Access granted: How providers aren’t locking down their files

A new security report finds the average institution leaves terabytes of sensitive information exposed to unauthorized parties.
By Benjamin Harris
12:02 PM

Nearly a quarter of files in a given institution, on average, are available for everyone to see, according to this year's annual Global Data Risk Report from Varonis.

Half of the organizations surveyed had also exposed thousands of sensitive files to all of their employees, and both trends showed a marked increase over last year.

Employee and patient data were left open for anyone to see through wrong or broken permissions, Varonis found, and for each terabyte of data there were tens of thousands of files, on average, that were improperly exposed, carried the wrong permissions, or had not been updated with adequate ones.

Organizations do little to monitor their data as well, the report shows. The audit determined that more than half of most companies' files contained "stale" information: data no longer needed or relevant, inactive user accounts and non-expiring passwords.

WHY IT MATTERS
Regulations such as HIPAA, California's Consumer Privacy Act, and the EU's General Data Protection Regulation all apply to sensitive information and can carry stiff fines when a breach or theft occurs. Keeping patient data safe means both controlling access and cleaning out stale files that are no longer needed and can be expensive to store.

Employees with a role in data oversight take several hours per file to audit and correct access problems, making a file-by-file review effectively impossible. Organizations that don't routinely check up on and purge dormant accounts with non-expiring passwords leave themselves open to a greater likelihood of intrusion, and if they don't expunge stale data they risk even larger amounts of sensitive data being stolen.

THE LARGER TREND
Organizations that perform regular risk assessments and that proactively control access to their data are likely to save money and benefit from tighter security. Varonis recommends routine audits and tightly managed groups where users are only able to access the data they need.
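As an added illustration, not code from the report or the article, a small Python audit that computes the two measures the report describes over a directory tree: the share of files readable by everyone and the files left untouched beyond a retention window. It assumes POSIX mode bits, where "other" read access stands in for an "Everyone" share grant, and builds a constructed two-file sample directory with hypothetical file names.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass, field

@dataclass
class ExposureReport:
    total: int = 0
    world_readable: list = field(default_factory=list)  # readable by 'other'
    stale: list = field(default_factory=list)           # not modified within the window

    def exposed_fraction(self) -> float:
        return len(self.world_readable) / self.total if self.total else 0.0

def audit_tree(root: str, stale_days: int = 365, now: float = 0.0) -> ExposureReport:
    """Flag files whose mode grants 'other' read access (an 'Everyone' analogue)
    and files not modified within `stale_days`; `now` is injectable for testing."""
    now = now or time.time()
    cutoff = now - stale_days * 86400
    report = ExposureReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope
            report.total += 1
            if st.st_mode & stat.S_IROTH:
                report.world_readable.append(path)
            if st.st_mtime < cutoff:
                report.stale.append(path)
    return report

def _write(path: str, mode: int, mtime: float) -> None:
    with open(path, "w") as f:
        f.write("constructed sample\n")
    os.chmod(path, mode)
    os.utime(path, (mtime, mtime))

def run_demo() -> ExposureReport:
    """Build a constructed two-file tree (hypothetical names, no real data) and audit it."""
    base = tempfile.mkdtemp(prefix="exposure-demo-")
    now = time.time()
    _write(os.path.join(base, "payroll.csv"), 0o644, now)                 # recent, readable by everyone
    _write(os.path.join(base, "contract.pdf"), 0o600, now - 400 * 86400)  # private, untouched for 400 days
    return audit_tree(base, stale_days=365, now=now)
```

On a real share, point `audit_tree` at the mounted root and treat the two lists as the review queue the article says cannot be built by hand.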

Purging stale data and paring down access are critical steps to take in an industry where end device access is still highly insecure.

Breaches and incidents of hacking continue to affect more and more people, meaning that as long as providers are entrusted with patient information they will have to be more proactive in their management and protection of data.

ON THE RECORD
"Today, most CISOs assume that it's just a matter of time before their security perimeter will be breached, which underscores the importance of data protection," said Varonis Field CTO Brian Vecci, in a statement. "The level of sensitive data exposure and oversubscribed access that most organizations are living with should set off alarm bells for corporate boards and shareholders."

Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.
Twitter: @BenzoHarris.