Today Netskope, the leader in cloud security, announces the result of a Freedom of Information (FOI) request into cloud app use in the NHS, which found that almost half of Trusts do not monitor cloud app use by employees.
This new data was obtained by an FOI request, issued to 80 of the UK’s Acute NHS Trusts, with 43 organisations responding. Based on those responses, over half of NHS Trusts (53 per cent) believe all unsanctioned cloud apps are completely blocked, yet at the same time fewer than one in five NHS Trusts (19 per cent) confirmed that all cloud app use is monitored.
Taken together, these findings highlight the possibility of risk arising from a belief that all cloud app use has been blocked. Without ongoing monitoring, there is still a risk that sensitive data are being uploaded and/or shared via cloud apps being downloaded and used without IT’s permission.
This suspected lack of visibility into cloud app use was borne out by the other findings from the FOI request. For example, 30 per cent of respondents were unsure how many cloud apps – both sanctioned and unsanctioned – were used by employees. While a further 35 per cent were able to pinpoint a specific number of cloud apps in use, the figures given were extremely low at an average of just 10.4 cloud apps per NHS Trust. This is compared to the 824 cloud apps found on average in organisations across EMEA by the latest Netskope Cloud Report. The low figures given for cloud app use continue to suggest that NHS Trusts have very limited visibility into the cloud apps used by employees and therefore may also have restricted visibility into the data being uploaded/shared through cloud apps.
The findings revealed that this lack of visibility into cloud app use may be creating a certain level of complacency amongst NHS Trusts. Despite just 19 per cent of NHS Trusts monitoring all cloud app use, 35 per cent stated that absolutely no cloud apps were in use. Many Trusts assume staff are not using unsanctioned cloud apps but do not monitor use to guarantee this fact. This unfounded confidence is highlighted further by the fact that 75 per cent of the NHS Trusts that did not know whether they monitor cloud app use also stated that absolutely no cloud apps are in use.
Highlighting the potential threats posed by cloud app use, recent Netskope research found that, on average, 26 pieces of malware are found in cloud apps across a given organisation and 43.7 per cent of this malware has delivered ransomware. In addition, with the EU General Data Protection Regulation due to take effect in May 2018, Netskope research has identified that 75.4 per cent of apps in use are not GDPR ready. Despite the potential threats of unchecked cloud app use, almost half of all NHS Trusts (47 per cent) do not monitor all cloud app use by employees while more than one third (35 per cent) do not block unsanctioned cloud apps.
Commenting on these findings, Jonathan Mepsted, managing director UK at Netskope, says:
“While the NHS has shown great commitment to digitally transforming the patient experience, our data shows a concerning lack of awareness – both in terms of the potential security threats stemming from the cloud and also the data being stored and shared by employees through cloud apps. Given the NHS deadline to go paperless by 2020 and the resulting push towards a digital-first strategy, NHS Trusts will need to ensure the correct security controls are in place in order to remain vigilant to the possible threats posed by cloud apps and take proactive measures to secure data in the cloud.
“Although apps offer significant productivity benefits, when left unchecked they can also pose serious risks for organisations such as fines for non-compliance and reputational damage. The healthcare sector in particular handles a huge cross-section of sensitive data, including large amounts of personally identifiable information relating to citizens’ health. It is absolutely vital that this sensitive data is kept secure. An appropriate strategy around cloud app use is a vital piece of this security issue.
“With a growing appetite for sensitive medical data amongst cyber criminals, the healthcare industry needs to respond by ensuring IT teams have the tools they need not only to have visibility into employee app use and activity, but also to have deeper intelligence, protection, and remediation that can help them stop malware in its tracks. As the cloud threat landscape becomes increasingly complicated, steps must be taken to ensure that patient privacy and security remain a top priority.”
Methodology
Netskope issued a Freedom of Information (FOI) request to 80 UK Acute NHS Trusts, asking the following questions:
- Do you block the use of cloud apps not officially purchased or sanctioned by your department’s IT team? (Cloud apps are apps such as Dropbox, Box, Google Drive, iCloud, WeTransfer, etc., which operate in the cloud and therefore do not necessarily need to be downloaded to a PC/laptop/mobile device to be used.)
- How many cloud apps are in use by employees in your department? Please include both those apps purchased or sanctioned by IT, and unsanctioned apps i.e. used by employees without IT’s permission. If you do not know whether/how many unsanctioned apps are in use, please state this and provide the number of sanctioned/authorised cloud apps.
- Do you monitor cloud app use by employees in either sanctioned or unsanctioned apps, for example by monitoring what data are uploaded and/or shared using cloud apps?
NB: Netskope received responses from 43 of the 80 NHS Trusts.