Vertical Markets

NHS in the cloud

by Mark Rowe

IT risk may arise from a belief that all cloud app use has been blocked, according to the cloud security product company Netskope, following its Freedom of Information (FOI) request into cloud app use in the NHS. The request found that almost half of NHS trusts do not monitor cloud app use by employees. Without monitoring, there is still a risk that sensitive data are being uploaded and/or shared via cloud apps being downloaded and used without the IT department’s permission, it’s claimed.

This new data was obtained by a Freedom of Information (FOI) request, issued to 80 of the UK’s acute NHS trusts, with 43 responding. Based on those responses, over half of NHS Trusts (53 per cent) believe all unsanctioned cloud apps are completely blocked, yet at the same time fewer than one in five trusts (19 per cent) confirmed that all cloud app use is monitored.

This suspected lack of visibility into cloud app use was borne out by the other findings from the FOI request. For example, 30 per cent of respondents were unsure how many cloud apps – both sanctioned and unsanctioned – were used by employees. While a further 35 per cent were able to pinpoint a specific number of cloud apps in use, the figures given were extremely low at an average of just 10.4 cloud apps per NHS Trust. This is compared to the 824 cloud apps found on average in organisations across EMEA by the latest Netskope Cloud Report. The low figures given for cloud app use continue to suggest that NHS Trusts have very limited visibility into the cloud apps used by employees and therefore may also have restricted visibility into the data being uploaded/shared through cloud apps.

The findings suggested, the firm added, that a lack of visibility into cloud app use may be creating a certain level of complacency amongst trusts. Despite just 19 per cent of trusts monitoring all cloud app use, 35 per cent stated that absolutely no cloud apps were in use. Many assume staff are not using unsanctioned cloud apps but do not monitor use to guarantee this, the firm says. This unfounded confidence is highlighted further by the fact that 75 per cent of the NHS Trusts that did not know whether they monitor cloud app use also stated that absolutely no cloud apps are in use.

Netskope says recent research found that, on average, 26 pieces of malware are found in cloud apps across a given organisation and 43.7 per cent of this malware has delivered ransomware. In addition, with the EU General Data Protection Regulation due to take effect in May 2018, Netskope research has identified that 75.4 per cent of apps in use are not GDPR ready. Despite the potential threats of unchecked cloud app use, almost half of all NHS trusts (47 per cent) do not monitor all cloud app use by employees while more than one third (35 per cent) do not block unsanctioned cloud apps.

Comment

On these findings, Jonathan Mepsted, managing director UK at Netskope, says: “While the NHS has shown great commitment to digitally transforming the patient experience, our data shows a concerning lack of awareness – both in terms of the potential security threats stemming from the cloud and also the data being stored and shared by employees through cloud apps. Given the NHS deadline to go paperless by 2020 and the resulting push towards a digital-first strategy, NHS Trusts will need to ensure the correct security controls are in place in order to remain vigilant to the possible threats posed by cloud apps and take proactive measures to secure data in the cloud.

“Although apps offer significant productivity benefits, when left unchecked they can also pose serious risks for organisations such as fines for non-compliance and reputational damage. The healthcare sector in particular handles a huge cross-section of sensitive data, including large amounts of personally identifiable information relating to citizens’ health. It is absolutely vital that this sensitive data is kept secure. An appropriate strategy around cloud app use is a vital piece of this security issue.

“With a growing appetite for sensitive medical data amongst cyber criminals, the healthcare industry needs to respond by ensuring IT teams have the tools they need not only to have visibility into employee app use and activity, but also to have deeper intelligence, protection, and remediation that can help them stop malware in its tracks. As the cloud threat landscape becomes increasingly complicated, steps must be taken to ensure that patient privacy and security remain a top priority.”

Methodology

Netskope issued a Freedom of Information (FOI) request to 80 UK acute NHS trusts, asking:

1. Do you block the use of cloud apps not officially purchased or sanctioned by your department’s IT team? (Cloud apps are apps such as Dropbox, Box, Google Drive, iCloud, WeTransfer, etc, which operate in the cloud and therefore do not necessarily need to be downloaded to a PC/laptop/mobile device to be used.)

2. How many cloud apps are in use by employees in your department? Please include both those apps purchased or sanctioned by IT, and unsanctioned apps i.e. used by employees without IT’s permission. If you do not know whether/how many unsanctioned apps are in use, please state this and provide the number of sanctioned/authorised cloud apps.

3. Do you monitor cloud app use by employees in either sanctioned or unsanctioned apps, for example by monitoring what data are uploaded and/or shared using cloud apps?

NB: Netskope received responses from 43 of the 80.


© 2024 Professional Security Magazine. All rights reserved.
