Worried about BYOD? Just wait for its cloud-based spin-off

Many hospital CIOs may finally have given in, and given over, to the bring-your-own-device trend, and could be searching for solutions to partition, virtualize, or otherwise secure patient data on personal devices.

What they may not be ready for--technologically or philosophically--is a new, even scarier, trend on the horizon: Bring-your-own-cloud (BYOC).

The movement has been gaining momentum in a host of other businesses where mobile workers use commercially available cloud storage, such as Microsoft SkyDrive, Google Drive, Dropbox and others, to stash information while on the go, rather than keep it on their mobile devices.

And the trend may soon hit healthcare, although not in a good way, according to an article in Becker's Hospital Review. The piece predicts that busy healthcare workers may even now be storing patient data in commercial "clouds," despite hospitals' best security efforts.

"You would probably expect that anything a hospital would store in a cloud server would be encrypted so that even though access may be easy, not just anyone could open the file and read it. However, given the immediate availability of cloud service tools, if someone wanted to move data for any reason--lawful or not, reasonable or not--the ability to do so is very real," Alan Brill, senior managing director of security firm Kroll Advisory Solutions tells Becker's.

If you're feeling a bit queasy, there's good reason. Some of the biggest companies in the world are wrestling with this issue as we speak. CloudTweaks reports that IT heavyweight IBM recently prohibited its employees from using iCloud or Dropbox on any device that stores company data.

CloudTweaks even notes there is a new software that just came on the market that allows IT officials to detect when cloud-based services are running on their networks, and on which devices they've been installed.

Becker's brings the question back home to healthcare, though, with some security tips for CIOs worried about BYOC headaches joining their existing BYOD ones, including:

  • Conduct regular data inventories: Knowing where your data is stored can help identify places it should (or shouldn't) be, Becker's notes.
  • Create device-agnostic, but device-aware, policies: Keep track of the different type of devices accessing your network, and what storage apps, etc., might be available to them.
  • Create network-level blocks of unauthorized storage sites: Sometimes its important to disable USBs, block certain sites, or otherwise prevent users from indulging in workarounds that could endanger patient data. They might not be happy about it, but the entire enterprise will be safer.
  • Train users about cloud storage, and its security weaknesses: If you're going to block a certain site, or prohibit certain transaction types, your employees need to know that, Becker's reports. Often being aware of the prohibition is enough to discourage the behavior.

Overall, the BYOC trend is one that could present even more security dangers for hospital CIOs, if not managed properly. The old adage is true--once something is posted on the Internet, it's there forever. And even the most industrious CIO won't likely be able to "remote wipe" an entire cloud.

But I want to know what you think. Has anyone found users secretly stashing data online? If so, let me know how it's impacting your security priorities and policies. - Sara