By Pavel Novik
Cloud solutions have entered even conservative industries. They are widely used in manufacturing and finance, and now healthcare is not an exception either. Cloud-based tools help care providers reduce costs on maintaining computer systems, servers, and other equipment, so providers’ interest is steadily growing.
The healthcare cloud computing market is projected to reach over $64bn in 2025, rising from $28.1bn in 2020 at a CAGR of 18.1%. However, there’s a thorny question looming: are cloud solutions secure enough? Unconditional security is a non-existent concept. However, certain efforts can ensure the security of healthcare clouds.
Quality assurance remains the best prevention measure in healthcare IT. When it comes to cloud testing, it’s not only about security tests per se. Testing engineers can touch upon certain security aspects during functional testing too.
For example, providers tend to employ multifactor authentication to make sure only legitimate users may log in. This type of access control is quite effective, as credentials alone won’t let a user into the system. The system requires verification via a personal mobile device, and malicious actors rarely have that device at hand. There’s another protective feature in place — remote wiping, which protects sensitive data in case a mobile device gets lost or stolen.
Nevertheless, testing these two features from the functional perspective doesn’t cover security comprehensively. Walking the extra mile with dedicated security tests wouldn’t hurt. After all, certain malware types are designed specifically to break into clouds, and security experts are the ones who know the relevant prevention tactics.
Cloud security testing doesn’t start with testing itself but with the test scope definition. At this preparatory stage, it is vital to keep in mind these two points:
- Third-party tools are always off-limits unless the provider has obtained written permission from the third party’s representative.
- If one system within a cloud has to integrate with another system, and security experts have no permission to cross-check both systems, the cloud is tested only partially. The situation may turn hazardous: the integration point may have a vulnerability that will remain unrevealed.
To ensure full-scale protection, care providers should obtain written permissions from all third-party vendors whose apps are integrated with their cloud solutions.
With the scope defined, security experts can proceed with vulnerability scanning. During this type of testing, experts explore the cloud and try to find any weak points that malicious actors may exploit. This testing type also looks for configuration flaws that may result in a digital intrusion.
After that, the team delivers a remediation report that lists the detected vulnerabilities and provides actionable tips to fix them. The provider may then pass this report to their developers for further analysis and improvements.
There is yet another important type of security testing — penetration testing. Here testers fully mimic hackers or other malicious actors: they try to break into the system. Penetration testing is the most effective way to test a provider’s readiness to face an attack and nip it in the bud.
As we know, the key targets for cybercriminals are internal processes, technologies, and employees. To exploit an organization’s vulnerabilities in processes and systems, hackers use bots that crawl the internet in search of any loopholes. When a vulnerability is detected, malicious actors proceed with the actual attack.
With employees, the strategy is different. Getting to them may require another set of skills — social engineering. Luckily, there is an effective prevention strategy in place. It’s employee training.
About a third of data breaches in healthcare happen due to basic human errors, Verizon reports. Besides, the same source states that phishing is still among the top cybersecurity threats. This is where social engineers take the stage.
Well-versed in psychology, social engineers try to talk employees into sharing their credentials. They rarely do so in person. Instead, they target an employee with spear phishing, a phishing attack tailor-made for a particular individual. Here, the social engineer tries to manipulate the user into downloading malware, promoting it as an effective protective app. Once downloaded and installed, this tool may wreak havoc across all the system components the user has access to.
It makes sense to train employees to follow email hygiene practices. These involve three key points:
- No credential sharing, even if the one who asks for it passes themselves off as a provider’s authority figure.
- No link clicking. It may unleash malware.
- Attention to senders. However hard malicious actors try to hide their intentions, there are always some subtle tell-tale signs—typos. They may be anywhere—in the domain spelling, the email address, or the name of the sender.
To protect PHI and other sensitive information, providers should motivate their employees to stay attentive when checking their work emails.
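As an added example (not part of the original article), the following Python check implements the “attention to senders” point: it parses a From: header and flags sender domains that differ from a trusted domain only by a typo or a look-alike character. The allowlist, the sample headers and the two-edit threshold are constructed assumptions for illustration.

```python
import re

# Constructed allowlist of the provider's own and partner domains (illustrative only).
TRUSTED_DOMAINS = {"clinic-example.org", "lab-example.com"}
# Digits that are commonly swapped for the letters they resemble; folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Loose parser for a From: value: optional display name, then addr-spec with its domain.
ADDR_RE = re.compile(r'^(?:"?(?P<name>[^"<]*?)"?\s*<)?(?P<addr>[^<>\s]+@(?P<domain>[^<>\s]+))>?$')

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Lower-case, fold digit look-alikes and the classic 'rn' for 'm' swap."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def check_sender(from_header: str) -> dict:
    """Classify a From: header as trusted, lookalike, external or unparseable."""
    m = ADDR_RE.match(from_header.strip())
    if not m:
        return {"verdict": "unparseable", "domain": None}
    domain = m.group("domain").lower()
    if domain in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "domain": domain}
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        folded = normalise(trusted)
        # Identical after folding, or within two edits, is a probable typo-squat.
        if norm == folded or edit_distance(norm, folded) <= 2:
            return {"verdict": "lookalike", "domain": domain, "imitates": trusted}
    return {"verdict": "external", "domain": domain}

# Constructed sample From: values, not taken from real messages.
SAMPLE_HEADERS = [
    "billing@clinic-example.org",
    '"IT Support" <help@clinic-examp1e.org>',
    '"Admin" <admin@clinic-exarnple.org>',
    "newsletter@vendor-example.net",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:45} -> {check_sender(h)}")
```

Exact-match whitelisting alone would pass the two look-alike headers as merely “external”; folding and the edit-distance threshold are what surface the typo.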
Deploying a secure healthcare cloud is not an easy task. Nevertheless, it’s manageable. It requires well-coordinated work of internal and external security teams and a good understanding of the tasks to perform. Besides, users’ alertness is as important for secure cloud operation as cybersecurity controls in place. It’s users who can detect and prevent the damage before an attack happens.
Pavel Novik is QA Unit Manager and the Head of the Mobile Testing Center of Excellence at a1qa.