Organization-Wide PHI Access is Commonplace at Most Healthcare Orgs

October 26, 2021 - On average, nearly 20 percent of files were open to every employee at a given healthcare organization starting on their first day of employment, pointing to troubling data security issues and poor PHI access controls, according to research conducted by Varonis.  

Two-thirds of organizations had 500 or more accounts with passwords that never expire. What’s more, 1 in 10 sensitive files containing proprietary research, PHI, and financial information were freely available to every employee.

Varonis researchers analyzed 3 billion files across 58 healthcare organizations, ranging from hospitals to pharmaceutical companies to the biotech industry. The report broke its findings down further based on organization size and discovered that employees at midsize and small companies had almost unlimited access to one out of every four files on average.

“COVID-19 provided fertile ground for attackers to sow confusion and take advantage of healthcare organizations on the front lines. From hospitals triaging patients around the clock to pharmaceutical companies developing advanced vaccines, cybercriminal groups targeted entities and systems under massive stress,” the report explained.

“Overexposed data, in tandem with an increased number of attacks exhibiting new levels of sophistication, made healthcare one of the most at-risk sectors in 2021.”

A terabyte contains 1.3 million files on average. About 2 percent, or 20,000 files contain sensitive information. An analysis of healthcare data per terabyte revealed that new employees at small healthcare organizations had instant access to over 11,000 exposed files, with nearly half containing sensitive data.

This occurrence broadens a bad actor’s potential attack surface and scope and increases the risk of noncompliance in the event of a data breach. Larger organizations tend to have less data available to all employees. However, researchers discovered that large companies experienced the most issues with permissions structures, leading to increased risk.

Under the HIPAA Privacy Rule, organizations are required to take measures to safeguard their data to avoid unauthorized access and data breaches. Organizations that neglect those duties can face exorbitant fines, reputation loss, and patient safety risks if attacked.

“More than half of hospitals, pharmaceutical companies, and biotech firms have over 1,000 sensitive files exposed to every employee,” the report continued.

“One-third of the organizations we evaluated have over 10,000 files open to every employee. Enforcing least privilege is a basic step every organization can take to protect data from theft and misuse while ensuring compliance with regulations.”

Unsecured passwords give hackers an easy entry point into an organization’s network as well. Researchers found that most organizations had hundreds of accounts with passwords that never expired. In addition, 79 percent of organizations had more than 1,000 ghost users enabled. Ghost users refer to accounts that are inactive but still enabled on the network.

While some cyber threats are nearly impossible to eliminate, healthcare organizations have a duty to practice cyber resilience and mitigate risk. Implementing multi-factor authentication is an extremely effective way to safeguard employee accounts. Encrypting files and keeping computers patched are both necessary steps to protecting sensitive health data from harm.