UPMC security chief warns that many cloud computing vendors lack ability to appropriately secure health data
When security professionals at the University of Pittsburgh Medical Center were evaluating a cloud services vendor they managed to circumvent a particular vendor’s security. And when that cloud provider said “no you haven’t” UPMC’s IT team gave the vendor a customer’s data back.
The same thing happened on a second test and even a third.
“After the third time of not being able to secure their application they finally said, ‘listen, we’re a small company, we only have three developers and they don’t really understand security,’” according to John Houston, UPMC vice president of security and privacy and associate counsel.
Here’s the rub: This type of revelation is not limited to small cloud companies in Houston’s experience.
Houston, rather, has encountered several situations in which a company looked very credible and seemed to have its act together.
“But behind the scene they really don’t,” he said. “When evaluating a vendor, we find that they just simply don’t have the wherewithal, the ability to develop a solution that is in fact appropriately secure.”
What’s more, as customers of the cloud providers, it’s tough to derive what the vendors can do, even whether they can actually do what they claim.
“We might try to get audit information and other kinds of substantive information about their security postures, but often those organizations – from a security perspective – are black box,” he added. “We don’t know what goes on within those environments. And, often, those vendors aren’t willing to tell us either.”
UPMC spends considerable chunks of time and effort to really secure its data and Houston believes what’s needed now are standards that the vendors attest to using.
UPMC, for instance, uses HITRUST, the Health Information Trust Alliance. The organization’s Common Security Framework certification is aimed at reducing cyber threats and cyber crimes.
“My attitude is that vendors ought to do the same thing. I should be able to go to them and say where’s your latest HITRUST assessment and your latest HITRUST score?” Houston said. “And they should be able to give that to me.”
Securing health data in the cloud will be among the topics at the Privacy & Security Forum in Boston, Dec. 5-7, 2016.
⇒ Privacy & Security Forum Boston: What to expect
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet
⇒ Budgets grow but breaches continue without best practices
⇒ Think offshoring PHI is safe? You may not be if a business associate breaches