Study Reveals Healthcare Organizations Are Overexposing Sensitive Data

Limiting access to protected health information (PHI) is one of the fundamental requirements of the Health Insurance Portability and Accountability Act (HIPAA) Rules, including the Privacy Rule's "minimum necessary" standard, but a recent study conducted by Varonis has shown that many healthcare organizations fall short of it and provide broad access to files containing sensitive data such as PHI, even to employees who do not need PHI to perform their work duties.

The study found that, on average, around 20% of files at healthcare organizations, pharmaceutical firms, and biotechnology companies are accessible to all employees from their first day of employment. One in ten files containing sensitive data, be that PHI, financial information, or proprietary research, could be accessed by every employee.

For its 2021 Data Risk Report, Varonis analyzed more than 3 billion files at 58 healthcare organizations, including hospitals, pharmaceutical firms, and biotechnology companies. The report broke down the findings by organization size. Large healthcare organizations performed best, but they still had large quantities of sensitive files available to all employees, and they were more likely than smaller firms to have problems with their permission structures, which increased risk.

Mid-sized and small healthcare organizations had more overexposed data, with one in four files containing sensitive information accessible to all employees. That equates to around 11,000 files open to every employee from their first day of employment, around half of which contain sensitive information.

“Overexposed data, in tandem with an increased number of attacks exhibiting new levels of sophistication, made healthcare one of the most at-risk sectors in 2021,” explained Varonis in the report. “More than half of hospitals, pharmaceutical companies, and biotech firms have over 1,000 sensitive files exposed to every employee.” One-third of organizations had more than 10,000 files available to all employees.

When employees are granted broad permissions and can reach files that are not needed for their work duties, risk increases. Malicious insiders can steal large amounts of sensitive data and sell it to competitors or identity thieves. Broad access also significantly enlarges the blast radius of any account compromise: the theft of even a low-level employee's credentials could allow an external threat actor to exfiltrate large quantities of sensitive data without needing to escalate privileges. The failure to restrict access to PHI also places organizations at risk of substantial fines for non-compliance with the HIPAA Rules.
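The report's headline metric, the share of files readable by every employee, can be measured on your own file servers. The following PowerShell script is an added example and is not code from Varonis or from the report; it assumes Windows file shares in an Active Directory domain (the report does not name the platform), and the share path and the list of "everyone" groups are placeholders to adjust for your environment.

```powershell
# Added example: inventory files whose ACL grants read access to a group that
# effectively means "every employee". Not from the Varonis report.
# Assumptions: Windows file share, AD domain, placeholder path and group names.
$SharePath   = '\\fileserver\shares\Clinical'        # assumed path
$BroadGroups = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"
)
# ReadData is the bit that lets a principal open the file for reading;
# Modify and FullControl include it, so they are caught as well.
$ReadMask = [System.Security.AccessControl.FileSystemRights]::ReadData

$files = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue

$findings = foreach ($file in $files) {
    try { $acl = Get-Acl -LiteralPath $file.FullName } catch { continue }
    # Only Allow ACEs are evaluated here; a Deny ACE for the same group would
    # override them, so treat hits as candidates for review, not proof.
    $broad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadGroups -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band [int]$ReadMask) -eq [int]$ReadMask)
    }
    if ($broad) {
        [pscustomobject]@{
            Path      = $file.FullName
            GrantedTo = (@($broad.IdentityReference.Value) | Sort-Object -Unique) -join ';'
            Inherited = (@($broad.IsInherited) -contains $true)   # inherited ACEs point at a parent folder to fix
        }
    }
}

$findings = @($findings)
if ($files.Count -gt 0) {
    '{0} of {1} files ({2:N1}%) under {3} are readable by every employee' -f `
        $findings.Count, $files.Count, (100 * $findings.Count / $files.Count), $SharePath
}
$findings | Export-Csv -Path '.\overexposed-files.csv' -NoTypeInformation
```

On a large share, scan the folder ACLs first (Get-ChildItem -Directory) and only descend into folders that grant broad access; because most file ACEs are inherited, that finds the same exposure at a fraction of the cost, and the Inherited column tells you which parent folder to fix rather than the individual file. The group list is deliberately narrow; any organization-wide security group that contains all staff belongs in it.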

The study also found that access controls were insufficient and there were issues with password policies. The majority of the organizations studied had hundreds of accounts with passwords set to never expire, a risky practice: a password that is never rotated gives an attacker unlimited time to guess it and, once it has leaked, remains valid indefinitely. 79% of the organizations studied had more than 1,000 ghost accounts, which is also a major security risk. Ghost accounts are inactive accounts that are still enabled on the network. Nobody is watching them, so if their passwords are compromised, threat actors can use them to access data on the network without triggering the attention a working employee's account would.

One of the most important principles of cybersecurity is least privilege: employees are given access only to the systems and data they need to complete their work duties. While guidance on enforced password rotation has been updated and frequent mandatory changes are no longer considered a best practice, that is not a reason to mark accounts as never expiring; such accounts tend to escape review entirely, and their passwords should still be changed when there is any indication of compromise. Accounts that are no longer in use should be disabled, and multi-factor authentication should be implemented on all accounts.
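The two account conditions the study flags, non-expiring passwords and enabled-but-inactive accounts, can both be pulled from Active Directory with a short audit. The script below is an added example, not code from Varonis or from the report; it assumes an AD domain with the ActiveDirectory RSAT module installed, and the 90-day inactivity threshold and the service-account OU that is excluded from bulk disabling are assumptions to tune locally.

```powershell
# Added example: audit AD users for non-expiring passwords and ghost accounts.
# Not from the Varonis report. Assumes the ActiveDirectory module; the
# threshold and OU below are placeholders.
Import-Module ActiveDirectory

$InactiveDays     = 90
$ServiceAccountOU = 'OU=Service Accounts,DC=example,DC=com'   # assumed; reviewed by hand, never bulk-disabled
$cutoff           = (Get-Date).AddDays(-$InactiveDays)

# 1. Enabled users whose password is flagged "never expires" (a userAccountControl bit).
$neverExpire = @(Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, DistinguishedName, PasswordLastSet, LastLogonDate)

# 2. Enabled users with no logon since the cutoff. Search-ADAccount uses
#    lastLogonTimestamp, which replicates with up to a 14-day lag, so the
#    threshold should be well above 14 days. Accounts that have never logged on
#    are reported as inactive too, so brand-new accounts are filtered out by
#    creation date.
$ghosts = @(Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated } |
    Where-Object { $_.whenCreated -lt $cutoff })

'{0} enabled accounts have non-expiring passwords' -f $neverExpire.Count
'{0} enabled accounts have been inactive for {1}+ days' -f $ghosts.Count, $InactiveDays

$neverExpire | Sort-Object PasswordLastSet | Format-Table SamAccountName, PasswordLastSet, LastLogonDate -AutoSize
$ghosts | Sort-Object LastLogonDate | Format-Table SamAccountName, LastLogonDate, whenCreated -AutoSize

# 3. Remediate ghosts outside the service-account OU. -WhatIf only previews the
#    change; remove it once the list has been reviewed.
$ghosts |
    Where-Object { $_.DistinguishedName -notlike "*,$ServiceAccountOU" } |
    Disable-ADAccount -WhatIf
```

Disabling rather than deleting keeps the SID and group memberships available if an account turns out to be a seasonal worker's or a break-glass account, and it still removes the account as a usable credential. The non-expiring list is for review, not automatic change: many of those entries will be service accounts that need a managed service account or a vault-rotated secret instead of a human-style expiry policy.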

“To get in front of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotechs need to double down on maturing incident response procedures and mitigation efforts,” concluded Varonis. “Enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organizations need to take.”