We can add yet another sensitive data breach to our lessons learned catalog. This one, involving a large volume of sensitive medical records exposed to the world, goes in the fat folder related to misconfigured storage services. A U.S.-based digital records management company stored this information in a large PDF file, which was then stored in an Amazon Web Services (AWS) Cloud S3 storage bucket. Anyone who had the unique URL associated with the S3 bucket could bypass Amazon encryption to access this privileged information.
Of course, this isn’t the first time an S3 bucket has exposed medical data to the public. Back in October 2017, the unsecured S3 bucket of an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) housed 47.5 GB of medical information, mostly stored as PDFs. The medical data in these files included the blood test results, physicians’ names, case management notes, and personal information of 150,000 patients, including their names, addresses, and telephone numbers.
While cloud storage services like S3 have very good security foundations, properly configuring them is 100 percent up to the customer. In many cases, the customer is not an AWS expert or even a security practitioner, which creates a challenge. Due to increased business demands, application developers or IT managers are held responsible for these configurations. Although moving workloads to a cloud infrastructure and optimizing a business process is a huge productivity gain for anyone in an organization, it also potentially creates a security risk, so you need to rethink your scope of security monitoring.
When I consult with organizations around their security approach, I often hear that they’re just conducting “research” or “experimentation” in AWS, Azure (Office 365), or Google Cloud. They’re storing non-production data. Anything worthwhile is kept in a separate AWS account or in a corporate data center. Unfortunately, that mindset is what gets most organizations into trouble. The cloud infrastructure is dynamic. New data (often sensitive business or customer data) is introduced every day by well-intentioned and innovative employees. It’s that non-production data that is most likely to be at the center of a security incident.
If your organization is leveraging cloud infrastructure (sanctioned or not), you need to put a foundational level of security and governance in place to ensure the baseline set of best practices is applied in every AWS account or Azure subscription. Although cloud infrastructure providers have created secure platforms, using these platforms securely is a very complex challenge that you must take seriously.
When it comes to healthcare organizations specifically, failure to implement proper controls and configurations for cloud-stored data can lead to fines, HIPAA violations, and even possible lawsuits from patients. These organizations are held responsible for safeguarding the confidentiality and integrity of protected health information (PHI). The Office for Civil Rights (OCR) and state attorneys general are cracking down.
Getting input from a trusted security provider can help ensure you’re approaching the configuration process properly. They can help you detect any configuration gaps or anomalies. Also, make sure to invest in some cloud-first security solutions to provide 24×7 protection against mistakes that could put your business in a bad position.
For deeper insight into how you can configure your cloud environments to minimize the risk of a data breach, view our on-demand webinar, “Flying Blind: 2017 Cloud Configurations Gone Wrong.” You can also check out our white paper, “Preparing For Cyber Risks To Healthcare Operations,” to learn about best practices for maintaining healthcare operations, patient care, and business continuity in the event of an attack.