NHS trusts ‘complacent’ on cloud app security risks
Do we block unsanctioned ones? Well half of us think we do...
Almost half of NHS Trusts make no attempt to monitor cloud app usage, according to the results of a Freedom of Information request.
The same FOI by cloud security firm Netskope also revealed that fewer than one-fifth of NHS Trusts have visibility into all cloud app use, leaving sensitive data vulnerable to both risky apps and malicious behaviour.
The FOI request was issued to 80 of the UK’s Acute NHS Trusts, with 43 organisations responding. Just over half of NHS Trusts (53 per cent) who responded believe all unsanctioned cloud apps are completely blocked, yet at the same time fewer than one in five NHS Trusts (19 per cent) confirmed that all cloud app use is monitored.
A third (30 per cent) of respondents were unsure how many cloud apps – both sanctioned and unsanctioned – were used by employees. While a further 35 per cent were able to pinpoint a specific number of cloud apps in use, the figures given were extremely low at an average of just 10.4 cloud apps per NHS Trust. This is compared to the 824 cloud apps found on average in organisations across EMEA in studies outside healthcare.
The findings of the FOI fall against a backdrop of a push to make more use of mobile apps and wearable technology as a source of patient data combined with a growing appetite for sensitive medical data amongst cyber criminals.
Jonathan Mepsted, managing director UK at Netskope, said: “While the NHS has shown great commitment to digitally transforming the patient experience, our data shows a concerning lack of awareness – both in terms of the potential security threats stemming from the cloud and also the data being stored and shared by employees through cloud apps. Given the NHS deadline to go paperless by 2020 and the resulting push towards a digital-first strategy, NHS Trusts will need to ensure the correct security controls are in place in order to remain vigilant to the possible threats posed by cloud apps and take proactive measures to secure data in the cloud.”
Failure to get a handle on apps leaves hospitals at risk of breaching data compliance rules, Mepsted warned.
“Although apps offer significant productivity benefits, when left unchecked they can also pose serious risks for organisations such as fines for non-compliance and reputational damage. The healthcare sector in particular handles a huge cross-section of sensitive data, including large amounts of personally identifiable information relating to citizens’ health,” he added. ®