69% of healthcare providers plan to move more data to the cloud
Named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the US, Netwrix Corporation, provider of a visibility platform for data security and risk mitigation in hybrid environments, has released its 2018 Netwrix Cloud Security: In-Depth Report for Healthcare.
The report reveals that most healthcare providers store sensitive patient data in the cloud, yet only a few have all-round visibility into who is accessing that data.
In January of 2018, the National Health Service (NHS), the largest healthcare provider in the UK, officially approved the use of US-based cloud providers to store patient data, the report states. The company found that 84% of healthcare organisations already store data in the cloud, but the NHS is the first state healthcare organisation to give the go-ahead.
Although the NHS' decision was driven by commonly cited cloud benefits, such as better data security and reduced operating costs, in reality only 19% of organisations surveyed said their security improved after cloud adoption, the report continues.
Last year, malware infiltrations and cyber-attacks grew in the healthcare space, with variants such as NotPetya and WannaCry. The WannaCry attack resulted in disruptions at 37% of NHS trusts and in thousands spent in extra costs to cover cancelled appointments and repair the damage to all existing data platforms. As a result, 68% of those surveyed named the risk of unauthorised access as a key concern, and 61% named the risk of malware infiltration as a dominant factor.
Healthcare is also the only industry surveyed that named data encryption as a top cloud security concern, at 45%. Encrypting all healthcare data handled can double or triple a cloud bill, so smaller organisations without government support tend to refuse the use of cloud technology.
Despite this, healthcare organisations have named employees as a top risk to cloud security, with 55% of respondents saying that the human factor plays the most important role. Third parties, external actors and cloud providers are seen as less of a threat.
“This year shows positive dynamics in cloud adoption by healthcare providers, as more organisations are willing to move their sensitive data to the cloud, or already store it there. Yet the major security concerns remain the same: Most organisations perceive employees as the main threat to their systems and data, while lack of visibility across the IT environment makes it more difficult to deal with potential risks,” explained Michael Fimin, CEO and co-founder of Netwrix.
Peloton vulnerable to cyber attacks, McAfee research finds
Peloton's popular exercise bikes were found to be vulnerable to cyber attacks in the latest research from McAfee.
Peloton is a brand of electric bikes that combines high-end exercise equipment with cutting-edge technology. Its products use Wi-Fi to connect to a large tablet that interfaces with the components of the exercise device and provides an easy way for physical activity enthusiasts to attend virtual workout classes over the internet several times a week.
Peloton has garnered attention recently around the privacy and security of its products. So McAfee decided to take a look for themselves and purchased a Peloton Bike+.
Researchers looked at the Android devices and uncovered a vulnerability that could allow an attacker with either physical access to the Bike+ or access at any point in the supply chain to hack into the bike’s tablet, including the camera, microphone and personal data.
For the person using it there would be no indication the Bike+ has been tampered with, potentially putting Peloton’s 16.7 million users at risk.
The flaw was found in the Android Verified Boot (AVB) process, which normally verifies all code and data before booting. McAfee researchers were able to bypass this process and get the device to boot without that verification step.
This could potentially lead to the Android OS being compromised by an attacker who is physically present. Even worse, the attacker could boot up the Peloton with a modified credential to gain privileges, granting them access to the bike remotely.
As the attacker never has to unlock the device to boot it up, there would be no trace of their access on the device. This type of attack could also happen at any point from construction to warehouse to delivery, by installing a backdoor into the Android tablet without the user ever knowing.
Given the simplicity and criticality of the flaw, McAfee informed Peloton while auditing was ongoing. The vendor was sent full details, and shortly after, Peloton confirmed the issue and released a fix for it.
Further conversations between McAfee and Peloton confirmed that this vulnerability had also been present on the Peloton Tread exercise equipment.
Peloton’s Head of Global Information Security, Adrian Stone, commented on the research: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important.
“To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”