15 July 2021

Human element poses most risk in cloud migration

Cloud Cyber Security

The migration of healthcare services to the cloud is also creating new threat vectors, with the healthcare, manufacturing and finance sectors accounting for 62% of all cyber-attacks in 2020, according to a report from global services technology company NTT.

Yet while cloud services could be made more secure, it’s the human element that could pose the greatest risk.

According to Kate Carruthers, adjunct senior lecturer in the School of Computer Science and Engineering, the move to the cloud can help healthcare providers modernise their services, but it can also expose issues and weaknesses in existing applications that they have often used for years on-premises.

“And as SaaS (Software as a service) services and third-party applications start offering health-related services, there will be vulnerabilities revealed,” added Carruthers, who is also chief data and insights officer at the University of New South Wales.

Finding the weakest link

While the cloud platforms may vary, the common factor will be applications that were not built with cloud and cloud security in mind. “Common attack vectors include phishing attacks on staff access and system administrators to lock up data via ransomware. The goal of the bad actors is typically to exfiltrate user data and then to ransom back the data. Now the bad actors are also often selling the data on the dark web even after a ransom has been paid,” Carruthers said.

The other significant line of weakness when it comes to data breaches in the healthcare sector is human error, whether it’s electronic data (email to the wrong distribution list) or paper documents going awry. The Verizon Data Breach Investigations Report found in 2020 that the healthcare industry was predominantly targeted by financially motivated groups, with ransomware the predominant method of attack. The main patterns of data breaches (85%) came from miscellaneous errors, web application attacks and system intrusion attacks.

“These are particularly common in industries in which large mass mailings are a preferred method of getting information to the customer base, such as the healthcare sector,” according to Troy Heland, security engineering lead at the Verizon Asia-Pacific Security Operations Centre.

“Surprisingly, the type of data that was most compromised was personal data, not medical, and in some ways this is to be expected given the higher level of security required to be in place for medical data,” Heland added.

Can a cloud breach open the keys to the organisation?

Experts warn that the industry should be prepared for an attack. “Whether this translates to a major cloud health data breach remains to be seen,” Heland said. He advises all healthcare organisations to heed the statistics showing that they are financial targets of malicious external actors who are using credentials to gain access to cloud-based applications. “There is room for improvement in terms of implementing better controls,” he said.

Heland points out that most of healthcare’s breaches come from miscellaneous errors, basic web application attacks and system intrusion. However, Verizon’s report found that 32% of data losses in the healthcare sector include usernames and passwords that provide access to applications. “There needs to be particular care taken by healthcare organisations when implementing cloud-based services which are most at risk of attacks,” he said.

“Credentials remain one of the most sought-after data types within data breaches, particularly in attacks that are conducted by people outside the organisation. And with credentials often re-used across multiple cloud-based accounts, the likelihood of these data breaches can impact a greater range of services,” he added.

The risk is that the log-in and identification credentials provide the keys to an organisation, allowing potentially wide-scale data compromises. Verizon’s report found that credentials top the list this year, particularly so in cases where phishing is involved.

“Phishing attacks will use seemingly legitimate-looking emails or text messages that contain links which gather username and password details to access applications. These attacks typically target a victim’s credentials to gain further access to other applications and data within their chosen victim’s organisation,” he said.

UNSW’s Carruthers expects to see significant data breaches in the health sector now that it is moving to the cloud. “Of particular risk will be the SaaS cloud vendors in the health space. I recommend that health organisations develop strong third-party risk management practices and do proper due diligence prior to signing up for cloud-based services,” she said.

Carruthers noted that protections must be treated the same as on-premises, with encryption, multi-factor authentication, VPNs, password managers, data leakage prevention and privileged access management, but the human element remains an ever-present vulnerability. “Most of the time humans are the weakest link, so protection against phishing attacks is critical,” she said.