Study Explains Healthcare Staff Have Unnecessary Access to Significant Amounts of PHI

A new study has pointed out extensive security breakdowns at healthcare institutions, which include inadequate access controls, few prohibitions on access to protected health information (PHI), and terrible password practices, which are placing sensitive information in jeopardy.

The study, done by Varonis, a data security and insider threat detection platform provider, analyzed about 3 billion files at 58 healthcare companies, such as healthcare providers, pharmaceutical corporations, and biotechnology organizations. The purpose of the study was to know whether security controls were put in place to safeguard sensitive data and to allow establishments to better recognize their cybersecurity weaknesses in the face of escalating threats.

The Health Insurance Portability and Accountability Act (HIPAA) demands access to PHI be confined to workers who must view PHI for work reasons. Whenever access is approved, the HIPAA minimum essential standard is applicable, and merely the minimum amount of PHI must be accessible. Each user needs to be given a unique username to track PHI access. Passwords are needed to check users, according to the HIPAA Security Rule.

The results of the Varonis research were circulated in the 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech. It revealed that an average healthcare staff has access to 31,000 sensitive records made up of PHI, fiscal, and proprietary information on their first day on the job. Those files were saved on sections of the network that all employees can access.

In general, 20% of each firm’s files are available to every staff, though in many occasions access is not necessary to carry out work tasks. 50% of companies investigated had over 1,000 sensitive data accessible to all staff, and one in four records at small healthcare companies can be seen by every worker. There were no controls on access to 1 in 10 records that had PHI or intellectual property.

It was discovered that smaller companies have an outrageous volume of exposed records, which include sensitive data files, intellectual property, and patient reports. On the first day at work, new personnel at small organizations have quick access to above 11,000 exposed data, and approximately one-half of them have sensitive details.

To lower risk, it is important to follow the principle of least privilege. When employees are granted extended access to sensitive details, there is a higher possibility for insider data theft. In case their credentials are compromised in a phishing attack, it gives external threat actors easy access to large volumes of information.

The issue is worsened by weak password practices. 77% of organizations studied for the research had 501 or more accounts having passwords that never expire, and 79% of institutions had over 1,000 ghost accounts. Hackers can make use of these accounts to get a quick way to access sensitive records and navigate networks and file structures unseen.

According to the Verizon Data Breach Investigations Report, there is a 58% rise in data breaches in 2020 and cyber attackers are actively targeting the healthcare, pharma, and biotech companies to steal sensitive information, intellectual property, and vaccine research files. The health care field has the largest data breach expenditures which the IBM Security Cost of a Data Breach Report stated as $7.13 million for each breach. Businesses that don’t control access to protected healthcare information can likewise face serious financial penalties as much as $1.5 million per annum, per violation classification.

To address significantly malicious and innovative cyberattacks, hospitals, pharmaceutic businesses, and biotech’s should double down on perfecting incident response processes and mitigation initiatives. Enforcing least privilege, locking down sensitive records, and controlling lateral movement in their networks are the utter basic minimum preventative measures that healthcare businesses must take.