The number of sensitive data files in healthcare, pharma and biotech that are accessible to every employee should leave us alarmed, according to data security company Varonis, whose report highlighted the data risk in several industries a year after the implementation of GDPR.
The Global Data Risk Report from the Varonis Data Lab suggested that in the healthcare industry, 15% of sensitive files were exposed to all network users, and 18% of folders were open to all users.
Matt Lock from Varonis told Digital Health Age: “A single file can potentially have tens or hundreds of thousands of personal health records in it, so these numbers don’t fully capture the magnitude of the problem facing most healthcare organisations.
“To some, 15% and 18% are low numbers, but these are alarming. These regulatory violations should trouble not only CISOs but any member of the leadership team at an organisation with overexposed sensitive data files.”
Despite the numbers, Lock predicts there will be improvements going forwards as healthcare organisations take the opportunity to implement better controls.
“I think healthcare organisations are doing well with data privacy procedures, but not data security controls. Healthcare organisations understand that PHI should be private and should only be accessible to the patient and authorised users, but lack the proper data security controls to limit internal users.”
Healthcare, pharmaceutical and biotech firms had the most exposed sensitive files per terabyte analysed, with 4,691 terabytes of data showing as exposed.
Lock explained the enormity of the leak, saying: “The average laptop has about a terabyte of data on it, and companies like the ones we studied have the equivalent of thousands of laptops worth of data. Each one has more than 4,000 files that are not only sensitive but open to everyone. That’s staggering since a leak of just one of those files would be a major issue for any organisation, let alone ones like in healthcare where the data is so valuable and the penalties for loss, theft, or misuse are so high.
“There are intelligent ways of managing access that increase security without impacting productivity. It starts with putting more intelligent controls in place and then making the right people accountable for them. These steps are important, though clearly not happening fast enough.
“Awareness training is also necessary to bolster the culture of accountability. From the doctors, nurses, patient coordinators, to the billing department, training on the data security controls requirements is a critical step.”