When the medical records of about 150,000 people in Patient Home Monitoring Corp.’s database were exposed in September, the breach may have seemed too small to merit the broad media coverage that Equifax received after hackers targeted the personal information of 145.5 million of its customers.
Kromtech Alliance Corp.’s security researchers discovered the breach of Patient Home Monitoring’s data, which included blood-test results, according to a news report from Fierce Healthcare in October. The Lafayette, Louisiana–based company helps manage respiratory diseases, sleep apnea, and blood testing for patients on anticoagulants like Coumadin.
Although its database was quickly secured and the size of the group exposed was relatively small, the report was startling in a different way. The Patient Home Monitoring data resided in Amazon.com’s cloud computing network, Amazon Web Services, and the repository was “misconfigured” in a way that allowed public access to confidential information, according to Fierce Healthcare and a blog on Kromtech’s website. While companies like Amazon Web Services provide cloud security, their corporate customers are responsible for their own data protection.
Todd Zehnder, chief strategy officer and head of investor relations at Patient Home Monitoring, declined to comment. An Amazon spokesman said the company wouldn’t comment on a specific incident or customer relationship. Amazon Web Services says that its repository has built-in security features, though.
Companies are counting on cloud computing service providers, such as Amazon Web Services, Alphabet’s Google, and Microsoft Corp.’s Azure, to lead the way in cybersecurity. In a September blog, “Why Wall Street Is Moving to the Cloud,” Oliver Wyman partner Chris DeBrusk said that “the large cloud providers have hired some of the top security talent in the world, and invested heavily in supporting capabilities, which has allowed them to provide a level of security that in many ways exceeds that available to all but the largest corporations.”
As banks increasingly entrust their data to outside service providers, the breach of medical records at Patient Home Monitoring underscores basic principles that cannot be neglected: No computing infrastructure is ever perfectly secure, and neither providers nor users of a third-party infrastructure can afford to let their guards down.
Around 2010, Goldman Sachs Group and State Street Corp. were still outliers in the financial industry with their early adoption of cloud computing. Now the technology appears irresistible. Sensitive client data routinely goes into the cloud — almost without a second thought, but also with a desire for assurances.
“Security is a concern whether data is cloud-based or on-site,” says Oren Blonstein, head of product development at Tora Trading Services, an international supplier of order management and trading tools to buy- and sell-side firms. Tora recently went through a Service Organization Control 2 (SOC 2) examination, conducted by Deloitte & Touche, to certify adherence to security and trust standards. Blonstein says the certification increases Tora’s credibility with customers and partners who are vetting its management of data in the cloud.