The effectiveness of access controls in clinical data exchange

Uri S
January 17, 2022

SharePoint or not. Hint – not.

Transferring a dump of clinical trial data?

A data manager recently suggested to us that he could share the clinical data using their SharePoint server.

This is a very bad idea. It’s possible that the data manager’s IT manager has secured their SharePoint server with best practices, but it’s highly unlikely that the security threats have been mitigated.

SharePoint has a large number of vulnerabilities. As of writing: 67 spoofing vulnerabilities, 59 information disclosure vulnerabilities, and 250 remote code execution vulnerabilities.

We gently suggested using SSH. After hearing that the data manager’s IT group did not permit installing software like WinSCP, we gently suggested sending a password-protected zip file via WeTransfer.

Why access control is a bad security countermeasure for your clinical data

With all due respect to Varonis and access controls in general (SharePoint alone is a fertile market for data security), the problem with internally launched attacks is that they are all carried out by the “right” people and/or by software agents that have the “right” access rights.

There are 3 general classes of internal attacks that are never going to be mitigated by access controls:

Trusted insider theft

A trivial example is a director of new technology development at a small high-tech startup who would have access to all of the company’s IP, the competitive analyses, patent applications and minutes of conversations with all the people who ever stopped in to talk about the startup’s technology. That person has access by definition, but when he takes his data and moves it out of the network using a back-door, a proxy, an HTTP GET or just a plain USB drive or Gmail account, there is no way an Active Directory access control will be able to detect that as “anomalous behavior”.

Social engineering

Collusion between insiders, gaming the system, taking advantage of friends and DHL messengers who go in and out of the office all the time with their bags.

Side channel attacks

Detecting data at a distance, for example with acoustic or TEMPEST attacks, or by watching parking lot traffic patterns.

 

In summary:

When you send clinical data sets to a supplier, partner or person outside your organization, think about trusted insiders and whether you can trust internal systems like SharePoint.

Secure file copy using SSH public keys is the best, simplest and most secure way to protect your clinical data, your project, your investors and your career.
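As an added illustration of the key-based copy recommended above (not code from the original article; the function names, key path and destination are placeholders), these helpers create a dedicated key pair, build a SHA-256 manifest of the data set, copy it with scp using public-key authentication only, and let the recipient verify what arrived:

```bash
#!/usr/bin/env bash
# Added example. Host, account and paths are assumptions, not from the article.

# Sender, once: create a dedicated Ed25519 key pair for this exchange.
# ssh-keygen prompts for a passphrase; send only the .pub file to the recipient.
make_transfer_key() {
    local keyfile=$1
    ssh-keygen -t ed25519 -f "$keyfile" -C "clinical-transfer"
}

# Sender: write a SHA-256 manifest covering every file in the data set.
make_manifest() {
    local dir=$1
    ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 -r sha256sum > MANIFEST.sha256 )
}

# Recipient: succeed only if every listed file is present and unmodified.
verify_manifest() {
    local dir=$1
    ( cd "$dir" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Sender: copy the data set, refusing password login and unknown host keys.
# StrictHostKeyChecking=yes requires the server's host key to be in
# known_hosts already, with its fingerprint confirmed out of band.
send_dataset() {
    local dir=$1 keyfile=$2 dest=$3   # dest like user@host.example:/incoming/
    make_manifest "$dir" || return 1
    scp -r -i "$keyfile" \
        -o IdentitiesOnly=yes \
        -o PasswordAuthentication=no \
        -o StrictHostKeyChecking=yes \
        "$dir" "$dest"
}
```

The recipient runs `verify_manifest` on the received directory; a non-zero exit status means a file is missing or was altered in transit.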
