- March 2, 2022
- Rashmi T K
- 0 Comments
- 157 Views
- 2 Likes
- HIPAA
Organization-Wide PHI Access
Organization-Wide PHI Access is Commonplace at Most Healthcare Orgs
Overexposed data, loose PHI access controls, and unsecured passwords are common practices at healthcare organizations, posing serious data security risks, research shows.
According to research,on an average, nearly 20 percent of files were open to every employee at a given healthcare organization starting on their first day of employment, pointing to troubling data security issues and poor PHI access controls,.
Two-thirds of organizations had 500 or more accounts with passwords that never expire. What’s more, 1 in 10 sensitive files containing proprietary research, PHI, and financial information were freely available to every employee.
Researchers analyzed 3 billion files across 58 healthcare organizations, ranging from hospitals to pharmaceutical companies to the biotech industry. The report broke its findings down further based on organization size and discovered that employees at midsize and small companies had almost unlimited access to one out of every four files on average.
“COVID-19 provided fertile ground for attackers to sow confusion and take advantage of healthcare organizations on the front lines. From hospitals triaging patients around the clock to pharmaceutical companies developing advanced vaccines, cybercriminal groups targeted entities and systems under massive stress,” the report explained.
“Overexposed data, in tandem with an increased number of attacks exhibiting new levels of sophistication, made healthcare one of the most at-risk sectors in 2021.”
This occurrence broadens a bad actor’s potential attack surface and scope and increases the risk of noncompliance in the event of a data breach. Larger organizations tend to have less data available to all employees. However, researchers discovered that large companies experienced the most issues with permissions structures, leading to increased risk.
Under the HIPAA Rule, organizations are required to take measures to safeguard their data to avoid unauthorized access and data breaches. Organizations that neglect those duties can face exorbitant fines, reputation loss, and patient safety risks if attacked.
Enforcing least privilege is a basic step every organization can take to protect data from theft and misuse while ensuring compliance with regulations. Unsecured passwords give hackers an easy entry point into an organization’s network as well. Researchers found that most organizations had hundreds of accounts with passwords that never expired. In addition, 79 percent of organizations had more than 1,000 ghost users enabled. Ghost users refer to accounts that are inactive but still enabled on the network.
While some cyber threats are nearly impossible to eliminate, healthcare organizations have a duty to practice cyber resilience and mitigate risk. Implementing multi-factor authentication is an extremely effective way to safeguard employee accounts. Encrypting files and keeping computers patched are both necessary steps to protecting sensitive health data from harm.
Bottomline: Convenience and insensitivity towards to your organization’s HIPAA compliance can lead to bigger repercussions.