcare providers and payers. Rather than rely on the responses of IT professionals, which may contain inaccuracies, the study was based on actual usage data for greater accuracy.

Cloud Security Report Findings


The study shows employees are taking considerable risks by using unauthorized and untested cloud services. In many cases healthcare providers’ data security policies are not being followed, are inadequate, or have been misunderstood. The study suggests widespread use of unauthorized cloud services is putting a considerable amount of healthcare data at risk of exposure, and the extent to which it is happening means it is only a matter of time before a data breach is suffered.

In many cases IT departments are unaware of the extent to which employees are downloading apps and taking advantage of cloud services on their devices. By analyzing actual usage data, the researchers determined the average number of cloud services used by healthcare providers was 928.

Only 7% of Cloud Services in Use Meet HIPAA Standards


The Health Insurance Portability and Accountability Act (HIPAA) demands that covered entities implement the appropriate technical controls to keep data secure, yet when it comes to cloud service adoption, many potential HIPAA violations were discovered.

The team determined that only 7% of the cloud services being used were protected to a level demanded by current healthcare legislation. Security controls were found not to be robust enough in a number of cases. Only 15.4% supported multi-factor authentication and only 9.4% of the services encrypted data at rest. Only 2.8% were found to meet ISO 27001 certification standards.

The risk that comes from a handful of employees downloading apps and uploading data may be relatively low, but when data is being uploaded to the cloud via apps by a high percentage of workers, the breach risk becomes significant. Researchers determined an average of 6.8 TB of data is being uploaded to the cloud every month by healthcare providers.

The range of cloud services being used varied considerably between healthcare employees, although Microsoft Office 365 and Gmail were two of the most commonly used collaboration services. Cloud development tools, content sharing, social media and file sharing services were also frequently used by employees. On average, 26 different cloud services were being used by each employee.

Signs of Insider Breaches Identified by 79% of Organizations


Unfortunately, even when secure cloud services are used there is always room for human error. Employee negligence is a constant threat, while insider data breaches are becoming more common. The value of the data and ease of access prove too tempting for many employees.

According to the report, a third of organizations surveyed by the company reported experiencing an insider breach within the past year. Alarmingly, the company reports 79% have witnessed behavior indicative of an insider threat in the past three months.

The cloud can be secure, but it would appear that for most healthcare providers and insurers, cloud usage by employees is anything but. Action needs to be taken to regain control of the security of mobile devices. The first step is to identify the extent of the problem, and an internal audit may be the best starting point.

The full report can be downloaded here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.