When it comes to buying inexpensive data-storage services, shoppers might want to reflect on an old saying from the Gipper. “It was Reagan who said, 'Trust but verify,' ” said Kirk Nahra, privacy practice chair at Washington, D.C.-based law firm Wiley Rein.
President Ronald Reagan might have been talking about weapons reduction agreements with the Soviet Union at the time, but, according to Nahra, the concept translates to cloud providers.
“If your goal is to get that service as cheaply as you possibly can, that's essentially blind trust,” Nahra said, adding that to be safe, due diligence is necessary. “You should have some idea of what they're doing.”
Government agencies in California, Kansas and Utah learned that the hard way recently when a computer hobbyist downloaded the workers' compensation and liability insurance records of about 1.5 million individuals that were in a data-storage bucket at Amazon Web Services (AWS), a cloud-based provider of computing power and data storage.
A few years ago, the U.S. healthcare industry began embracing cloud computing for some uses, particularly deploying modified private clouds for individual organizations, or so-called “hybrid clouds,” shared by several organizations. These were the earliest cloud forms adopted by some of the major electronic health-record system vendors.
In 2013, health information technology market researcher KLAS Enterprises noted that about a third of the healthcare IT market had adopted “attributes of cloud computing,” mostly hybrid clouds.
This summer, Systema Systems, a Larkspur, Calif.-based provider of claims-management software, moved a copy of a database to the AWS bucket without barring access to unauthorized users, according to a statement by Salt Lake County. The database contained information belonging to the Utah county, which, along with its counterparts in California and Kansas, hired Systema to help handle their workers' compensation and third-party liability claims.
“The files were completely publicly accessible by anyone in the entire world,” said Chris Vickery, an Austin, Texas, resident who says he found the unprotected data using Google and a few search commands. Vickery said it is common knowledge among computer hobbyists that some data stored in the cloud are unprotected.
Amazon has a “shared responsibility model” for data security with AWS—it's Amazon's job to protect its data centers and computers. But securing the applications and the data running on them are the customer's responsibility.
Under this business model, Amazon's customers can buy additional security services such as data encryption, user authentication and access logs, but only if they choose to pay more.
“Why should Amazon care or go to the extra expense of providing security on the buckets” if the customer doesn't care, asked Michael Mac McMillan, CEO of CynergisTek, an Austin data-security consulting firm.
Systema would not provide an official to be interviewed for this story. But it did say in e-mails from its public relations firm that the root cause of the incident was “a misconfiguration of certain permissions.”
Neither Kansas nor Utah dumped Systema over the incident, preferring instead to tighten up security through mutual agreements with the company. They say they are confident workers' data were not exposed beyond Vickery, who signed a legal document promising he did not share the information.
Tim Keck, deputy chief counsel of the Kansas Health and Environment Department, said the agency has considered itself to be a Health Insurance Portability and Accountability Act-covered entity. As such, the department required Systema to sign a HIPAA business associate's agreement and protect Kansas' information according to HIPAA standards.
Keck said he believes its contract required Systema to keep audit logs on its data, which it wasn't doing at the time of the breach. The agency in Utah also said an audit log function was not on at the time of the breach. That agency noted that, at its suggestion, Systema used Amazon's billing logs, which document date, time and volume of data moving from its files, to confirm that Vickery's approximately three-hour download was the only unauthorized access to the data bucket.
In the wake of the incident, Systema is now using audit logs on its data storage buckets, both Kansas and Utah report.
How else can customers protect themselves from future incidents on the cloud? First, McMillan said, is to contract with a “top-tier” cloud provider that provides audit services. Next, insist on an audit requirement in the contract. Finally, periodically request an audit report on who has accessed data.\
“If the functionality is there, they will be able to comply. If not … well, you know the answer,” he said.