March 30, 2021 (updated 29 Mar 2021 5:33pm)

Sensitive healthcare files can be accessed by everyone, including ghosts

By Lewis Page

Most healthcare organisations are data time bombs waiting to explode, according to a new report into data risk in the sector.

According to security firm Varonis, huge numbers of sensitive files containing heavily regulated information such as personal health records can be accessed by inappropriately large groups of employees across healthcare. The report, which Varonis says covered 3 billion files across 58 organisations including hospitals, pharma companies and biotech firms, does give some startling numbers.

Across the organisations surveyed, some 31,000 highly sensitive files were open to everyone in their organisation. “Highly sensitive” in this context was defined as financial information, proprietary research or personal medical data falling under legal regimes such as the Health Insurance Portability and Accountability Act (HIPAA) in the US and the General Data Protection Regulation (GDPR), which applies to the UK and the EU. Organisations found to have secured HIPAA data inadequately can be fined $1.5m per year; those found to have violated GDPR can be hit even harder, to the tune of €20m or 4% of annual revenue.

The report said that more than one in 10 sensitive files were open to every employee, with the average employee having access to more than 11 million files in total. And the problem is not only that too many current employees can view files. Three-quarters of the organisations surveyed had more than 1,000 “ghost users” – inactive but still enabled user accounts – on their systems.
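The two findings above, sensitive files readable by broad groups and enabled-but-inactive accounts, are both things an organisation can audit from its own directory and file-server exports. The script below is an added illustration, not code from the article or from Varonis; the account list, file list, ACL group names and the 90-day inactivity threshold are constructed assumptions, and a real run would feed in exports from the identity provider and the file servers instead.

```python
from datetime import date, timedelta

# Constructed sample inventory (assumption, not data from the report).
# Each account: login name, whether it is still enabled, and its last successful login.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2021, 3, 20)},
    {"user": "bob",   "enabled": True,  "last_login": date(2020, 6, 1)},   # stale but enabled
    {"user": "carol", "enabled": False, "last_login": date(2019, 1, 1)},   # disabled: not a ghost
    {"user": "dave",  "enabled": True,  "last_login": None},               # never logged in
]

# Each file: path, whether it holds regulated/sensitive data, and its ACL
# as a mapping of principal -> permission.
FILES = [
    {"path": "/share/hr/payroll.xlsx",        "sensitive": True,  "acl": {"Everyone": "read"}},
    {"path": "/share/research/trial-42.csv",  "sensitive": True,  "acl": {"research-team": "read"}},
    {"path": "/share/public/menu.pdf",        "sensitive": False, "acl": {"Everyone": "read"}},
    {"path": "/share/patients/records.db",    "sensitive": True,  "acl": {"Domain Users": "read", "dba": "write"}},
]

# Principals that effectively mean "every account in the organisation" (assumed names).
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}


def ghost_users(accounts, as_of, max_idle_days=90):
    """Enabled accounts that have not logged in within max_idle_days (or never)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a["user"]
        for a in accounts
        if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)
    )


def overexposed_files(files, broad_groups=BROAD_GROUPS):
    """Sensitive files whose ACL grants access to an organisation-wide group."""
    return sorted(
        f["path"] for f in files
        if f["sensitive"] and broad_groups & set(f["acl"])
    )


def summarize(accounts, files, as_of, max_idle_days=90):
    """Headline numbers in the style of the report: counts and share of exposed files."""
    ghosts = ghost_users(accounts, as_of, max_idle_days)
    exposed = overexposed_files(files)
    sensitive_total = sum(1 for f in files if f["sensitive"])
    share = round(100 * len(exposed) / sensitive_total, 1) if sensitive_total else 0.0
    return {
        "ghost_users": ghosts,
        "overexposed_files": exposed,
        "sensitive_files": sensitive_total,
        "overexposed_pct": share,
    }


if __name__ == "__main__":
    report = summarize(ACCOUNTS, FILES, date(2021, 3, 30))
    print(f"Ghost users ({len(report['ghost_users'])}): {', '.join(report['ghost_users'])}")
    print(f"Sensitive files open to broad groups: {len(report['overexposed_files'])} "
          f"of {report['sensitive_files']} ({report['overexposed_pct']}%)")
    for path in report["overexposed_files"]:
        print("  -", path)
```

Both checks are intentionally simple: the ghost-user rule keys only on "enabled and idle", which is what the report's definition describes, and the exposure rule flags any ACL entry for an organisation-wide principal regardless of the permission level, since even read access to regulated data is the problem the report counts.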

The Varonis report makes sobering reading, especially against the background of increasing data breaches in the healthcare industry. An earlier report into personal health data by GlobalData Thematic Research revealed that healthcare data breaches recorded annually by the US Department of Health and Human Services rose from fewer than 300 to more than 500 over the five years from 2015.

Any healthcare CIOs or data compliance officers reading this may want to review their access policies, perhaps starting with least privilege. There’s more on healthcare data in the latest issue of Verdict magazine, out now.