
Medical Cloud Software: Is Your Cloud Vendor Secure?


As a cyber security engineer and architect by day and investor in a dental practice by night, I've come to learn some interesting intersections between the cyber and medical worlds.


In my experience, one of the emerging issues plaguing the medical industry is the move into the "Cloud" and the unfair marketing gimmicks companies are willing to play to reassure medical care providers that their patient data is safe.


Even if only one medical professional reads this article, I just want to teach you how to ask the right questions and call BS to ultimately protect your practice and your business.



A Brief History of Technology in Medicine


History tends to repeat itself, and I feel we can learn a lot about where we are going if we look at where we have been. So before we get into the nitty gritty, please humor me and learn a bit about the history of technology in the medical industry. If you're a medical professional you'll know this history, but what you may not know is how cyber security risk to your business evolved alongside it.



History: Manual Processes and Paper Forms


In the early days, everything in healthcare was done manually and on paper. Doctors wrote patient notes by hand, and records were stored in large filing cabinets. Filing cabinets had to be locked and private papers needed to be securely shredded.


Security Perspective?


No one needed to worry about cyber attacks back then. However, some of the same threats and risks existed for a business, on a much smaller scale. Practices still needed to lock sensitive documents away to protect patient privacy.


Practices still needed to protect Social Security numbers and bank account numbers on payments, because losing them could damage a patient's life, and the files needed to be protected from fire and natural disaster or business continuity would suffer.



History: Digital X-rays and In Office Software


If you look hard enough, you can still find the history of wires in the walls of hospitals that tell the story of technology evolution.


X-rays were originally film-based, which meant you had to physically store them and could only view them in specific light conditions. Digital X-rays changed all that, allowing images to be viewed on a computer screen, shared electronically, and even enhanced to see details better. Medical offices began to upgrade and run wires from the X-ray room back to a computer server room, which processed and stored the files on site for local access.


As computers got smaller and data transfer over those wires got faster, other devices and software emerged to manage patient records, schedule patients, process payments and print documents.



Security Perspective?


Medical offices learned the hard way about medical device outages, denial of service and simple data corruption in patient records. If a system went offline or failed, the practice had to revert to manual processes.


No one thought criminals would break into small offices and disrupt a hospital. Notably, the risk to your business was confined to the location where the data and systems sat. To some extent the problem of data leakage, privacy breach and business disruption was isolated to the office or branch where the incident occurred and to the staff you hired and let in the door. In other words, it was under your control.




History: The "Fax Machine" and "Email"


Then came some initial steps towards digitization, kind of like when people started using fax machines. It was still based on paper, but you could send a copy of that paper over long distances. In healthcare, this was the era of early digital systems where information might be typed into a computer, but a lot of the processes were still pretty manual, and systems couldn't talk to each other.


The real game-changer came with the widespread adoption of Electronic Health Records (EHRs) and digital systems, similar to the switch from sending faxes to using emails. Suddenly, patient records could be accessed quickly and shared between departments or even different healthcare facilities with a few clicks. This not only made healthcare more efficient but also improved patient care by making vital information readily available to those who needed it.


Security Perspective?


At this point, you've already learned that your data records can be corrupted, so you need backups. You know you need to protect sensitive records, so you store them on servers in a locked closet in your office. You know that these systems can fail, and luckily manual processes are still around to fall back on when something breaks.


However, now your business data and business services are "sourced" to trusted partners who deliver technology services. Fax machines need the telephone company to carry the call, and email needs your internet provider and the many parties in between to relay your mail, much like a chain of post offices.


Then you learn that faxes are not encrypted and can be intercepted and read by anyone tapping the telephone line, and that email is not encrypted end to end, so anyone "in the middle" relaying your emailed documents can read them (even where one hop is protected by TLS, each mail server along the way still handles the message in the clear). Not to mention that if one of these trusted services goes down, you cannot send or receive business communications.




Medical in The Cloud: The Risks To Your Business


It's standard in our industry to teach the CIA Triad: Confidentiality, Integrity and Availability. Although it's old hat, sometimes the classics sound as good as or even better than the latest hits. The nice thing about this approach is that anyone can use it, and it applies to old technology and new technology alike.


Assessing true risk is a bit more complicated, because it is a product of business impact and the probability of a thing occurring. But for a novice running a small medical practice, I'm going to keep it simple: think about these three categories and then ask some simple questions based on them.




Confidentiality Risks to Patient Data


Learning from history: as medical companies began to depend more on internet companies, email services and telephone services, there were "more people" and "more stuff" in the middle that could ultimately lead to your medical data being breached.


The same is true in the "Cloud" or in "Software as a Service". Instead of running the computer in a locked room in your office like you did in the past, you move those computers to a big warehouse run by the likes of Amazon and Google, and then smaller companies build and install medical software on the computers in that big warehouse.


From your perspective, you just see the slick application user interface and nothing of the dirty plumbing behind it.


So when it comes to confidentiality, you have metaphorically moved your data from "your house" to your neighbor's "house", and they subcontract out help to maintain their house. Only this time, everyone is moving all their records to the same neighbor's house and putting all their eggs in one basket. Then it gets connected to the internet and made easily accessible to good people and bad people all over the world.



Think of the "Cloud" model like outsourcing, subcontracting and putting all the eggs in one basket, where you as a practice owner give up control of your own house, your own doors, your own locks and your own staff in exchange for better, faster software. Even if you don't understand what the cloud is, hopefully you understand this often introduces new "scenarios" or "threats" that could result in loss of confidentiality of your data.


Ask yourself these questions. What is my business data? Where is it stored and processed? Who can access it? What would happen if the entire internet "world" could see it?

When you move into the cloud, there are modern approaches that reduce the risk that the "entire world" can see your patient data or that an employee account is taken over by a bad actor. But it's up to you to challenge the vendor and ensure they agree to take those steps.


Integrity Risks to Patient Records and Images


Integrity has to do with the accuracy of your records and images. Lucky for us, we have already learned valuable lessons from history. If someone were to write the wrong name on a paper form, the integrity of the document is compromised because we've put the wrong name on the wrong chart, which can lead to improper prescriptions and treatment.


When you move your software to the cloud, you are moving your data to a highly complex "shared" environment. Not only do all the computers sit in a shared warehouse instead of your closet, but the software provider may also store or process multiple hospitals' and medical offices' data right next to each other.


In this world, your data may get corrupted and then be restored from a backup that belongs to another hospital, not yours. Or the vendor may push out a change that modifies your records in ways similar to "the wrong name on a patient record", or worse, an IT admin's account may be taken over by an attacker on the internet who then changes your files and records.


So if you want to know the "risk" of integrity issues to your business, ask yourself: what would happen if the data on this document or image was changed? Would it put the patient or business continuity at risk?

When you move into the cloud, there are many options for improving integrity (such as tested backups and a log of every change to a record), but it's your job to ask and push the vendors to use them; otherwise they often won't.


Availability


Patient Records / Payment Processing / Insurances Claims / Email Services


There has been more focus on this risk lately as ransomware gangs seek to take over hospital systems and demand ransoms. When thinking about the risk to your business, ask yourself: what business functions do I use to run my business? If one goes down, what risk would it pose to the patient or to business continuity?

When you move to the cloud there are many benefits to continuity, the technical details of which I won't get into. But there are also many ways services can be disrupted: your internet provider can go down, your local Wi-Fi can go down, the web app can be attacked, the "plumbing" in the cloud can be attacked and corrupted, all resulting in downtime ...


There are too many scenarios to list, but as a novice you can ask the vendor about single points of failure in their technology. Do they rely on only one payment processor? On a single insurance integrator? On one cloud hosting provider? Do they keep cloud data backups in two locations at different hosting providers? The key is asking questions about "redundancy": if this important thing goes down, do you have an option to flip over to another thing and keep the business running?



Calling a Medical Cloud Vendor's BS



There are many emerging cloud medical providers in the market, from patient management software, to reputation management software, to emerging AI software that helps chart, take notes and even diagnose.


All of these live in the cloud. Each one of them will tell you they are secure and compliant. Most of them will regurgitate a certification or audit report saying they passed. I'm going to let you in on a little secret in our cyber security industry: most of these companies can pay for a "certification" and pay for a "good grade" without ever truly earning one. Just because someone is compliant does not mean they are engineered securely; an audit attests that the listed controls existed at a point in time, not that they hold up against an attacker.


What Different Vendors are Out There?


A lot, and it's getting more complex. So let's first get the lay of the land as far as emerging companies go. What are some technology domains and vendors you can expect to encounter over the next few years while growing your medical practice?


Why is this important? Because when crafting your questions to a vendor you first want to ask yourself "What function does this software or technology provide?" Then you can shape your cyber security questions in a way that helps you understand the risk to your medical practice.


Shape those questions around the CIA triad. What would happen if my diagnosis data was open to the internet? What would happen if the diagnosis software's data was corrupted or wrong? What would happen if it was unavailable for a week?

Understanding the function of the software will help you see how it can be abused and what it means when that data is lost, breached or unavailable. Only then can we dig into the vendor itself to understand the likelihood that a bad thing will happen.


General Business


Across business in general, these are examples of current players that introduce new risk into your day-to-day operations.


  • Google Workspaces (Email, Chat, Spreadsheets)

  • Office 365 (Email, Chat, Spreadsheets)

  • ADP (Accounting, Payroll)

  • Quickbooks (Accounting, Payroll)

  • Internet Service Providers

  • Telephone Providers

  • etc. etc.


Dental / Medical


In our dental industry, these are the current and emerging players that will introduce new risks to your practice and your patients.




Questions for Cloud Vendors and Yellow Flags






Where are your employees located and staffed? Do you subcontract?

If you need 24x7 support in the event of an outage, this tells you whether they can provide "follow the sun" support when a service is disrupted at night.


Some countries are also at higher risk of war and cyber criminal activity, or offer less secure internet services, which increases the chance those subcontractors could be breached.


Cloud vendors may be reluctant to share this, but it's important to press, because you may not want all your medical data accessed from a country that is at war, or from a country about to be taken over by a dictatorial regime, or from a location where cyber criminals are known to bribe IT staff for medical records.


How do you ensure availability and disaster recovery?

You'll want to look for whether the vendor "doubles up". For example, do they use both Amazon's and Google's clouds, so that if one goes down they can keep running independently of the outage?



Most vendors will have "some" redundancy within a single cloud hosting provider, but will typically be all in with that one provider rather than spreading the risk across several.


You'll want to know if they run multiple "sites" in redundant regions or countries. For example, do they run a "hot" site in the east and a "hot" site in the west? Look for whether those sites are actually active and serving requests ("hot") or sitting on "standby" and not fully operating. This should tell you whether they can absorb an outage in one region.


If they don't run "hot/hot" and can't demonstrate that they test failover, it's likely you will suffer downtime when one location goes down.

Look for single points of failure. For example, in the Change Healthcare attack, patient management software that relied on a single insurance claim processor lost the ability to process claims. That is a single point of failure in the technology. So if the software integrates with third parties, ask whether it can support multiple third parties or has a backup plan if the third party goes down.


Single points of failure are common in software design and business operations. In our medical practice, the software was fully reliant on a single processor and had no means to fail over to another.



Do you use multi-factor authentication (MFA) for all human access?

You want to look for whether the company uses strong authentication such as a hardware token, ideally a YubiKey or similar FIDO2/WebAuthn security key, which a phishing page cannot relay, or a classic RSA token. At minimum they should be using a one-time passcode (OTP) or push approval from a trusted provider like Okta or Microsoft, bearing in mind that OTP and push codes can still be phished or "prompt-bombed" out of a tired user. You want to know that they use MFA to access their cloud, MFA to access their email, and MFA to log in to their computers and servers. Companies will say they use MFA, and in some places they do, but the key is understanding how much and where, because if you only lock the front door and not the back, you know how they're going to enter your home.

Most cloud vendors do not use MFA everywhere; they keep using single-factor passwords on parts of their cloud and for server access, and ultimately those weaker passwords are what the attackers go after to get to your data. Ask about service accounts and API keys too, since "MFA for all humans" usually says nothing about them.
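The "how much and where" question is easiest to answer with a coverage matrix: every account, every path it can take into the vendor's environment, and the factor enforced on that path. The script below is an added example and not the page's or any vendor's tooling; the account export is a constructed sample, and the path and factor names are assumptions about how such an export might look. It rates each account by its weakest path, which is the only rating an attacker cares about.

```python
import csv
import io

# Added illustration, not the page's or any vendor's tooling. The export below is a
# constructed sample of "who can get in where, and with what factor"; a real audit
# would pull these rows from the identity provider, the cloud console, the VPN and
# the servers themselves.
SAMPLE_EXPORT = """account,role,path,factor
alice,admin,cloud-console,fido2
alice,admin,email,totp
alice,admin,ssh-prod,password
bob,support,email,totp
bob,support,vpn,password
carol,admin,cloud-console,totp
carol,admin,email,totp
deploy-bot,service,cloud-api,static-key
"""

# Hardware-backed factors bound to the site origin; a phishing page cannot relay them.
PHISHING_RESISTANT = {"fido2", "webauthn", "smartcard"}
# Anything beyond the password counts as MFA, but these can be phished or prompt-bombed.
SECOND_FACTOR = PHISHING_RESISTANT | {"totp", "push", "sms"}
SINGLE_FACTOR = {"password", "static-key"}
# Higher is stronger; used to find the weakest path into each account.
RANK = {"fido2": 3, "webauthn": 3, "smartcard": 3, "totp": 2, "push": 2, "sms": 1,
        "password": 0, "static-key": 0}


def parse_export(text: str) -> list:
    """Turn the CSV export into a list of {account, role, path, factor} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows: list) -> dict:
    """Flag the paths that undo a 'we use MFA' claim, grouped by what they mean."""
    findings = {"back_door": [], "admin_phishable": [], "service_single_factor": []}
    for r in rows:
        label = f"{r['account']} -> {r['path']} ({r['factor']})"
        if r["role"] == "service":
            # Service accounts and API keys are normally outside 'MFA for all humans'.
            if r["factor"] in SINGLE_FACTOR:
                findings["service_single_factor"].append(label)
            continue
        if r["factor"] in SINGLE_FACTOR:
            findings["back_door"].append(label)          # the unlocked back door
        elif r["role"] == "admin" and r["factor"] not in PHISHING_RESISTANT:
            findings["admin_phishable"].append(label)    # MFA, but phishable, on a privileged account
    return findings


def weakest_factor_per_account(rows: list) -> dict:
    """An account is only as strong as its weakest path in."""
    weakest = {}
    for r in rows:
        who = r["account"]
        if who not in weakest or RANK[r["factor"]] < RANK[weakest[who]]:
            weakest[who] = r["factor"]
    return weakest


def mfa_coverage(rows: list) -> float:
    """Fraction of human access paths that require a second factor at all."""
    human = [r for r in rows if r["role"] != "service"]
    return sum(r["factor"] in SECOND_FACTOR for r in human) / len(human)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(f"human paths with any MFA: {mfa_coverage(rows):.0%}")
    for kind, items in audit(rows).items():
        for item in items:
            print(f"[{kind}] {item}")
    print("weakest factor per account:", weakest_factor_per_account(rows))
```

Note what the sample shows: the headline number (5 of 7 human paths have MFA) looks respectable, yet the admin who holds a security key for the cloud console still reaches production over SSH with a password, and the deployment account that can touch every customer's data has no second factor at all. Ask the vendor for this table, not for the percentage.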

Do you encrypt my data? And more importantly, how, and who has access to my key?

Encryption has gotten better over the years and most services will "encrypt your data", but the how matters. Just as in medicine, there may be many doctors who "could" extract a molar, but "how" the doctor extracts it will ultimately create more or less pain and trauma for the patient. Not all approaches are created equal.



When you ask someone if your data is encrypted, ask how. In our world, we can encrypt data while it is moving across the wire and while it is at rest, and there are many ways to accomplish each...


You want to know if your HTTP traffic is encrypted in transit (TLS), whether your server storage, your database storage and your object storage are encrypted at rest, and whether they encrypt your data at the browser/endpoint or downstream on the server. One caveat here: disk or volume encryption at rest protects against a stolen drive, not against an attacker or administrator who is logged in to the running system, because the system decrypts the data for them. You also want to know whether you get your own key or they use the same key for everyone, who has access to that key, and where those people are located.


Do you want a subcontractor in a high-risk location holding the key that can decrypt all your sensitive data? The point is, just because you have encryption does not mean it is effective. Often SaaS solutions are compliant on paper but ineffective in practice, which creates a false sense of security.


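The "your own key or the same key for everyone" question is easiest to see in code. The following is an added example and not code from the original page or from any vendor. The two-practice record set and the small HMAC-based cipher are constructed for illustration, and the key hierarchy (a platform master key from which each practice's key is derived) is an assumption about how a vendor could be built, not a description of any product. It measures the blast radius of one leaked key under each model.

```python
import hashlib
import hmac
import os
import struct

# Added illustration, not the page's or any vendor's code. The cipher is a deliberately
# small encrypt-then-MAC construction (HMAC-SHA256 keystream in counter mode plus an
# HMAC tag) so it runs on the standard library alone; a real service would use AES-GCM
# with the keys held in a KMS/HSM. The key hierarchy is the part that matters here.

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(parent: bytes, label: str) -> bytes:
    """Derive a child key from a parent key and a label (HMAC-SHA256 as a PRF)."""
    return hmac.new(parent, label.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while len(blocks) * hashlib.sha256().digest_size < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with separate encryption and MAC sub-keys."""
    enc_key, mac_key = derive_key(key, "enc"), derive_key(key, "mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_authentic(key: bytes, blob: bytes) -> bool:
    """True only if the tag verifies under this key: a wrong key and tampering both fail."""
    mac_key = derive_key(key, "mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest())


def decrypt(key: bytes, blob: bytes) -> bytes:
    if not is_authentic(key, blob):
        raise ValueError("wrong key or tampered record")
    enc_key = derive_key(key, "enc")
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample: two practices whose charts sit side by side on one SaaS platform.
RECORDS = {
    "practice-A": b"Jane Doe, DOB 1980-01-01, SSN 000-00-0000, extraction #19",
    "practice-B": b"John Roe, DOB 1975-05-05, SSN 111-11-1111, crown #3",
}


def tenant_key(master: bytes, tenant: str) -> bytes:
    """Per-customer key derived from the platform master (assumed hierarchy)."""
    return derive_key(master, "tenant:" + tenant)


def store_shared_key(master: bytes) -> dict:
    """Model 1: one platform key encrypts every customer's data."""
    return {t: encrypt(master, rec) for t, rec in RECORDS.items()}


def store_per_tenant(master: bytes) -> dict:
    """Model 2: each customer's data is encrypted under its own key."""
    return {t: encrypt(tenant_key(master, t), rec) for t, rec in RECORDS.items()}


def blast_radius(leaked_key: bytes, store: dict) -> list:
    """Which customers' records can an attacker holding this one key read?"""
    return [t for t, blob in store.items() if is_authentic(leaked_key, blob)]


def readable_with_master(master: bytes, store: dict) -> list:
    """Whoever holds the root key (the vendor, or a subcontractor with KMS access) reads everything."""
    return [t for t, blob in store.items() if is_authentic(tenant_key(master, t), blob)]


if __name__ == "__main__":
    master = os.urandom(32)
    print("shared key leaked:    ", blast_radius(master, store_shared_key(master)))
    per_tenant = store_per_tenant(master)
    print("practice-A key leaked:", blast_radius(tenant_key(master, "practice-A"), per_tenant))
    print("master key leaked:    ", readable_with_master(master, per_tenant))
```

Under the shared-key model one leaked key opens every practice's charts; under the per-tenant model a leaked practice key opens only that practice. Notice the last line, though: the platform master still re-derives every tenant key, which is exactly why "who has access to my key, and where are they located" is the question that matters. Vendors that let you supply and hold your own key (customer-managed keys in the cloud providers' key management services) move that root out of the subcontractor's reach.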

What kind of detective controls do you have?

I'm going to oversimplify this, but you want to dig into whether they can "detect" when malware and attacks are happening and whether they can detect "misconfigurations and security bugs". These are usually not the same solution, so it does get complex...


As a novice it's hard to ask these questions, but I'll try to help. Look for whether they have "EDR" (endpoint detection and response), not just antivirus, and you want it running on their laptops and desktops and, importantly, on their servers. This means they have technology that can detect threats across the different kinds of computers they run.


Ask if they send security alerts to 24x7 security staff who monitor, respond to and contain them. Often small and medium-sized medical software companies cannot staff a security incident response team, which means attacks go undetected for months until one causes an outage.



Ask if they have any technology that detects common security bugs or errors in their code and in their cloud configuration. You want to know whether they have any tool at all, and whether there is a process for collecting that "bug" data and taking corrective action on it. Ask what kind of tool, ask what the process is, and ask how quickly they patch; 30, 60 and 90 days for critical, high and medium findings is a common baseline. If they cannot answer these questions or show proof, you're in trouble.




From the Author


To start, I am not against the cloud; in fact, both in my day-to-day job and in our medical practice we use cloud technology. In some cases it can help you greatly to provide better patient experiences and stay competitive in an ever-changing environment where a strong online presence is necessary.


From my experience, most small-to-medium medical software start-ups in the cloud simply do not have the expertise or the financial resources to pay for the advanced cyber security technology and staff needed. I've done many assessments of cloud and SaaS providers and found they lack the ability to detect when they have been breached, or have subcontracted out so much that they do not know where their highest-privileged administrators are located or whether those people are using secure computers to provide support.


It's not a question of if your cloud vendor will be breached but when, and what you did to reduce the risk to you and your patients.

At the beginning of this article I said I wanted to do one thing, and that is empower a non-technical person to ask some hard questions, just to get a general feel for the risk they are taking and putting their patients in.


Just as in the medical practice, I would always recommend you find an experienced professional who lives cyber security day to day to guide you through a HIPAA cloud assessment, but if you are a small office you may not have the funds to pay for those services. So I hope I can empower enough non-technical people to at least be aware of these questions, be aware that they need to be asked, and be aware of the risk that businesses are taking on behalf of their patients.


At our practice, we perform a HIPAA assessment on new cloud technologies and validate the audit findings, reports and certifications of cloud providers. We also give patients information about the cyber risk, cyber attacks and the risk to their data so they can make informed, risk-based decisions about whether they wish to use our medical practice and our cloud-based software.



Rick Sanders

Senior Cyber Security Engineer/Architect, Investor Floss & Fido Dentistry




Jacqueline Sanders, DDS (Owner Dentist)

