HC3 Calls Attention to Cloud Security Concerns, Mitigation Tactics

August 15, 2022 - The HHS Health Sector Cybersecurity Coordination Center (HC3) released an analyst note detailing cloud security risks. The note addressed issues with shadow IT, misconfiguration, cloud hijacking, and more.

Healthcare organizations have been rapidly adopting cloud technologies, with their main selling points being scalability, flexibility, and often security. According to Vantage Market Research, the healthcare cloud computing market is expected to reach $128.19 billion by 2028, growing at a CAGR of 18.74 percent from 2021 to 2028.

“Threats facing the cloud can vary, but the biggest concerns exist with internal threats such as human error, external threats from malicious actors, and the infrastructure itself,” the analyst note stated.

“Since the cloud exists off-site the conventional methods of protection aren’t always effective. When protecting the cloud, we are attempting to secure the network, recover data, minimize human error, and reduce the overall impact of a compromise.”

Securing the cloud must begin with an understanding of what is being secured and the system that is managing the cloud services, HC3 noted. The note emphasized that cloud security is a shared responsibility between cloud providers and their clients. The level of responsibility for each party depends on whether organizations are using software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS).

“These security measures are configured with the intent to protect data and customer privacy as well as setting up proper authentication rules for the individual users and devices,” HC3 continued.

“Through this, cloud security can be configured to meet the specific needs of a business. Since these rules can be configured and managed in one place, teams have increased availability to focus on other needs in their department.”

Improper cloud security measures can lead to data breaches, ransomware, and phishing attacks. HC3 pointed at misconfiguration, such as unsecure API keys, unrestricted inbound and outbound ports, and disabled logging capabilities, as a leading cause of cloud security issues.

Additionally, threat actors have been known to use cloud applications in phishing attacks since users are now accustomed to cloud-based email services sending them links to confirm their identity. Threat actors have leveraged this development to phish for credentials.

Shadow IT also poses a significant risk to cloud security, the note suggested.

“Shadow IT is the use of information technology services, software, or devices that aren’t approved by an IT department for use. Shadow IT has risen over the years through the use of public cloud services and as employees saw the short term benefit versus the long term security impacts,” the note said.

“If a department is unaware of an application, then they won’t have the ability to secure it properly.”

Cloud hijacking, lack of cloud visibility, and identity and access management (IAM) issues can also be cause for concern.

Despite these concerns, cloud technology can have great benefits to healthcare organizations. The key is to balance these benefits with carefully considered security measures to mitigate risk. When organizations think about securing the cloud, HC3 recommended that they:

• Use a cloud service provider that encrypts  
• Conduct compliance audits
• Implement a Zero Trust model
• Set up your privacy settings
• Use Two-Factor Authentication
• Establish and enforce security policies
• Maintain cloud visibility
• Understand cloud compliance, requirements, and regulations
• Install updates to your operating system
• Avoid using public Wi-Fi

HC3 suggested that organizations look for cloud service providers (CSPs) that value the security practices mentioned above.