The recent incident involving a Boston-area hospital incurring a six-figure HIPAA penalty, after staff used a web-based file-sharing site to host patient data, serves as yet another data point supporting the trend best summed up as “the cloud isn’t going anywhere; it needs to be secured.”
The fundamental question technology leaders are asking has changed from “Are we going to consider using cloud applications?” to “How do we deal with the reality of cloud applications – both sanctioned and unsanctioned?”
Massive Growth in Cloud Continues
Cloud-based collaboration continues to accelerate across all industries. In fact, in looking into the behavior of over 6 million users, CloudLock has seen a 4x increase in external collaboration via public cloud applications over the last year.
In this particular instance, it was unclear whether the collaboration platform was provisioned through the organization’s IT department or self-provisioned by hospital staff – a growing trend in the workplace: over 2.5 million third-party cloud applications (cloud apps that “hook into” core, sanctioned cloud applications) have been self-enabled by employees in the past year alone.
Additionally, CloudLock has seen a 400% increase in the number of unique third-party applications enabled per organization, from 130 to 475. These applications act on behalf of the user and often have extensive permission sets, capable of viewing, editing, deleting, and – in some cases – externalizing corporate data.
It’s Not All Bad
There’s no question that adopting cloud applications affords organizations a wide range of benefits: dramatic reductions in total cost of ownership, increased flexibility and scalability, the transition from capital expenditure to operational expenditure, and a substantial boost to employee capabilities.
But as users and businesses adopt SaaS applications, and data assets – like patient information – move from traditional, on-premises data repositories to the cloud, information security concerns follow.
Cloud Security and Compliance Implications
The bottom line? The cloud isn’t going anywhere, and the responsibility of corporate IT and security leaders has transitioned from if to how – how to enable an agile and empowered business through the cloud.
While cloud application providers offer a range of native security capabilities, the variability from application to application does not allow for the consistent level of data protection sought by auditors and security professionals.
Additionally, organizations require protection from both malicious insiders and external attackers in a growing landscape of cyberthreats.
Bridging the gap between legacy data governance tools and the necessary level of visibility and control in the cloud is challenging, as traditional solutions are limited to traffic that traverses the corporate network and therefore miss the increasing volume of cloud-to-cloud traffic.
HIPAA and HITECH Compliance for Cloud Applications – Free Guide
For professionals concerned with HIPAA and HITECH, we’ve got you covered with our comprehensive guide to HIPAA and HITECH Compliance for Cloud Applications.
In the guide, we cover HIPAA and HITECH basics, as well as relevant stakeholders, the drivers to comply (including a breakdown of penalties), a technical review of cloud-relevant components of the mandates, and a path to compliance.