Was Hospital 'Cloud Breach' Really a Cloud Security Issue?

Aug 2013


The following is a guest post from Kevin Gibson, Marketing Specialist at TheDataVault:

More and more we hear about healthcare-related security breaches, and the latest sign that it's become a "thing" is this headline from mHealthNews.com: 'Latest hospital data breach involves cloud services.' Uh-oh. Cloud security has been called out.

This will make ardent supporters of cloud-based backup and recovery solutions cringe without even reading the story. It will make those who scoff at cloud security as they pack up their data tape case for transport beam with vindication. But a closer look reveals something critically important: This wasn't a cloud security issue so much as it was an employee ignorance and poor administration issue.

The story correctly points out that the usual culprits in a healthcare data breach are lost or stolen smartphones, laptops, tablets or thumb drives. Clearly, that's not the fault of the media involved – it's the fault of a careless employee (or a vengeful one).

For example, if a company employee (let's call him "Dave") in, say, Chicago transports some files home to work on over the weekend on his prized Chicago Cubs logo flash drive, and that drive ends up falling down into the bleachers at Wrigley Field during the seventh inning stretch, no one's going to reprimand the flash drive. Or at least they shouldn't. Dave was careless and needs to be held accountable.

Now consider the details of this particular "cloud security breach": Oregon Health & Science University officials recently notified 3,000-plus patients that their private health records had been compromised after residents and physicians-in-training at the hospital used Google cloud services to share data.

Furthermore: "Officials said the university doesn't have a contractual agreement to use the cloud-based ISP."

Let's get this straight: Hospital employees took it upon themselves to share patient records on (we can only presume) Google Drive – and did so more than once, and in two different hospital departments, according to the story. Plus, it's the hospital's fourth HIPAA violation since 2009, and somehow it's a "cloud security" problem?

Cue "fail" trombone sound effect: Wah-wah-waaaaaaah.

This problem is about poor administration, not cloud security. If administration at OHSU were fearful of cloud usage, they should have had policies in place specifically stating cloud services were not to be employed for storing or sharing HIPAA-regulated information, and also should have made sure all employees were aware of those policies.

Furthermore, if cloud-based backup services were to be utilized at such a healthcare facility, administrators could have done minimal research and learned that, ta-da, a service such as Asigra is fully FIPS 140-2 Certified and secure. We're talking more than 20 years of backup and recovery with zero data breaches or compromised systems.

All data protected by Asigra is encrypted and password-protected, and in addition to HIPAA compliance Asigra is compliant with regulations like Sarbanes-Oxley, Gramm-Leach-Bliley and more. Your IT professionals will have the tools to securely manage your data at all times and identify risks.

In short, Google Drive is fine for your family photos and iTunes library, but if HIPAA is involved - no, more importantly, if any critical and private information is involved - it's irresponsible and reckless to not seek out a solution like Asigra.

Cloud security isn't the problem in this case. The problem is cloudy policy and administration.
