Healthcare Organizations Have Misplaced Confidence in Their Ability to Secure PHI and Manage Data Sharing

Healthcare companies are confident that they are securing regulated information and managing data sharing. However, according to the latest report from Netwrix, that confidence appears to be misplaced in many cases.

Data that is no longer required should be deleted, yet sensitive information often remains hidden on networks for a long time. Documents containing sensitive data can be saved in the wrong location, where they are not protected from unauthorized access, and misplaced information can remain exposed for weeks or months.

A recent survey by Netwrix has revealed the severity of the issue. For its 2020 Data Risk & Security Report, Netwrix surveyed 1,045 IT professionals from a variety of industries and found that 91% were confident that their sensitive information was stored securely. Yet one-fourth of respondents said they had discovered sensitive information stored outside the designated storage areas in the past year, showing that confidence to be misplaced. 43% of respondents said the misplaced sensitive information had been exposed for days, and 23% said it had been exposed for weeks before being discovered.

Healthcare companies that participated in the survey were less confident that all sensitive information was stored securely: 52% of healthcare respondents said they were certain all regulated information was stored safely. Of that 52%, 24% stated they had found sensitive information in the wrong location in the past year.

65% of surveyed healthcare companies were confident that their employees are not using cloud applications to share sensitive information and thereby circumvent the controls put in place by the IT department; however, that confidence also appears to be misplaced. 32% of the respondents who were certain that no unauthorized data sharing was taking place could not substantiate that claim because they do not monitor data sharing at all, and 17% could only monitor data sharing through a manual process.

Of all the surveyed industries, healthcare performed worst at controlling redundant, obsolete, and trivial (ROT) data. 60% of CIOs at healthcare companies stated they have trouble identifying ROT files that should be removed. Identifying ROT is easier with data classification technology: 43% of healthcare providers that classify their data say it is faster to identify ROT, compared with 13% of those that do not classify their data.

According to the study, only 20% of healthcare companies delete ROT data on a regular basis. The low figure is due to the lack of a data retention policy: 69% of healthcare companies have no such policy to help them systematically remove data once it is no longer needed, the highest proportion of any surveyed industry.

HIPAA requires the implementation of access controls to prevent unauthorized individuals from viewing protected health information (PHI). Access rights must be reviewed regularly, and when access to regulated information is no longer required, access rights should be updated accordingly. Netwrix found that 55% of healthcare providers do not review PHI access rights consistently and 70% of healthcare providers do not review access rights to archived information, in violation of HIPAA.

The HIPAA Right of Access gives patients the right to obtain a copy of their health records, and the California Consumer Privacy Act (CCPA) gives individuals the right to access their information. 55% of healthcare companies said that handling data subject access requests (DSARs) puts a strain on their IT staff. That pressure could be eased by deploying data classification technology: companies that use data classification technology and classify information at the point of collection say they can fulfill DSARs in one-third of the time.

Securing budget for data classification technology can be challenging, because to obtain funding IT teams must have security metrics to present to senior management that justify the cost. While 47% of companies expect larger budgets this year, only 16% said they have the security metrics to justify the increase. Senior managers ask for metrics to explain expenses and to see a return on investment.

Cybersecurity management must find more efficient ways to handle data security threats and to demonstrate a return on investment to the executive team. Better visibility into their data, internal operations, and user activity will allow them to prioritize projects, mitigate security and compliance risks more effectively, and validate the effectiveness of their investments.