When the medical records of about 150,000 people in Patient Home Monitoring Corp.’s database were exposed in September, the breach may have seemed too small to merit the broad media coverage that Equifax received after hackers targeted the personal information of 145.5 million of its customers.
Kromtech Alliance Corp.’s security researchers discovered the breach of Patient Home Monitoring’s data, which included blood-test results, according to a news report from Fierce Healthcare in October. The Lafayette, Louisiana–based, company helps manage respiratory diseases, sleep apnea, and blood testing for patients on anticoagulants like Coumadin.
Although its database was quickly secured and the size of the group exposed relatively small, the report was startling in a different way. The Patient Home Monitoring data resided in Amazon.com’s cloud computing network, Amazon Web Services, and the repository was “misconfigured” in a way that allowed public access to confidential information, according to Fierce Healthcare and a blog on Kromtech’s website. While companies like Amazon Web Services provide cloud security, their corporate customers are responsible for their own data protection.
Todd Zehnder, chief strategy officer and head of investor relations at Patient Home Monitoring, declined to comment. An Amazon spokesman said the company wouldn’t comment on a specific incident or customer relationship. Amazon Web Services says that its repository has built-in security features, though.
Companies are counting on cloud computing service providers, such as Amazon Web Services, Alphabet’s Google, and Microsoft Corp.’s Azure to lead the way in cybersecurity. In a September blog, “Why Wall Street Is Moving to the Cloud,” Oliver Wyman partner Chris DeBrusk said that “the large cloud providers have hired some of the top security talent in the world, and invested heavily in supporting capabilities, which has allowed them to provide a level of security that in many ways exceeds that available to all but the largest corporations.”
As banks increasingly entrust their data to outside service providers, the breach of medical records at Patient Home Monitoring underscores basic principles that cannot be neglected: No computing infrastructure is ever perfectly secure, and neither providers nor users of a third-party infrastructure can afford to let their guards down.
Around 2010, Goldman Sachs Group and State Street Corp. were still outliers in the financial industry with their early adoption of cloud computing. Now the technology appears irresistible. Sensitive client data routinely goes into the cloud — almost without a second thought, but also with a desire for assurances.
“Security is a concern whether data is cloud-based or on-site,” says Oren Blonstein, head of product development at Tora Trading Services, an international supplier of order management and trading tools to buy- and sell-side firms. Tora recently went through a Service Organization Control 2 (SOC 2) examination, conducted by Deloitte & Touche, to certify adherence to security and trust standards. Blonstein says the certification increases Tora’s credibility with customers and partners who are vetting its management of data in the cloud.
Cloud9 Technologies, which is using cloud systems to disrupt traditional approaches to trading-floor communications, obtained both the ISO 27001 certification (for information security management) and SOC 2. “It was a high bar for us,” says Gerald Starr, chief executive officer of the three-year-old start-up. It sends a message that Cloud9 “aims high” to instill users’ confidence in information protection.
Such certifications wouldn’t be in demand if the risks weren’t real and recognized. Yet security experts warn that the accelerating migration of apps, services, and workloads to the cloud only makes the target — known as the “attack surface” — larger.
“Remember that companies are still responsible for their assets in the cloud,” Skybox Security chief marketing officer Michelle Johnson Cobb said during the Black Hat USA 2017 conference in Las Vegas. “The cloud is a piece of the attack surface,” as are physical networks and assets, all requiring security management, she said.
The accelerating innovation tied to the cloud is creating new risks that traditional security can’t protect against, says Chetan Conikee, chief technology officer of ShiftLeft. The company has developed an automated application-security system for microservices, which are used to speed up software coding. In June, ShieldX Networks began offering APEIRO, a microservices platform for multi-cloud security. That same month, cloud security company Illumio said it completed a $125 million series D financing led by JPMorgan Chase & Co.’s asset management business, and that nine of the 15 largest U.S. financial companies were customers.
The following month, insurance company Lloyd’s of London announced that a malicious hack of a cloud service provider could result in as much as $53 billion in losses. For cloud users, and for the sake of global technology, the best advice is to trust but verify.