NHS Cloud App Blind Spot Could Put Data at Risk

A Freedom of Information request has revealed that nearly half (47%) of NHS Trusts don’t monitor all cloud app use, potentially exposing them to data security and compliance risks.

Cloud security firm Netskope sought info from 80 of the UK’s Acute NHS Trusts, just over half of which replied.

Of these, half (53%) claimed that unsanctioned cloud app use was blocked, but with only 19% confirming all usage is monitored, there’s a worrying lack of visibility into environments, according to Netskope.

Going further, 30% of responding Trusts were unsure how many sanctioned and unsanctioned cloud apps were used by employees, and the 35% who did have visibility were able to name only 10.4 apps each on average. That compares to 824 cloud apps found in the average organization, according to the Netskope Cloud Report.

This kind of shadow IT could mean sensitive patient and other data being uploaded to and shared via the cloud without adequate protection.

There’s also the danger that downloaded apps could contain malware, according to Netskope.

The firm claimed that on average 26 pieces of malware are found in cloud apps across any given organization.

The findings come as UK companies prepare for the European GDPR, strict new data protection rules which could levy heavy fines for non-compliance and mandate breach notifications within 72 hours.

“While the NHS has shown great commitment to digitally transforming the patient experience, our data shows a concerning lack of awareness – both in terms of the potential security threats stemming from the cloud and also the data being stored and shared by employees through cloud apps,” argued Netskope’s UK managing director, Jonathan Mepsted.

“Given the NHS deadline to go paperless by 2020 and the resulting push towards a digital-first strategy, NHS Trusts will need to ensure the correct security controls are in place in order to remain vigilant to the possible threats posed by cloud apps and take proactive measures to secure data in the cloud.”

The NHS is trying to clean up its act, however, with news that its digital arm is set to work closely with the new National Cyber Security Centre (NCSC) to boost its security capabilities.

“While data stolen from a bank can quickly become useless once the attack has been discovered due to the changing of passwords and other security details, data from the healthcare industry can live a lifetime and as such it is one of the most sought after data sets that hackers look to steal,” explained Rob Norris, director of enterprise & cyber security EMEIA at Fujitsu.

“While the NHS continues to work with the NCSC, it should also be proactive to enable real-time threat reporting and fast solutions before a threat becomes a compromise. This should sit alongside a clear and well-rehearsed incident management plan, addressing internal and external communication in addition to containment and recovery activities.”
