Yet another non-password protected cloud database has come to light, this time exposing a raft of highly personal information on healthcare workers and traveling nurses – including drug tests and arrest records. The incident showcases the unfortunate reality that cloud data security remains a persistent challenge for businesses of all kinds.
Jeremiah Fowler, a researcher at Security Discovery, found the database, which he said contains 957,000 records from Freedom Healthcare Staffing in Aurora, Colo. Included were “intimate” details on employees, various internal communications, job seeker and recruiter data, IP addresses, ports, pathways and storage data that cybercriminals could exploit to move deeper into the network.
The database was set to be publicly accessible, and anyone could edit, download or delete data without administrative credentials, he said. That’s worrying given the sensitive nature of the information he found.
“In a sampling of the documents I read for verification purposes, I saw failed drug tests (without prescriptions for those drugs), a nurse being accused of taking a patient’s painkillers, complaints about a hospital’s illegal interference in nurses trying to unionize and many more complicated situations,” he wrote in a posting on Tuesday.
“In one document, a manager referenced a news article of a nurse who was arrested and then instructed an employee to check if that nurse’s name was in their system or had ever worked for Freedom Healthcare Staffing. These notes were so detailed that several records I saw even contained Social Security Numbers in plain text.”
Freedom Healthcare Staffing has since secured the database after Fowler notified the company of the issue.
Cloud Security Continues to Lag
As cloud misconfigurations like the one at Freedom Healthcare Staffing continue to make headlines, enterprise views on cloud security have yet to catch up. Research from the Ponemon Institute released on Tuesday shows that although nearly half (48 percent) of corporate data is stored in the cloud, only a third (32 percent) of organizations admit they employ a security-first approach to that data storage.
Based on a survey of over 3,000 IT and IT security practitioners in Australia, Brazil, France, Germany, India, Japan, the United Kingdom and the United States, the data shows that nearly half (48 percent) of organizations have a multi-cloud strategy, with Amazon Web Services (AWS), Microsoft Azure and IBM being the top three. The study found that, on average, organizations use three different cloud service providers, and more than a quarter (28 percent) are using four or more.
The research also found somewhat schizophrenic attitudes towards security in the cloud. For instance, nearly half of survey respondents (46 percent) believe that storing consumer data in the cloud makes them more of a security risk; and more than half (56 percent) also noted that it poses a compliance risk. However, only 23 percent say security is a factor in selecting a cloud provider.
Perhaps most worryingly, organizations aren’t embracing the shared responsibility model, which dictates that cloud providers should offer secure facilities, but it’s up to the customers to make use of the security mechanisms available. The survey found that 35 percent of organizations believe that cloud service providers bear the most responsibility for sensitive data in the cloud; ahead of shared responsibility (33 percent); and themselves (31 percent).
“With businesses increasingly looking to use multiple cloud platforms and providers, it’s vital they understand what data is being stored and where,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Not knowing this information makes it essentially impossible to protect the most sensitive data – ultimately leaving these organizations at risk. We’d encourage all companies to take responsibility for understanding where their data sits to ensure it’s safe and secure.”
Meanwhile, organizations are also finding their cloud-housed data under active attack, underscoring even further the need for better security hygiene. For instance, a primary health organization (PHO) in New Zealand, Tū Ora Compass Health, yesterday disclosed a security breach that led to the exposure of medical and personally identifiable information (PII) of roughly 1 million people.
According to Ministry of Health officials, there were four intrusions, all by different threat actors. Two were “hacktivists” and two were “more sophisticated…and that’s the extent of the information we have,” they said in a press conference.
“Amassing hundreds of thousands of patient records in a single database increases the risk of compromising patient data should a breach occur,” said Paul Edon, senior director (EMEA) at cybersecurity company Tripwire, in an emailed statement. “To ensure patients’ care and safety, healthcare organizations must go beyond simply being compliant with security frameworks and ensure that their environment is duly protected against unauthorized changes and misconfigurations which can make their environment susceptible to a cyber-attack.”