Virtually every person on the planet, excluding babies, knows something about cloud computing, just as they do about computers themselves. That’s because it’s ubiquitous in the digital world. Previously, computing relied heavily on on-premises infrastructure and mainframe time-sharing. Organizations typically owned their own physical servers and software, managing everything themselves.

All of this began changing relatively early in the 21st century and before long it exploded. Cloud computing is superior to traditional IT systems because it relies on the Internet, replacing the need to install and maintain proprietary framework, and offers greater flexibility, scalability, cost-effectiveness, and accessibility.  

It has also been improving, as has cloud security, its foundational pillar, attracting more companies and organizations. According to Precedence Research, the global cloud security market, which grows in tandem with cloud computing, swelled to more than $36 billion last year and is on track to grow to $41 billion this year and a whopping $121 billion by 2034. The United States, the biggest cloud security market globally, has ballooned to $8 billion and is projected to surpass $27 billion by 2034.

But as good as all this sounds, this is no time for a celebration. Cloud security has a huge, persistent problem: It isn’t nearly as secure as it should be, and the biggest culprit of all appears to be the life sciences and healthcare industries, especially considering the sheer number of records exposed.

Why is this? These conservative sectors were slower than others to incorporate innovative digital technologies such as cloud computing, the Internet of Things (IoT), and artificial intelligence into their operations. While this changed markedly during the early days of the Covid-19 pandemic, the slowdown nonetheless undermined their pace of change and still does somewhat. Despite today’s cloud security issues, pre-cloud architectures are still less secure because of fewer sophisticated tools at their disposal and more cumbersome manual processes.

A much bigger issue has been the substantial differences between how the life sciences and healthcare industries go about their business in comparison to other industries.

For example, advanced scalability and organizational agility make it far easier for employees to work remotely and collaboratively, and to share data. Cloud technology also helps life sciences and healthcare industries collate data for supply chain operations much more efficiently. Most important, unlike other industries, life sciences and healthcare have been under growing pressure to develop vaccines and therapies and to work with collaborators.

These are mostly positive developments.  But they also increase cybersecurity risks. Here are some examples of how rapid cloud adoption has been outpacing security maturity:

+ “Lift and Shift” mentality. Many organizations, especially in healthcare, initially rushed to the cloud often spurred by the pandemic, simply moving existing applications and data (“lift and shift”) without following cloud security best practices. This transfers vulnerabilities directly to the cloud.  While this is less common today, fixing it is still expensive and time consuming.

+ Lagging security investment. Historically, healthcare in particular, has invested less in cybersecurity compared to other industries. While it has embraced cloud security and the additional costs it entails, cybersecurity budgets and skilled personnel still tend to fail to keep pace with rapid technological changes, leaving security gaps.

+ Cultural resistance. Predictably, healthcare and life science professionals focus on patient care and scientific discovery. While they also embrace the cloud security learning curve, they still have skill gaps with IT teams focused on cloud security, in part because of their higher priority.  

+ Worst of all, perhaps, healthcare data is highly valuable on the black market. While a credit card might fetch $5 on the black market, a full medical record is believed to easily sell for hundreds of dollars each. And while a credit card number can be canceled quickly, Personally Identifiable Information (PII) , such as names, social security numbers, and health insurance details have a much longer “shelf life” that cannot be easily changed.

While life science and healthcare present the biggest cloud security nemesis, it shouldn’t suggest that other industries don’t also share serious cloud security threats. While numbers vary, IBM, as an example, stated that 82%of data breaches overall were stored in the cloud. Every industry has ample room for improvement.  

In cloud security writ large, the biggest problem – and a long-standing one – is cloud misconfigurations. This refers to any error or mistake in the setup, configuration, or management of cloud resources that creates a vulnerability that can lead to a security breach. According to Gartner, 99% of cloud security failures are the fault of customers, who primarily handle this.

While this puts customers in a bad light, these failures aren’t totally their fault. Navigating cloud security tends to be highly complex. As organizations enhance their cloud security, they typically encounter new challenges, cloud security experts say. This perpetrates a cycle of continuous adaptation, problem-solving, and plenty of headaches. More help is needed.  

Also noteworthy is that some employees are curtailed by budget constraints and/or coordination breakdowns across departments, which, in turn, can lead to a breach.  Yet another troublesome issue revolves around DevSecOps, short for Development, Security, and Operations, a software engineering approach that integrates security throughout the software development cycle. It’s supposed to emphasize collaboration and communication but may be more about disagreements between the importance of security and speedy technical development.

Clearly, several issues need to be flushed out. In the interim, strong access control policies must be adopted and obeyed, continuous monitoring and threat detection must be prioritized, and encryption must be widespread.  Regular security audits must also be standardized. While none of these is an outright solution, these steps can stop a breach in its path or at least mitigate the attack.