A Ponemon Institute survey has found that a lack of emphasis on the protection of data among US healthcare and pharmaceutical companies is leaving employees with greater access to sensitive patient data than they need to do their jobs.
When employee activities are not tracked or audited, an insider or outside attacker that hijacks an employee account can exploit these weaknesses with impunity, leading to devastating consequences.
It’s not a small issue: According to numbers from the US Health and Human Services Department for Civil Rights, there have been more than 290 public disclosures of major health data breaches in the country over the past two years. The attractiveness of sensitive health data to hackers is due to its inclusion of powerful tools for identity theft such as Medicare IDs and social security numbers.
The statistics paint an ugly picture. A full 56% of IT practitioners and 51% of end users said they believe their organizations place just a moderate to low priority on the protection of company data, or no priority at all; 79% of IT personnel said their organization either partially enforces a least-privilege model for data access or does not enforce one at all.
In terms of information access, 65% of employees believe they have access to sensitive data they don't need to do their jobs, with 51% believing they see this data at least frequently. About three-quarters (73%) of employees said they have access to sensitive or confidential information about patients—higher than respondents from any of the other major sectors included in the survey (retail, financial services and public sector employees). Of those employees, 41% report that they and their co-workers can see "a lot of" sensitive data—also more than employees from the other major industries surveyed.
"As healthcare companies increasingly find themselves victimized with data leaks that impact potentially millions of patients and customers, we continue to learn that most of these attacks begin with the compromise of a few employee credentials,” said Yaki Faitelson, co-founder and CEO of Varonis, which sponsored the report. “The damage can be greatly reduced by managing data-access permissions, making sure employees only have access to the data they need to do their jobs, and by monitoring for unusual activity.”
Carmine Clementelli, security expert with PFU Systems, a Fujitsu company, told Infosecurity that forward-thinking healthcare institutions can avoid data breaches with a minimum of investment in some additional areas.
"We believe that [Ponemon’s] statement that ‘most healthcare organizations are still unprepared to address this rapidly changing cyber-threat environment and lack the resources and processes to protect patient data’ is really only half right,” he said in an email. “In fact, there are three simple, inexpensive and resource-light steps that any organization can take to protect PHI: prevention, ongoing self-assessment and hygiene.”
He added that waiting shouldn’t be an option. "The latest spate of security breaches took months and more to detect—with the odds of misuse increasing daily. In fact, the main reason that medical records are so valuable is largely because health and insurance sector breaches take so long to detect, while banking and credit fraud is (sometimes) discovered quickly.”