In November, the global healthcare cloud market was valued at $63.55 billion and was projected to grow to $197.45 billion by 2032. Healthcare workers heavily rely on the cloud for various day-to-day operations, including data storage. Cloud storage provides several significant advantages to healthcare organizations while also introducing risks related to data security and privacy, regulatory compliance, and service reliability.
Today, the cloud remains a primary target for cyberattackers who may want to access patients’ protected health information (PHI). Cloud storage vulnerabilities can create serious consequences for healthcare providers, patients, and their PHI. Given that such threats exist today, healthcare organizations need to understand more about cloud storage and how to avoid any threats and/or the aftermath in case they do occur.
Cybersecurity threats to healthcare
The Health Insurance Portability and Accountability Act (HIPAA) sets the rules and regulations surrounding access to and disclosure of PHI. The HIPAA Privacy Rule establishes the national standards to protect PHI, while the Security Rule creates a framework for the defense of electronic PHI (ePHI). To enhance data confidentiality, healthcare organizations must prioritize HIPAA compliance by using strong security measures.
HIPAA compliance promotes strong security, especially as data breaches in the healthcare industry increase. According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million. Of these, 157.4 million individuals were impacted in the last five years alone.
Common examples of breaches that result in exposed PHI include accidental disclosure, theft, lost or stolen devices, hacking incidents, and phishing/ransomware attacks. The two most widespread types of healthcare breaches are hacking/IT incidents and unauthorized internal disclosures or insider threats. No matter the type, a data breach can have far-reaching consequences and can create serious accountability and liability issues for an organization.
Cloud storage and healthcare
Cloud-based data centers, run by cloud-based providers, handle data management and storage for other businesses and organizations. In general, such third-party organizations offer healthcare organizations flexibility, scalability, and cost-efficiency. The volume and variety of healthcare data are enormous, growing exponentially and making healthcare data perfectly suited for the cloud.
While cloud storage enables greater collaboration and data sharing, it also increases the risk of unintentional exposure of sensitive information. Cloud data storage is accessible via the internet, which makes it vulnerable to unauthorized access. For healthcare organizations, understanding where the data is stored and having appropriate data access controls are crucial for compliance.
The switch to digital records and digital ties
By 2025, technology has become an integral part of healthcare. Since the early 1990s, electronic health records (EHRs) have been replacing paper records, giving providers and patients real-time access to information. According to the Centers for Medicare & Medicaid Services (CMS), EHRs hold the “key administrative clinical data relevant to that person’s care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports.”
More recently, we saw the growth of telemedicine. A national study of 36 million working-age individuals with private insurance claims showed that telemedicine encounters increased 766% in the first 3 months of the pandemic, from 0.3% of all interactions in March to June 2019 to 23.6% of all interactions in the same period of 2020. Despite the numerous benefits, the rapid digitization of healthcare also introduces new challenges, particularly concerning patient privacy, data security, and regulatory compliance.
Why are there cloud storage risks?
While cloud data storage provides some advantages, it also introduces risks related to data security, privacy, technical challenges, and service reliability. If the storage is not properly secured, attackers can gain access to sensitive health data. Key risks associated with cloud data storage include:
- Greater attack surfaces for unauthorized access
- Increased data breaches
- Shared responsibility issues over security
- Accidental data deletion
- Uncontrollable service downtime
- Data ownership and control issues
- Collaboration challenges
Data breaches can occur if either the cloud provider’s security or the organization’s own measures are not robust. Effective risk management in a cloud storage environment involves implementing security measures to mitigate these risks. Organizations must understand their role and obligations, particularly regarding the security of data stored in the cloud, and must implement strict access controls to prevent unauthorized data sharing.
A real-world cloud breach: Blackbaud
Blackbaud is a cloud-based customer relationship management (CRM) platform serving 35,000 educational institutions, nonprofits, and healthcare organizations. In 2020, a ransomware attacker found an entry point into Blackbaud’s system, compromising the data of several organizations that use its services. Data accessed included personally identifiable information (PII) and PHI of individuals related to the Northern Light Health Foundation, the Children’s Hospital of Pittsburgh Foundation, and Trinity Health, among others.
The company decided to pay the ransom to get confirmation that all data copies had been destroyed. Ransomware has unfortunately become the dominant force behind healthcare data breaches. A recent study even estimates that ransomware attacks have exposed or stolen the health data of at least 375 million individuals over the past 15 years, a number that continues to grow.
As the FBI has stated numerous times, paying a ransomware attacker does not necessarily mean the copied data was destroyed, and the same applies to Blackbaud’s data. In the aftermath, Blackbaud paid a $3 million civil penalty to the Securities and Exchange Commission (SEC), along with $50 million in a lawsuit led by state attorneys general. Moreover, affected individuals never received complete reassurance that their information was safe.
Consequences of cloud storage threats
The consequences of a successful cloud attack can be severe, leading to financial losses and damage to an organization's reputation. Compromised medical records stored in the cloud can also lead to identity theft, financial losses, and reputational harm for patients. Patient privacy is compromised, and healthcare organizations may face legal repercussions, financial penalties, and damage to their reputation.
Organizations can face hefty fines and penalties for HIPAA violations, as well as reputational damage that can affect patient trust and long-term viability. HIPAA violations can result in civil monetary penalties ranging from $141 to $571,162 per violation, with an annual maximum of $2,067,813. The severity of the penalty depends on the level of negligence involved.
The aftermath: mitigating cloud storage vulnerabilities
The reality is that cloud-related breaches do occur. When they do, healthcare organizations must know what to do to mitigate the situation. Healthcare providers need to continuously monitor their systems after a breach for anomalies and/or strange behavior. If an organization suspects that its system has been breached, it should identify and confirm the situation, then take steps to stop the leak of PHI.
They can continuously update and then implement more rigorous security measures to secure cloud access, such as training employees, using advanced access controls, regularly updating their systems, and developing incident response plans. They should also conduct thorough security audits and compliance reviews to identify further vulnerabilities. After detection and investigation, organizations must follow the Breach Notification Rule and notify affected individuals, the government, and, where required, the media.
Swift and transparent communication helps lessen the fallout and indicates an organization’s commitment to rectifying a breach and ensuring it does not occur again. Proper mitigation can keep more patient data from being exposed and protect a healthcare organization from committing a HIPAA violation.
Avoiding cloud storage threats in healthcare with HIPAA compliance
HIPAA compliance involves continuously updating security measures to protect sensitive health information and to avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify vulnerabilities and develop strategies to address them. Other steps to avoid cloud threats include:
- Establishing up-to-date email policies and procedures
- Using business associate agreements (BAAs) when working with third parties
- Ensuring that cloud providers use defensive and offensive strategies
- Obtaining patient consent when storing information on the cloud
- Using continuous employee awareness training, especially on cloud use
- Ensuring proper technological safeguards, such as data encryption
- Utilizing strong access controls like mandatory passwords and MFA
- Categorizing data based on sensitivity and confidentiality and applying correct controls
- Creating data backup and disaster recovery plans in case of an incident
- Regularly auditing and monitoring systems
- Having an incident response plan ready in case it is needed
HIPAA compliance regulations aim to protect patient and employee health information. Adhering to HIPAA standards helps providers protect patient privacy, leading to strengthened relationships and better patient outcomes.
Final thought: Finding the right HIPAA compliant storage solution
FAQs
What is a business associate?
A person or entity that performs certain functions or activities on behalf of covered entities.
Can healthcare organizations use any cloud storage provider for storing PHI?
Healthcare organizations can use cloud storage providers for PHI, but they must ensure the provider signs a BAA and complies with HIPAA's security and privacy rules.
How do cloud storage locations affect HIPAA compliance?
The location of cloud storage directly impacts HIPAA compliance because data stored in the cloud must adhere to HIPAA regulations regardless of where it is physically located.
Are there specific requirements for storing PHI in cloud storage?
Yes, PHI stored in cloud storage must be encrypted both at rest and in transit, and access controls must be in place to restrict unauthorized access.
What are the consequences of using noncompliant cloud storage for PHI?
Using noncompliant cloud storage for PHI can result in HIPAA violations, potential fines, legal actions, reputational damage, and loss of patient trust. It is necessary for healthcare organizations to carefully vet cloud providers to ensure compliance with HIPAA regulations.