In the Ermetic study, security officers were asked about the major risks posed to the cloud. The top three were security misconfiguration, lack of insight into access settings and access management, and permission errors. Access appears to be as much of a risk in the cloud as it is in traditional environments.
“Anyone who works in security understands excessive access is the biggest risk to data today,” Ariel said. “They can’t steal what they can’t access. Practices need to make sure the crown jewels are sealed off.”
Understanding who has access to different systems can be a challenge in the cloud. It is not easy to create least privilege access for staff (that is, ensuring people can only get into systems they are required to use and only see the data they need).
Determining who has access to what systems can be done manually using tools in a cloud environment, but it is difficult to do on a large scale, Ariel said. Ermetic has a product that can analyze staff policies and audit logs to show the data access they have. It also can be used to reduce excessive permissions.
Cloud environments are complicated, and Ariel said clients are consistently surprised when the product shows all of the places where staff have excessive access to data. Staff need only the minimum amount of access to get their jobs done. Partly this keeps employees out of records they should not be seeing. More importantly, it limits the information an attacker can reach if they infiltrate a system through an employee’s credentials.
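The comparison described above, granted permissions against access actually exercised in the audit log, can be sketched as a small script. This is an added illustration, not Ermetic's product or any vendor's code; the policy format, action names, users and log entries are all constructed for the example.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed catalogue of actions a practice's data store could expose.
ALL_ACTIONS = ["records:Read", "records:Write", "records:Delete",
               "billing:Read", "billing:Write"]

# Constructed policies: action patterns each staff member is granted.
GRANTED = {
    "alice": {"records:Read", "records:Write", "billing:*"},
    "bob":   {"records:*", "billing:Read"},
}

# Constructed audit log. Denied attempts are kept in the log but do not
# count as "used" access when computing the least-privilege policy.
AUDIT_LOG = [
    {"user": "alice", "action": "records:Read",   "outcome": "success"},
    {"user": "alice", "action": "billing:Read",   "outcome": "success"},
    {"user": "bob",   "action": "billing:Read",   "outcome": "success"},
    {"user": "bob",   "action": "records:Delete", "outcome": "denied"},
]

def expand(patterns):
    """Resolve wildcard patterns such as 'billing:*' to concrete actions."""
    return {a for a in ALL_ACTIONS if any(fnmatchcase(a, p) for p in patterns)}

def used_actions(log):
    """Map each user to the set of actions they successfully performed."""
    used = defaultdict(set)
    for event in log:
        if event.get("outcome", "success") == "success":
            used[event["user"]].add(event["action"])
    return used

def excessive_permissions(granted, log):
    """Per user: granted actions that the audit log never shows being used."""
    used = used_actions(log)
    return {user: sorted(expand(pats) - used[user]) for user, pats in granted.items()}

def least_privilege_policy(granted, log):
    """Per user: the tightened grant, keeping only actions both granted and used."""
    used = used_actions(log)
    return {user: sorted(expand(pats) & used[user]) for user, pats in granted.items()}

if __name__ == "__main__":
    for user, extra in excessive_permissions(GRANTED, AUDIT_LOG).items():
        print(f"{user}: unused permissions {extra}")
```

On real systems the same idea applies, but the audit window must be long enough to cover infrequent legitimate tasks (quarterly reporting, break-glass access) before permissions are removed.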
Putting information in the cloud can be a good move for a physician’s practice if done well. But it is important to choose a good partner with which to share the responsibility. Understanding whether someone is a true expert is the challenge. Ariel recommends asking vendors whether they support the levels of encryption needed for healthcare and if they log and audit data access and take measures to make sure the audit logs are not compromised.
Practices also should consider whether the cloud provider runs a certification program for the vendors that build on it, as some of the major providers, like Azure, do. It is also important to ask for references for any vendor that will be working with PHI.
This article originally appeared on Renal and Urology News