Cloud Services Put Patient Information at Risk

Updated on September 17, 2017

Cloud ServicesBy Shaun Murphy

The cloud is the new normal for enterprise apps, with 70% of all organizations having at least one app in the cloud today according to IDG’s Enterprise Cloud Computing Survey, 2016. Telehealth, big data management in research and patient management systems at doctors offices are all driving explosive adoption of cloud services in the healthcare industry in particular. The market research group, MarketsandMarkets, said the health care industry spent $3.73 billion on cloud services in 2015 and predicts that number to grow to almost $9.5 billion by 2020.

It is not surprising that more businesses are now using cloud services. In general, daily business functions such as storing emails and documents and sharing files between collaborators is easier. Files merely need to be dragged and dropped to a shared folder.

Paying to store backups in the cloud can also be more affordable than investing in physical servers. Overall, cloud services can improve daily workflow and productivity.

They can also make patient care more efficient. Telemedicine applications can be used in a variety of care environments so that patients receive the monitoring and care provider feedback they need without having to visit an office.

The question that remains is at what cost. Electronic patient records are highly valuable to hackers looking to profit from stolen identities. Storing these files in the cloud or even transmitting them can increase the risk for a cyber attack.

Healthcare organizations that deploy cloud services are at the mercy of the service providers security. While cloud storage services use many layers of encryption to protect user¹s information, that data is relatively exposed when it is being transferred to and from the service. Additionally, there is the risk of inside threats or employee errors that can lead to hackers having access to user’s log-in information.

For example, Dropbox reported a potential breach in 2016 that was believed to have occurred in 2012. Dropbox reported that 68 million accounts might have been affected by the breach, but the company was not able to confirm what, if any, files might have been accessed by the attackers. Users whose accounts were involved in the breach were notified and advised to update their passwords.

Changing a password will prevent hackers from accessing a breached account in the future; however, it cannot undo damage that might have already been caused if files were downloaded when the breach initially occurred. Healthcare organizations do not need to avoid using cloud services because the benefits of enhanced patient care and more efficient business functions outweigh the risks of a security breach. However, IT departments and key decision makers should be aware of and work to mitigate the risks of using this technology.

For starters consider this, if the cloud log-in process is simple for you, the user, it will also be easy for a hacker to replicate the steps. If all you need is a user name and password to access your content that is all a hacker will need too. If the cloud provider sends you an authentication email or asks you to enter a security code after you type in your password that is better. But, employees at the cloud provider or hackers who have breached the provider’s system can bypass these secondary authentication measures. A cloud account that requires you to keep a local encryption key in addition to the above authentication items is ideal, but outside of a few messaging-type apps there are not many cloud services that offer this next generation of protection.

Even if a local encryption key is not an option, understanding what level of encryption your cloud provider does offer is essential. There are a few common types that services use including in-transit, at-rest and end-to-end. In-transit encryption means that when you move a file to the cloud between your device and the service provider’s servers your document is protected from intercept. But, once your file is on the service provider’s network anyone who has access to the network can look at the contents. Using a cloud service that only offers this level of encryption leaves your data at the mercy of the service provider’s employees. You have to trust that they do not and will not in the future attempt to read your files or use them for personal gain. Also consider that hackers who break into the network would be able to freely read anything you have saved to the cloud.

At-rest encryption means that when the cloud provider saves your data to their storage devices it is encrypted such that if someone were to steal that storage device they would not be able to access your content. The company itself, and anyone that hacks into the company, can still access this data however.

Finally, end-to-end encryption means that the content you share is protected from the device you send it from to the recipients’ devices with no way for the cloud service company or any outside threat to view it. Ideally you want your cloud provider to implement all three types of encryption but, again, only some messaging apps do this. The most popular cloud storage providers typically only offer in-transit and maybe at-rest encryption.

Obviously when you are making your data publically available to third-parties by storing and sharing it in the cloud encryption is important. The biggest threat risk for organizations however is known as “Shadow IT”. This term refers to situations where employees in health care organizations use whatever application or cloud service they want without any company oversight. Allowing employees to download personal software on devices also used for business creates a situation where the health care organization no longer has the ability to intervene or control its own data. Unauthorized services can violate regulatory compliance and leave sensitive data vulnerable to hackers.

Overall, as the use of cloud computing services continues to increase it will create more opportunities for cyber security problems. Health care providers that are not ready or able to manage these risks can consider using a hybrid cloud solution. Hybrid cloud solutions provide a way for internal teams to rapidly work on local content. If and when you’re ready to adopt the cloud, it will seamlessly integrate with your local environment. Current cloud providers take an all-or-nothing approach, you either upload your data into the cloud or you don’t access it. We’re starting to see success in hybrid cloud approaches, for organizations that need to store and access massive amounts of data but don’t want to upload everything to the cloud. Whether a hybrid or traditional cloud service is right for a health care organization, the most important step in keeping data safe is to thoroughly research and understand the terms of services and privacy policy of a service before uploading any documents.

Shaun Murphy is CEO of

Throughout the year, our writers feature fresh, in-depth, and relevant information for our audience of 40,000+ healthcare leaders and professionals. As a healthcare business publication, we cover and cherish our relationship with the entire health care industry including administrators, nurses, physicians, physical therapists, pharmacists, and more. We cover a broad spectrum from hospitals to medical offices to outpatient services to eye surgery centers to university settings. We focus on rehabilitation, nursing homes, home care, hospice as well as men’s health, women’s heath, and pediatrics.