Several healthcare entities have reported data breaches after being notified of a “privacy incident” by Med-Data, a vendor providing revenue cycle services to hospitals, healthcare systems, and their patients. This privacy incident involves a leaky cloud service and has exposed the personal information of thousands of individuals, since at least December 2020.
But the culprit is not the cloud service you would normally expect (yes, I am talking about the usual suspects: AWS S3 or Microsoft Azure). In this case, a former Med-Data employee uploaded the information to personal folders within multiple public repositories in… GitHub, a cloud service that, in theory, is not supposed to be used as a storage for PHI.
Why a SaaS meant to support code development could end up leaking PHI is still a mystery to me. I could argue that users tend to (ab)use the services there are more familiar with even for improper purposes. In any case, this incident reminds us all of the risks of cloud misconfigurations from which no service is theoretically immune: cloud services provide a boost in agility and productivity, but they can also expose organizations to new risks without the proper controls.
How Netskope mitigates this threat
The Netskope Next Gen SWG provides granular control for GitHub (and thousands of additional cloud applications) in terms of adaptive access control, DLP, and Threat Protection. Netskope can recognize a dozen of activities for GitHub (such as upload, download, create and share), and in this specific case can prevent the upload of PHI by an employee via one of the predefined DLP profiles.
Additional controls are possible via the API protection in the CASB module. For example, an organization can be alerted if a repository is made public. Simple configurations to mitigate the risks of data breaches and leaky cloud services.