CASBs in Healthcare

By Rich Campagna, Vice President/Products & Marketing, Bitglass

Initially a laggard in cloud adoption, the healthcare industry is now adopting public cloud applications en masse, with adoption of cloud based productivity apps like Office 365 and Google Apps. Adoption is up from 8% in 2014 to over 36% in 2015, with no signs of slowing down! This rapid change hasn't come without plenty of healthcare CISOs losing sleep - not only does Protected Health Information (PHI), an ever more attractive target for hackers, need to be protected, but the accessibility of the public cloud makes even inadvertent data leakage as easy as clicking the "share" button. Pair all of this with the fact that over 90% of healthcare professionals use BYOD and you have a serious disease without a cure.

Or is there? Increasingly, healthcare organizations are turning to Cloud Access Security Brokers (CASBs) to get a handle on public cloud security & compliance challenges. The four CASB functions employed most often are (1) unmanaged device access control, (2) external sharing controls, (3) visibility and (4) identity controls.

1. Unmanaged device access control - with premises applications, it's relatively easy to contain access only to managed devices. Since the public cloud is available from anywhere, the ability to restrict access to only certain devices becomes much more difficult. That aside, most organizations realize that they no longer have a choice but to support BYOD, the question is on what terms? It's difficult to manage employee devices with tools like MDM, and on the healthcare provider side, with 30-40% not employees but independent clinicians, it may not be possible at all. A CASB can help solve this problem by providing controlled access from unmanaged devices. This Fortune 50 healthcare organization uses Bitglass to provide full access from managed devices and restricted access from unmanaged devices. When a user attempts to access a protected application, Bitglass Device Profiler determines whether the device is managed or unmanaged. For unmanaged devices, the policy configured allows for restricted web and activesync access, but this organization has chosen to block access from file sharing clients like OneDrive. The rationale is that they don't want large quantities of PHI and other sensitive data synchronized to unmanaged devices, but they are okay with web and Activesync with DLP applied to control the flow of PHI to the device. For example, they scan files being downloaded with Citadel DLP and any file with a large number of instances of PHI will either be blocked or encrypted on download.
2. External sharing controls - File share and sync apps can be a great productivity boon, and if you're a Google Apps or Microsoft Office 365 customer, chances are you have tons of "free" storage "included" in your enterprise license. That said, fear of the share button holds many back from using these applications. A CASB can allow you to scan data-at-rest in these applications, looking for sensitive data like PHI. From there, a number of response actions are possible including quarantine for investigation, share removal and encryption. This gives you the ability to allow your employees to share data, but without the risk of data leakage.
3. Identity - Leading CASBs have integrated identity and access management functionality directly into the platform. In addition to saving you the hassle and expense of dealing with yet another vendor, integrated identity can provide for value-added functionality such as step-up authentication when suspicious activity is detected. Since phishing and credential compromise was the main attack vector in high profile breaches like Premera and Anthem, the ability to thwart this activity can be worth millions. For example, let's say that a user logs into Office 365 from the East Coast of the United States. Five minutes later, someone logs into Salesforce with that user's credentials from somewhere in Eastern Europe, or from an IP that is known as a ToR endpoint. A CASB can not only detect this suspicious activity across these disparate cloud apps, but it can take action - forcing, for example, multifactor authentication on both devices mid-session.
4. Visibility - With HIPAA compliance requirements, detailed, audit-level logging is a must have for healthcare organizations. CASBs provide this, but a much larger set of visibility functions that can provide great value to the organization. From activity dashboards to alerts and user behavior analytics, a CASB is your one-stop shop for suspicious activity detection, compliance verification, and more. For example, if a user's personal mobile device is lost or stolen, it's a couple of clicks in the CASB dashboard to identify exactly which files (and whether or not those files contain PHI) are resident on the device in question. As a bonus, if you've been smart enough to choose Bitglass as your CASB, you can selectively wipe that data off of the stolen device, even if you've never installed any agents or software to manage the device.

These functions and more are enabling leading healthcare providers to rapidly adopt the public cloud. Learn more about Bitglass' solutions for healthcare organizations here. Or better yet, reach out to us for a free demo of the Bitglass solution