8 Mistakes to Avoid when Securing Cloud Services

ShahidShah
Last updated: July 27, 2012 9:00 am

There’s solid demand these days for services like DropBox.com or Box.net that allow easy but secure file sharing to occur with proper privacy restrictions and audit tracking. I was pleasantly surprised to learn that there are a few companies, such as FolderGrid, trying to solve the problem of HIPAA-compliant file sharing. What FolderGrid is doing, though, is quite unique in healthcare – creating infrastructure software for other health IT developers to build on top of. I reached out to Eric Simmerman, CTO at FolderGrid as well as head of IT and Chief Security Officer at Pascal Metrics, a Patient Safety Organization (PSO). I asked Eric to give us some lessons he’s learned and what mistakes we should avoid while both building and evaluating cloud services for the healthcare marketplace. Here’s what Eric wrote back:

In the race to avail yourself of the many benefits of cloud computing, don’t leave behind security as you pursue the convenience of ubiquitous availability. It’s tempting to equate newer technology and services with better fundamentals. But as recent headlines have demonstrated, even the most established firms have been caught using inadequate and in some cases negligent practices when securing their customers’ sensitive data.

If you are an engineer building a new cloud service or a prospective user evaluating the security policies of a service provider – the following eight commandments are meant to help you avoid some of the vulnerabilities that have already led to account compromises and sensitive data disclosures. No such list could hope to be comprehensive and this one is meant only to establish what should actively be avoided as a bare minimum. If your service requires higher than standard security measures, such as those subject to HIPAA or PCI compliance, you should run kicking and screaming from any vendor who fails to adhere to these simple tenets.

1. Don’t forget to salt your passwords

A cryptographic salt is a string added to your password before it is encrypted using a one-way function. It is a vital element in protecting passwords, as LinkedIn learned to their dismay this June when 6.5 million of their users’ passwords were posted to a Russian user forum. Because these passwords had not been salted, over 60% of them were cracked immediately using simple dictionary attacks or similar techniques. Salting passwords is a trivial act (on both the implementation and operational fronts) and not salting the passwords of a modern system is simply negligent.

2. Don’t use MD5 hashing for password encryption

When chip maker Nvidia admitted up to 400,000 users of its forums had their encrypted passwords compromised in early July, the passwords were revealed to have been unsalted and encrypted as MD5 hashes. MD5 was declared “dead” by renowned security expert Bruce Schneier over seven years ago and is now widely regarded as dangerously insufficient. Best practices mandate the use of a significantly more complex cipher such as bcrypt.
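An added example (not part of the original article) that puts the unsalted MD5 scheme from items 1 and 2 beside a salted, deliberately slow hash. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which needs a third-party package; the function names, iteration count and sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor: an assumed value for this example, tune it for your hardware.
ITERATIONS = 600_000


def md5_unsalted(password):
    """The scheme the article warns against: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password):
    """Return (salt, digest); a fresh 16-byte random salt is drawn per password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, expected)


def found_in_wordlist(stored_md5, wordlist):
    """Audit helper: which accounts' unsalted MD5 hashes match a known-weak word?"""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_md5.items() if h in table}


# Constructed sample accounts: two users who happened to pick the same password.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "T9#vq-unrelated-phrase"}

if __name__ == "__main__":
    legacy = {user: md5_unsalted(pw) for user, pw in ACCOUNTS.items()}
    print(legacy["alice"] == legacy["bob"])   # without a salt, equal passwords collide
    print(found_in_wordlist(legacy, ["password", "letmein"]))
    salt_a, hash_a = hash_password(ACCOUNTS["alice"])
    salt_b, hash_b = hash_password(ACCOUNTS["bob"])
    print(hash_a == hash_b)                   # per-password salts break the collision
    print(verify_password("letmein", salt_a, hash_a))
```

The salt is stored next to the digest in the user record; it does not need to be secret, only unique per password.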

3. Don’t expose sensitive data through lazy design

Sloppy construction of a modern user interface can lead to a platform that leaks data unintentionally. As the use of “AJAX” technologies has grown, web and mobile applications commonly “push” large amounts of data to the end user’s device where it can be used to support multiple views and operations without the need to issue a new request. This leads to generally better user experience and perceived application performance.

Unfortunately, careless use of these techniques can leak sensitive information, leaving seemingly well-protected systems hugely vulnerable.
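An added example (not part of the original article) of one common form of the leak described in item 3: the server pushes whole records to the client and relies on the interface to hide fields. The roles, field names and patient records are constructed for illustration.

```python
import json

# Fields each role may receive (a constructed policy for this example).
VIEW_FIELDS = {
    "scheduler": {"id", "name", "next_appointment"},
    "clinician": {"id", "name", "next_appointment", "diagnosis"},
}

# Constructed sample records as they might sit in the server's datastore.
PATIENTS = [
    {"id": 1, "name": "A. Example", "ssn": "000-00-0000",
     "diagnosis": "sample-dx-1", "next_appointment": "2012-08-01"},
    {"id": 2, "name": "B. Example", "ssn": "000-00-0001",
     "diagnosis": "sample-dx-2", "next_appointment": "2012-08-03"},
]


def leaky_payload(records):
    """Lazy design: ship every column and let client-side code decide what to show."""
    return json.dumps(records)


def scoped_payload(records, role):
    """Project each record through the role's allowlist before it leaves the server.

    Unknown roles fail closed instead of falling back to the full record.
    """
    allowed = VIEW_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"no view defined for role {role!r}")
    return json.dumps([{k: v for k, v in rec.items() if k in allowed}
                       for rec in records])


if __name__ == "__main__":
    print("ssn" in leaky_payload(PATIENTS))                # sent even if never displayed
    print(scoped_payload(PATIENTS, "scheduler"))
```

Anything in the response body is readable on the device regardless of what the page renders, so the filtering has to happen before serialization.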

4. Don’t use a common key for encrypting multiple users’ data

You wouldn’t rent an office in a building where every door used the same lock and every tenant was issued the same key. Likewise you should insist that distinct keys be used for encrypting your sensitive data in the cloud. Using a common encryption key for multiple users’ data subjects all of those users to additional risk of compromise. If just one object encrypted with that common key is successfully attacked – every other object encrypted with the same common key is potentially vulnerable.

On a multi-tenant platform this is even more important since there is a very real possibility that one or more of your users or tenants could act maliciously to intentionally compromise the common key and thereby gain access to other tenants’ data.

As an example of proper design, Amazon’s Server Side Encryption Support uses a unique key for every object stored. Unfortunately, it seems that not every vendor offering to encrypt sensitive data at rest adheres to this policy.

5. Don’t use reset tokens without expirations

Every service with human users and passwords needs some form of password reset process. These are typically implemented using a “reset link” or “temporary password” which is emailed to the email address of record for a user requesting a reset. Unfortunately, most services fail to adhere to the best practice of expiring these temporary credentials after a short period.

As this month’s compromise at Yahoo demonstrates, email accounts are prime targets for virus propagation, malware distribution, and identity thieves. Well designed cloud services should avoid storing a valid password in an email any longer than is absolutely necessary to support the password reset process. Expiration after 15 minutes is a good rule of thumb.
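An added example (not part of the original article) of a reset token that expires after the 15 minutes suggested in item 5. It goes slightly beyond the text by also making the token single-use and keeping only its hash on the server; the class name and in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # the article's 15-minute rule of thumb


class ResetTokenStore:
    """In-memory store constructed for this example; a service would use its database."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a token for the emailed reset link; only its hash is retained."""
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (user_id, self._clock() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the user id for a valid token, or None if unknown, used or expired."""
        entry = self._pending.pop(self._key(token), None)  # pop makes it single-use
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return user_id


if __name__ == "__main__":
    now = [0.0]                       # constructed clock for the demonstration
    store = ResetTokenStore(clock=lambda: now[0])
    link_token = store.issue("alice")
    now[0] += 16 * 60                 # the email sits unread past the deadline
    print(store.redeem(link_token))
```

A token left in a mailbox past the deadline is then worthless to whoever later gains access to that mailbox.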

6. Don’t save user passwords on mobile devices or shared workstations

In the Yin versus Yang battle of security and usability, security concerns often give way to the usability demands of end-users. When a cloud service installs an app on a shared workstation or a mobile device, users often expect that they’ll only be required to log in to that service once. Unfortunately, for an app to keep a user authenticated indefinitely it must persist the user’s password in an insecure way, rendering the security of the service dependent upon the security of the device.

If the app can store and read the password after a restart or a sign-out, then an attacker with access to the device can do the same. Evidence abounds that you should not equate physical possession of a device with authorization for a service.

7. Don’t persist authentication tokens

The last commandment dealt with the storing of a user’s password and ensuring that the password could not be misappropriated by a malicious user with access to the same workstation. This commandment is similar but reminds us that protecting the password while permitting authentication through other persisted means is equivalent to “kicking the can down the road”.

Dropbox suffered some embarrassing and unwanted publicity for failing to adhere to this one after users discovered they could surreptitiously access all the files in anyone’s account by simply copying one file from the victim’s computer.

8. Don’t fail to support integration with modern workflows

There’s an old security adage that states “The more secure you make something, the less secure it becomes”. Why? Because when security gets in the way, well-meaning users develop workarounds that defeat the security. Hence the prevalence of doors propped open by wastebaskets and of passwords pasted on the front of monitors.

When we translate that lesson to the realm of cloud services it implies that you must support the needs of your users with modern tooling and workflow integration. If you don’t want users downloading sensitive files from your service and emailing them to colleagues then your service must provide a convenient means of distribution and collaboration. If you don’t want your users to share a common set of credentials then make credentialing and delegation as simple as possible.

These are early days for cloud service providers and unfortunately many are cutting corners in their push to market. When you’re evaluating a service provider’s security policy a bit of due diligence today can save you significant pain tomorrow. And if you’re building the service itself, you should need no further convincing that adhering to these eight commandments is a good start.
