{"id":11880,"date":"2016-01-20T14:00:46","date_gmt":"2016-01-20T22:00:46","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=11880"},"modified":"2022-04-06T00:10:24","modified_gmt":"2022-04-06T07:10:24","slug":"healthcare-organizations-how-to-get-ahead-of-unapproved-cloud-based-file-sharing-tools","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2016\/01\/healthcare-organizations-how-to-get-ahead-of-unapproved-cloud-based-file-sharing-tools\/","title":{"rendered":"Healthcare Organizations: How to Get Ahead of Unapproved Cloud-Based File-Sharing Tools"},"content":{"rendered":"<p>Cloud-based file-sharing tools such as Box, Dropbox, SugarSync and Google Drive can cause major security issues for healthcare organizations. And as a former security lead for a hospital, I found that, even if you have an approved cloud file-sharing website, unless you block access to non-approved file-sharing sites, medical practitioners will use whatever they personally prefer to share protected health information (PHI) with colleagues. Your organization may be deploying Box for internal hospital use, for example, but some doctors will still prefer to use Dropbox to store and share PHI \u2013 it\u2019s not enough to deploy one approved tool and then hope for the best.<!--more--><\/p>\n<p>Once you upload PHI to a popular cloud file-sharing site, it\u2019s very easy to (mistakenly) configure it to be accessible to everyone on the Internet. As you can see in this screenshot of the free version of Dropbox, users do not have the ability to restrict access to specific users. The only option for controlling view access to their file is to select \u201cAnyone with the link\u201d as shown below. 
This means that if the link is posted to a Reddit conversation or another public forum, anyone would be able to download the files.<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/01\/healthcare1.png\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:61.6%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-11881 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/01\/healthcare1-500x308.png\" alt=\"healthcare1\" width=\"500\" height=\"308\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/01\/healthcare1-500x308.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/01\/healthcare1-230x142.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/01\/healthcare1-487x300.png 487w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/01\/healthcare1-65x40.png 65w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/01\/healthcare1.png 818w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/a><\/p>\n<p>Palo Alto Networks is often asked to perform free proof-of-concept exercises at hospitals and other healthcare organizations, and I have found that it is quite common for web access to unapproved cloud file-sharing sites to be enabled.<\/p>\n<p>When I led the effort to disable access to cloud file-sharing sites in my former role, I knew that I couldn\u2019t simply block all access without a careful plan. If I had done so, I would have been inundated with tickets from angry doctors wondering what was going on. The reality is that there are likely to be business processes affecting patient care that rely on access to these sites. 
For this reason I recommend the following high-level plan to decommission access to unapproved cloud file-sharing sites while making sure that clinical processes are not impacted:<\/p>\n<ol>\n<li>Confirm CISO\/CIO support of your effort to block cloud file-sharing sites.<\/li>\n<li>Verify that you have approved alternatives to commonly used, but insecure, cloud file-sharing sites. Users will need help to migrate their processes to the approved solution.<\/li>\n<li>Identify which users are accessing cloud file-sharing sites (if your logging gives you that visibility).<\/li>\n<li>Email those users a warning that access to cloud file-sharing sites will be blocked on a specified date.<\/li>\n<li>Instruct users to open a ticket with the IT Security team to learn about the approved file-sharing alternatives.<\/li>\n<li>Document a process for approving exceptions, and ensure that exceptions are revisited at least every six months. Require CISO approval for exceptions.<\/li>\n<\/ol>\n<p>Healthcare organizations can safely enable access to sanctioned cloud file-sharing sites with careful planning and the right security tools, but any such website that is not explicitly approved by the organization should be blocked as soon as possible to avoid HIPAA-reportable incidents.<\/p>\n<p>Learn more about Palo Alto Networks <a href=\"https:\/\/www.paloaltonetworks.com\/sase\/saas-security\" target=\"_blank\" rel=\"noopener\">solutions for sanctioned SaaS applications<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/industry\/healthcare\" target=\"_blank\" rel=\"noopener\">next generation security in healthcare organizations<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cloud-based file-sharing tools such as Box, Dropbox, SugarSync and Google Drive can cause major security issues for healthcare organizations. 
And as a former security lead for a hospital, I found that, even &hellip;<\/p>\n","protected":false},"author":142,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[89,113,138],"tags":[467,1694,149],"coauthors":[1355],"class_list":["post-11880","post","type-post","status-publish","format-standard","hentry","category-ciociso","category-cloud-computing-2","category-healthcare","tag-phi","tag-protected-health-information","tag-saas"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/11880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/142"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=11880"}],"version-history":[{"count":2,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/11880\/revisions"}],"predecessor-version":[{"id":11883,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/11880\/revisions\/11883"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=11880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=11880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=11880"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=11880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}