Budget constraints hinder cloud security efforts

Despite concerns about threats from employees, only 14 percent of respondents have visibility into the activity of business users and just 21 percent have visibility into the activity of IT staff.

Jeff Rowe | Apr 27, 2018 12:00 am

The need to manage vast amounts of health data has led healthcare organizations to the cloud, and that movement is going to grow.

That’s according to a recent survey from Netwrix, an IT security provider, which found, among other things, that 84 percent of responding healthcare organizations stored Protected Health Information (PHI), Personally Identifiable Information (PII), or financial data in a cloud environment, with 69 percent planning to move more sensitive data.

At the same time, however, respondents voiced considerable concern about cloud security, with 68 percent naming unauthorized access and 61 percent naming malware infiltrations as their top concerns.

In a blog post accompanying the survey’s release, Jeff Melnick, manager of sales engineering for Netwrix, noted “another interesting finding of the Netwrix survey is that healthcare was the only industry that named data encryption as a top cloud security concern. Healthcare compliance standards often mandate data encryption, but encrypting all the data handled by a healthcare provider can double or triple its cloud bill. As a result, smaller healthcare organizations, especially those without government support, tend to resist cloud migration, or at least avoid storing PHI in the cloud.”

Interestingly, less than a third of surveyed companies reported being able to rely on adding security solutions to their toolkit for mitigating risk in the cloud, due to “lukewarm support from executives” and inadequate budgets.

Consequently, said Melnick, “for 50 percent of healthcare organizations, increasing employee training and tightening security policies are the key measures to improve cloud security.”

He said these strategies might seem like a valid response to the high security risk associated with employees, but poor visibility into user activity makes it impossible to measure success.

“Moreover,” he suggested, “relying on humans to do the right thing because of training or policy is more like wishful thinking than a sound strategy.”