HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Organizations are Overconfident About Their Ability to Protect PHI and Control Data Sharing

Healthcare organizations are confident they are protecting regulated data and controlling data sharing, but that confidence appears to be misplaced in many cases, according to a recent report from Netwrix.

Data has a life cycle. When it is no longer required it should be deleted, but oftentimes sensitive data can remain hidden away on networks for long periods of time. Documents containing sensitive information can be stored in the wrong place where they are no longer subject to the protection measures organizations have implemented to keep confidential information secure and prevent unauthorized access. Misplaced data can be exposed for weeks or months.

A recent survey conducted by Netwrix has revealed the extent of the problem. For its 2020 Data Risk & Security Report, Netwrix surveyed 1,045 IT professionals from a wide range of industries and found that 91% were confident that their sensitive data was stored securely. However, a quarter of respondents said they had found sensitive data stored outside designated storage locations in the past 12 months, indicating that this confidence is misplaced. Of the respondents who said they had discovered sensitive data in the wrong place, 43% said the information had been exposed for days and 23% said it was exposed for weeks prior to discovery.

Healthcare providers who took part in the survey were less confident that all sensitive data was stored securely. 52% of healthcare respondents said they were certain all regulated data was stored securely. Out of the 52% that were certain they were storing all regulated data securely, 24% said they had discovered sensitive data in the wrong place in the past 12 months.


65% of surveyed healthcare providers were confident that employees are not using cloud apps to share sensitive data and bypass the controls put in place by the IT department, but that confidence appears to be misplaced. 32% of respondents who were adamant that unauthorized data sharing does not take place were unable to verify their claim because they do not track data sharing at all, and a further 17% can only track data sharing through manual processes.

Out of all industries surveyed, healthcare performed the worst for controlling redundant, obsolete, and trivial (ROT) files. 60% of CIOs at healthcare organizations said they find it difficult to identify ROT files that need to be purged. Data classification technology makes it easier to identify ROT. 43% of healthcare organizations that classify their data say it’s easy to identify ROT compared to 13% that don’t classify their data.

According to the study, only 20% of healthcare organizations regularly delete ROT data. The low figures can be explained by the lack of a data retention policy. 69% of healthcare providers do not have such a policy in place to help them methodically delete data when it is no longer required. That percentage was the highest out of all industries surveyed.
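The survey findings above (regulated data turning up outside designated storage locations, and ROT files that are hard to identify without classification) describe a problem that a simple content classifier plus a retention check can start to surface. The following script is an added example written for this article; it is not Netwrix's tooling or anything from the report. The storage roots, the regex patterns used to flag likely PHI, the six-year retention window and the file inventory are all constructed assumptions for illustration.

```python
import re
from datetime import date

# Constructed locations where regulated data is permitted to be stored (assumption).
DESIGNATED_PHI_ROOTS = ("/srv/ehr/records", "/srv/ehr/archive")

# Minimal content classifier: regexes that hint at regulated data. Commercial
# classification tools use far richer rules; these patterns are illustrative only.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]+\d{6,}\b"),
    "dob": re.compile(r"\bDOB[:\s]+\d{2}/\d{2}/\d{4}\b"),
}

# Assumed retention period: files not modified within this window are ROT candidates.
RETENTION_DAYS = 6 * 365


def classify(text):
    """Return the set of PHI pattern names found in the text (empty set = unclassified)."""
    return {name for name, rx in PHI_PATTERNS.items() if rx.search(text)}


def in_designated_location(path):
    """True when the path sits under one of the approved PHI storage roots."""
    return any(path.startswith(root.rstrip("/") + "/") for root in DESIGNATED_PHI_ROOTS)


def audit(files, today):
    """Classify each file, then flag (a) regulated data stored outside designated
    locations and (b) files past the retention window. `files` is a list of dicts
    with keys path, contents and last_modified (a date)."""
    misplaced, expired = [], []
    for f in files:
        labels = classify(f["contents"])
        age_days = (today - f["last_modified"]).days
        if labels and not in_designated_location(f["path"]):
            misplaced.append(f["path"])
        if age_days > RETENTION_DAYS:
            expired.append(f["path"])
    return {"misplaced": misplaced, "expired": expired}


# Constructed inventory standing in for a crawl of file shares and home directories.
SAMPLE_FILES = [
    {"path": "/srv/ehr/records/patient_1001.txt",
     "contents": "MRN: 1234567 DOB: 01/02/1960 visit notes",
     "last_modified": date(2020, 1, 10)},
    {"path": "/home/jsmith/Desktop/export.csv",          # PHI copied to a desktop
     "contents": "name,ssn\nJ. Doe,123-45-6789",
     "last_modified": date(2019, 11, 2)},
    {"path": "/srv/ehr/archive/old_2010.txt",            # in place, but past retention
     "contents": "MRN: 7654321 discharge summary",
     "last_modified": date(2010, 3, 3)},
    {"path": "/srv/shared/newsletter.txt",               # trivial and obsolete
     "contents": "Staff newsletter, spring edition",
     "last_modified": date(2012, 5, 5)},
]

if __name__ == "__main__":
    for category, paths in audit(SAMPLE_FILES, date(2020, 7, 1)).items():
        print(category, paths)
```

Run on the constructed inventory, `audit` reports the desktop CSV as misplaced PHI and both decade-old files as retention-expired; the misplaced file is the case the survey respondents said took days or weeks to notice, and the expired list is the input a retention policy needs before anything can be purged methodically.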

HIPAA requires access controls to be implemented to prevent unauthorized individuals from accessing protected health information, and those access rights must be reviewed regularly. When access to regulated data is no longer required, access rights must be updated accordingly. Netwrix found that 55% of healthcare organizations do not regularly review access rights to PHI and 70% do not review access rights to archived data, in violation of HIPAA.
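The access review requirement above is straightforward to check mechanically once grants are exported from the file system or directory. The script below is an added example for this article, not Netwrix's product or any HIPAA-mandated procedure; HIPAA requires "regular" review but fixes no interval, so the 90-day review cadence and 90-day dormancy threshold, and the list of grants, are constructed assumptions.

```python
from datetime import date

# Assumed cadence for this example: HIPAA requires regular review but sets no fixed interval.
REVIEW_INTERVAL_DAYS = 90
# Assumed dormancy threshold: a grant unused this long is a candidate for removal.
DORMANT_DAYS = 90


def _older_than(when, today, limit_days):
    """True when `when` is missing or more than `limit_days` before `today`."""
    return when is None or (today - when).days > limit_days


def review_access(grants, today):
    """Flag grants whose review is overdue and grants that are dormant.

    `grants` is a list of dicts with keys principal, resource,
    last_reviewed (date or None) and last_used (date or None).
    Returns a dict of reason -> list of "principal@resource" keys."""
    findings = {"review_overdue": [], "dormant": []}
    for g in grants:
        key = f"{g['principal']}@{g['resource']}"
        if _older_than(g["last_reviewed"], today, REVIEW_INTERVAL_DAYS):
            findings["review_overdue"].append(key)
        if _older_than(g["last_used"], today, DORMANT_DAYS):
            findings["dormant"].append(key)
    return findings


# Constructed grants standing in for an ACL export joined with access logs.
SAMPLE_GRANTS = [
    {"principal": "alice", "resource": "/srv/ehr/records",
     "last_reviewed": date(2020, 5, 15), "last_used": date(2020, 6, 28)},
    {"principal": "bob", "resource": "/srv/ehr/records",
     "last_reviewed": date(2019, 12, 1), "last_used": date(2020, 6, 30)},
    {"principal": "carol", "resource": "/srv/ehr/archive",   # archived data, never reviewed
     "last_reviewed": None, "last_used": None},
    {"principal": "dave", "resource": "/srv/ehr/records",
     "last_reviewed": date(2020, 6, 1), "last_used": date(2020, 1, 15)},
]

if __name__ == "__main__":
    for reason, keys in review_access(SAMPLE_GRANTS, date(2020, 7, 1)).items():
        print(reason, keys)
```

The archive grant with no review and no recorded use is the pattern behind the 70% figure for archived data; a dormant grant on live records (dave) is the "no longer required" case the rule says must be updated, and an active but unreviewed grant (bob) still fails the review requirement even though the access is in use.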

The HIPAA Right of Access allows patients to obtain a copy of their health information, and the California Consumer Privacy Act (CCPA) gives consumers the right to access their data. 55% of healthcare organizations said handling data subject access requests (DSARs) puts pressure on their IT teams. The burden can be eased by using data classification technology. Organizations that have implemented data classification technology and classify data at the point of collection say they are able to satisfy DSARs in a third of the time.

Justifying a budget allocation for data classification technology could prove difficult, since IT teams need to provide security metrics to senior managers before additional funds are approved. While 47% of organizations expect budget increases this year, only 16% said they have the security metrics to justify budget increases to senior managers. Senior managers are increasingly asking for metrics to justify expenditure and need to see that there will be a return on any investment.

“Cybersecurity leaders need to find more effective ways to manage data security risks and show return on investment to the executive team,” said Netwrix CEO, Steve Dickson. “Gaining more visibility into data, internal processes and user activity will enable them to prioritize their efforts, mitigate security and compliance risks more efficiently, and prove the effectiveness of their investments.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.