Word to the wise: Check your contract before you put your data on the cloud

Modern Healthcare - NEWS - By Joseph Conn

When it comes to buying inexpensive data-storage services, shoppers might want to reflect on an old saying from the Gipper. “It was Reagan who said, ‘Trust but verify,’ ” said Kirk Nahra, privacy practice chair at Washington, D.C.-based law firm Wiley Rein.

President Ronald Reagan might have been talking about weapons reduction agreements with the Soviet Union at the time, but, according to Nahra, the concept translates to cloud providers.

“If your goal is to get that service as cheaply as you possibly can, that’s essentially blind trust,” Nahra said, adding that to be safe, due diligence is necessary. “You should have some idea of what they’re doing.”

Government agencies in California, Kansas and Utah learned that the hard way recently when a computer hobbyist downloaded the workers’ compensation and liability insurance records of about 1.5 million individuals that were in a data-storage bucket at Amazon Web Services (AWS), a cloud-based provider of computing power and data storage.

A few years ago, the U.S. healthcare industry began embracing cloud computing for some uses, particularly deploying modified private clouds for individual organizations, or so-called “hybrid clouds,” shared by several organizations. These were the earliest cloud forms adopted by some of the major electronic health-record system vendors.

In 2013, health information technology market researcher KLAS Enterprises noted that about a third of the healthcare IT market had adopted “attributes of cloud computing,” mostly hybrid clouds.

This summer, Systema Systems, a Larkspur, Calif.-based provider of claims-management software, moved a copy of a database to the AWS bucket without barring access to unauthorized users, according to a statement by Salt Lake County. The database contained information belonging to the Utah county, which, along with its counterparts in California and Kansas, hired Systema to help handle their workers’ compensation and third-party liability claims.

“The files were completely publicly accessible by anyone in the entire world,” said Chris Vickery, an Austin, Texas, resident who says he found the unprotected data using Google and a few search commands. Vickery said it is common knowledge among computer hobbyists that some data stored in the cloud are unprotected.

Amazon has a “shared responsibility model” for data security with AWS—it’s Amazon’s job to protect its data centers and computers. But securing the applications and the data running on them is the customer’s responsibility. Under this business model, Amazon’s customers can buy additional security services such as data encryption, user authentication and access logs, but only if they choose to pay more.

“Why should Amazon care or go to the extra expense of providing security on the buckets” if the customer doesn’t care, asked Michael Mac McMillan, CEO of CynergisTek, an Austin data-security consulting firm.

Systema would not provide an official to be interviewed for this story. But it did say in e-mails from its public relations firm that the root cause of the incident was “a misconfiguration of certain permissions.”

Neither Kansas nor Utah dumped Systema over the incident, preferring instead to tighten up security through mutual agreements with the company. They say they are confident workers’ data were not exposed beyond Vickery, who signed a legal document promising he did not share the information.

Tim Keck, deputy chief counsel of the Kansas Health and Environment Department, said the agency has considered itself to be a Health Insurance Portability and Accountability Act-covered entity. As such, the department required Systema to sign a HIPAA business associate’s agreement and protect Kansas’ information according to HIPAA standards.

Keck said he believes its contract required Systema to keep audit logs on its data, which it wasn’t doing at the time of the breach. The agency in Utah also said an audit log function was not on at the time of the breach. That agency noted that, at its suggestion, Systema used Amazon’s billing logs, which document date, time and volume of data moving from its files, to confirm that Vickery’s approximately three-hour download was the only unauthorized access to the data bucket.

In the wake of the incident, Systema is now using audit logs on its data storage buckets, both Kansas and Utah report.

How else can customers protect themselves from future incidents on the cloud? The first step, McMillan said, is to contract with a “top-tier” cloud provider that provides audit services. Next, insist on an audit requirement in the contract. Finally, periodically request an audit report on who has accessed data.

“If the functionality is there, they will be able to comply. If not … well, you know the answer,” he said.
