“According to Varonis, 41% of organizations had more than 1,000 sensitive files open to every employee, with data such as “credit card information, health records, or personal information subject to regulations like GDPR, HIPAA and PCI” readily available to anyone with access to the system.”
Last week, I came across this article by Jonathan Greig on Tech Republic. It discusses the 2018 Global data risk report by Varonis Systems.
A network with sensitive files open to every employee? For a healthcare provider, that is the stuff of nightmares.
A computer network where data is globally accessible is a mistake that no healthcare provider can afford. Not only does it put our clients at risk of violating HIPAA's minimum necessary rule; it also exposes their network to malware and ransomware, because a single compromised account can reach every open folder. One attack could cause major disruption across the network and result in the theft of valuable PHI. [Not to mention the HIPAA penalties that would follow.]
P.S. Let's not forget the EU's GDPR, too.
2018 Global Data Risk Report
Published by Varonis Systems, the 2018 Global Data Risk Report summarizes the findings of the data risk assessments the company conducted over the preceding year. It covers assessments of 130 organizations in more than 50 countries and across 30+ industries, including insurance, financial services, healthcare, pharma and biotech, IT and computer software, and local, state and regional government.
Here's a five-point synopsis of the 2018 Data Risk Report:
- 41% of companies have over 1,000 sensitive files open to EVERYONE
- 21% of ALL FOLDERS are open to EVERYONE
- 58% have over 100,000 folders open to EVERYONE
- 54% of data is stale (information no longer needed for everyday operations)
- 34% of user accounts are ghost accounts (stale accounts, which often belong to people who have left the organization)
Global accessibility, HIPAA, and the Minimum Necessary Rule
HIPAA's minimum necessary standard restricts healthcare organizations (covered entities) and their business associates from using, disclosing or requesting more than the "bare minimum" of patient health information needed for a given purpose.
It's the first question we put to our clients after introducing them to the term PHI:
"Do you need this information to do your job?"
And if the person is in an executive position, we add:
"What is the least amount of information your team needs in order to do its job?"
Under HIPAA, only those with a "need to know" should be permitted access to health information. Healthcare organizations must ensure that employees and contractors can access only the "bare minimum" of information necessary for them to perform their jobs.
PHI : Global Accessibility : NEVER
Attackers always look for the easiest way in and the easiest way to move around the network. Leaving ghost accounts in place is like hanging your car keys outside the garage door; global accessibility is an equally foolhardy proposition. Once attackers have a foothold on your network, open, globally accessible folders are exactly what they go looking for: any compromised account, however junior, can read them.
Could you think of anything more damaging than having patient health information stored on such a network?
Organizations handling patient information must avoid global access altogether. Both healthcare providers and business associates need to replace global groups (Everyone, Authenticated Users, Domain Users) with tightly managed security groups scoped to the teams that actually need the data. It is also important to get into the habit of auditing file servers periodically, so that any newly created folders or shares with global access are identified (and eliminated).
Another important step for healthcare organizations is to periodically recertify access to sensitive data (PHI): have the data owner or manager confirm who still needs access, and remove the users who no longer do.
Outdated permissions and ghost accounts are attack hotspots, an unnecessary security risk. Here, too, periodic audits are crucial. As Varonis suggests, procedures must be in place to ensure that all user accounts are active, governed and monitored, and that stale accounts are disabled or deleted without delay. Stale accounts with access to patient health information must not be allowed to linger.
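As an added example (this is not Varonis's tooling and not code from the original post), the PowerShell script below audits every folder under a file-server share for access control entries granted to a global principal and, when run with -Remediate, replaces each explicit global ACE with a grant to a named security group. The share path \\fileserver\PHI and the group CORP\PHI-Clinical-RW are assumptions; run it without -Remediate first and review the report.

```powershell
<#
  Added example, not Varonis's tooling or the original post's code.
  Audits folders under a share root for ACEs that grant rights to a global
  principal (Everyone, Authenticated Users, BUILTIN\Users, Domain Users) and
  optionally swaps them for a scoped security group.
  $Root and $ReplacementGroup are assumed values; adjust for your environment.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root = '\\fileserver\PHI',                  # assumed share root
    [string]$ReplacementGroup = 'CORP\PHI-Clinical-RW',  # assumed scoped security group
    [switch]$Remediate
)

# Match global principals by SID so the check works regardless of display language.
$GlobalSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Test-GlobalPrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $false   # unresolvable (orphaned) principal; not a global group
    }
    # "Domain Users" always has RID 513 in its own domain: S-1-5-21-<domain>-513
    return $GlobalSids.ContainsKey($sid) -or $sid -like 'S-1-5-21-*-513'
}

$findings = New-Object System.Collections.Generic.List[object]
$folders  = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    $globalAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Test-GlobalPrincipal $_.IdentityReference)
    })
    if (-not $globalAces) { continue }

    foreach ($ace in $globalAces) {
        $findings.Add([pscustomobject]@{
            Folder    = $folder.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited ACEs are fixed on the parent they came from
        })
    }

    # Only explicit ACEs can be removed here; an inherited one must be removed at its source.
    $explicit = @($globalAces | Where-Object { -not $_.IsInherited })
    if ($Remediate -and $explicit -and
        $PSCmdlet.ShouldProcess($folder.FullName, "Replace global ACEs with $ReplacementGroup")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ReplacementGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)          # grant the scoped group first so nobody is locked out
        foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
    }
}

$findings | Sort-Object Folder | Format-Table -AutoSize
'{0} global ACEs found under {1}' -f $findings.Count, $Root
```

Because the script uses SupportsShouldProcess, `-Remediate -WhatIf` shows which folders would be changed without touching them. Inherited entries are reported but not altered; clearing them at the parent is what removes them from every child, which is usually the real fix for a share that was opened to Everyone at the top.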
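The access recertification and the ghost-account cleanup described in the last two paragraphs can be driven from one report. As an added example (not Varonis's tooling and not from the original post), this PowerShell script lists every current member of the PHI groups with their last logon and manager for recertification, flags enabled accounts that are stale, and with -Disable disables them. The group names PHI-Clinical-RW and PHI-Billing-RO are assumptions; the 90-day threshold is a policy choice.

```powershell
<#
  Added example, not Varonis's tooling or the original post's code.
  Builds an access-recertification report for PHI groups and flags stale
  ("ghost") accounts; with -Disable it disables them (honours -WhatIf/-Confirm).
  $PhiGroups are assumed names; $InactiveDays is a policy choice.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$PhiGroups = @('PHI-Clinical-RW', 'PHI-Billing-RO'),   # assumed group names
    [int]$InactiveDays = 90,
    [string]$ReportPath = ".\phi-access-recert-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$Disable
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Resolve PHI group membership once, recursively, so nested groups are not missed.
$phiMembers = @{}
foreach ($g in $PhiGroups) {
    foreach ($m in Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user') {
        if (-not $phiMembers.ContainsKey($m.SamAccountName)) { $phiMembers[$m.SamAccountName] = @() }
        $phiMembers[$m.SamAccountName] += $g
    }
}

# LastLogonDate comes from the replicated lastLogonTimestamp, which can lag the real
# last logon by up to 14 days; treat "90 days stale" as "at least roughly 76 days stale".
$users = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated, Manager

$report = foreach ($u in $users) {
    $neverLoggedOn = -not $u.LastLogonDate
    # A brand-new account with no logon yet is not a ghost; one created before the cutoff is.
    $isStale = ($neverLoggedOn -and $u.whenCreated -lt $cutoff) -or
               (-not $neverLoggedOn -and $u.LastLogonDate -lt $cutoff)
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Name           = $u.Name
        LastLogonDate  = $u.LastLogonDate
        Created        = $u.whenCreated
        Manager        = $u.Manager            # DN of the person who should recertify
        PhiGroups      = ($phiMembers[$u.SamAccountName] -join ';')
        HasPhiAccess   = $phiMembers.ContainsKey($u.SamAccountName)
        Stale          = $isStale
    }
}

# Recertification list: everyone who currently holds PHI access, stalest first.
$report | Where-Object HasPhiAccess | Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

$ghosts = @($report | Where-Object Stale)
'{0} stale accounts, {1} of them with PHI access' -f $ghosts.Count, @($ghosts | Where-Object HasPhiAccess).Count

if ($Disable) {
    foreach ($g in $ghosts) {
        if ($PSCmdlet.ShouldProcess($g.SamAccountName, 'Disable stale account')) {
            Disable-ADAccount -Identity $g.SamAccountName
            # Record why it was disabled so the next audit can tell deliberate from accidental.
            Set-ADUser -Identity $g.SamAccountName `
                -Description "Disabled: inactive >$InactiveDays days ($(Get-Date -Format yyyy-MM-dd))"
        }
    }
}
```

Disabling rather than deleting keeps the SID and group memberships available for investigation and for reversal if a recertifying manager objects; deletion can follow once the recertification cycle closes. Run with `-Disable -WhatIf` to see what would change before committing.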