Our blind faith in big cloud | Hospitals and Ransomware
CyberInsights #142 - Snowflake Data Breach | London Hospital hit by ransomware attack
Cloud breaches are an attack vector of serious consequence
Trust your cloud service provider, but know the difference between security-of-the-cloud and security-in-the-cloud
Ticketmaster and Santander were breached.
The data was stored on their cloud service provider - Snowflake.
It is like watching a re-run of a familiar whodunnit. Data is stored in the cloud. The customer (sort of) believes that the cloud service provider has taken care of data security. After all, the provider has a web page full of security certification logos. The service provider, in its documentation, explains security-of-the-cloud and security-in-the-cloud, a concept that roughly translates into “there is only so much we can do to protect your data if you decide to start acting like fools…”
Snowflake says that the data may have been breached, but not because of security issues on its side. It was more likely because the customer did not implement 2FA in their systems.
Take action:
Cloud service providers say “cloud security is a joint responsibility”. Read this post from AWS to understand more about it [LINK].
Remember the famous saying: “There is no cloud. It’s just someone else’s computer.” You are trusting them to do their bit, while you do your bit.
Another hospital ransomware attack…
… another service provider.
Services run by 2 NHS trusts (7 hospitals) have been affected by a ransomware attack.
Another day, another dollar. Ransomware attack at a hospital. Service provider breached. It’s not very new, is it?
This time round, the ransomware started at Synnovis, the pathology partner of the NHS. Evidently, this is the third ransomware attack on the Synlab (parent of Synnovis) group.
Take action:
If you are in healthcare cybersecurity, remember that you are a softer target for ransomware and protect accordingly.
If you are in cyber insurance, are you underwriting healthcare with the appropriate risks accounted for?