HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk.

The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats.

The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to PHI to be tracked. Passwords are required to authenticate users, with the HIPAA Security Rule requiring HIPAA-regulated entities to implement, “procedures for creating, changing, and safeguarding passwords.”

The Varonis study, the results of which were published in its 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech, revealed an average healthcare worker has access to 31,000 sensitive files containing PHI, financial, and proprietary data on their first day of work. Those files were stored on parts of the network that can be accessed by all employees.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

On average, 20% of each organization’s files are open to every employee, even though in many cases access was not required to complete work duties. 50% of organizations investigated had more than 1,000 sensitive files open to all employees, and one in four files at small healthcare organizations could be accessed by every employee. There were no restrictions on access to 1 in 10 files that contained PHI or intellectual property.

“We discovered that smaller organizations have a shocking amount of exposed data, including sensitive files, intellectual property, and patient records. On their first day, new employees at small companies have instant access to over 11,000 exposed files, and nearly half of them contain sensitive data,” explained Varonis in the report. “This creates a massive attack surface and increases the risk of noncompliance in the event of a data breach.”

To reduce risk, it is vital to operate under the principle of least privilege. If employees are given broad access to sensitive information, not only does that increase the opportunity for insider data theft, if their credentials are compromised in a phishing attack, external threat actors will have easy access to huge volumes of data.

The problem is made worse by poor password practices. 77% of companies studied for the report had 501 or more accounts with passwords set to never expire, and 79% of organizations had more than 1,000 ghost accounts. Ghost accounts are inactive accounts that have not been disabled. These accounts give hackers an easy way to access sensitive data and traverse networks and file structures undetected.

According to the Verizon Data Breach Investigations Report, data breaches increased by 58% in 2020 with cyber threat actors actively targeting the healthcare, pharma, and biotech industries to steal sensitive data, intellectual property, and vaccine research data. The healthcare industry has the highest data breach costs which, according to the IBM Security Cost of a Data Breach Report, are $7.13 million per breach. Organizations that fail to restrict access to protected healthcare information can also face heavy financial penalties, which under HIPAA/HITECH are up to $1.5 million per year, per violation category.

“To get in front of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotech’s need to double down on maturing incident response procedures and mitigation efforts,” said Varonis. “Enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organizations need to take.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.