The average health care organization uses 928 cloud services, and just 7 percent of cloud services meet enterprise security and compliance requirements, according to a report from Skyhigh Networks, a cloud security vendor.
The findings are based on usage data for more than 1.6 million employees at health care providers and payers.
Just 15.4 percent of these cloud services support multi-factor authentication; 2.8 percent have ISO 27001 certification, and 9.4 percent encrypt data stored at rest.
The average health care employee uses 26 distinct cloud services, including eight collaboration services, four file-sharing services, four social media services, and four content sharing services.
The report found that 89.2 percent of health care organizations have exposure to compromised credentials.
While this number is lower than the overall average of 91.7 percent across all industries, 14.4 percent of health care employees have at least one compromised credential, compared with just 11.2 percent across all industries.
"Health care organizations store vast amounts of sensitive data, and these medical records are very valuable on the black market," Rajiv Gupta, CEO of Skyhigh Networks, told eWEEK. "In fact, stolen medical data is more valuable than credit card data on the black market. This makes health care companies prime targets for criminal attackers, and the stakes will only increase as more medical records move to the cloud."
In order to streamline their use of cloud services and applications, Gupta said the first step is to take stock of the cloud services currently in use and evaluate the risk of current user behavior.
"Then, security teams need to set policies – such as enforcing multi-factor authentication and recommending sanctioned services – to help employees use cloud services while minimizing risk to sensitive data," he explained. "This process includes coaching employees on which services are high-risk and alleviating collaboration silos by consolidating redundant services. How can employees collaborate efficiently when they use an average of 188 different collaboration cloud services?"
Gupta said one fundamental evolution in data security for health care organizations is a shift from network security to data security.
"These findings illustrate that even the most ostensibly locked down organizations have hundreds of cloud applications in use, many of which IT has attempted and failed to block," he said. "The focus needs to be on the movement of data to and from the cloud rather than maintaining an impermeable security perimeter, which is an impossible task in today’s workspace. If attackers have valid administrator credentials, encrypting data will not be your saving grace."
Gupta explained security teams need to catch these exfiltration attempts in progress and close the barn door faster.
"Furthermore, companies should not fear the cloud," he said. "Enterprise-ready cloud services have more security resources and have more at stake in the event of a breach than any single healthcare organization."