blackboard - stock.adobe.com
Healthcare Providers Overconfident in Data Sharing Controls, Security
Healthcare providers received the worst marks for controlling data ROT, or redundant, obsolete, and trivial files, as well as data sharing controls and security, among all other sectors.
The majority of healthcare providers are overconfident in their ability to control data sharing and the security of their data storage, according to a new report from Netwrix.
Netwrix surveyed 1,045 global IT professionals from a wide range of sectors, including healthcare, to get a sense of how organizations treat data during its lifecycle and identify security gaps that could potentially put sensitive data at risk.
Researchers discovered some damning findings from the healthcare sector, such as a widespread and false sense of security. Fifty-two percent of healthcare organizations said they were certain their regulated data was securely stored.
However, of 24 percent of those respondents, actually discovered data outside of its dedicated locations within the last 12 months. The findings mirror repeated reports from IntSights that show an estimated one-third of healthcare databases stored locally and in the cloud are leaking sensitive patient data.
What’s more, researchers determined healthcare organizations reported more confidence over its data sharing controls among employees compared with all other sectors. But 65 percent of respondents claimed their employees don’t share data through cloud apps to circumvent IT controls – without the ability to verify the claim.
This is due to 32 percent of those respondents failing to track data sharing at all – and only 17 percent can manually perform the process.
What’s more, the healthcare sector also received the worst marks for controlling data ROT, or redundant, obsolete, and trivial files.
“Healthcare providers gather a substantial amount of personal data about their patients, and HIPAA requires them to retain certain types of documents (e.g., privacy policies and dispositions of complaints) for six years after creation,” researchers wrote.
But about 60 percent of organizations find it challenging to identify ROT that should be purged.
Researchers explained that data classification can help those organizations, with 43 percent of respondents reporting that ROT is easily identified with the classification, compared with 13 percent of those that don’t use the tech.
What’s more, just 20 percent of healthcare organizations delete ROT on a regular basis. The report showed it may be caused by the lack of data retention programs, which could help organizations methodically delete information when it’s no longer needed: Sixty-nine percent of providers do not have this type of program.
Again, healthcare had the highest result in this area across all surveyed industries.
Healthcare organizations also struggle with regularly reviewing access rights to data: 55 percent of providers do not routinely review data access rights, and another 70 percent fail to do so for archived data. Both of which are in violation of HIPAA.
What’s concerning is that while 47 percent of organizations expect to see an increase in their budgets and 69 percent anticipate a 24 percent jump this year, just 16 percent of respondents have security metrics that could justify investments to senior budget.
Without those metrics, researchers explained that justifying a budget increase could prove difficult.
“Developing meaningful KPIs to prove the effectiveness of security efforts will be a key focus in 2020,” researchers wrote. “30 percent of organizations say that their management teams are already requesting more data security reports than they did a year ago.”
Lastly, 88 percent of healthcare organizations believe that insecure data sharing poses a risk to digital transformation.
“Even as cybersecurity budgets grow, data breaches continue to increase in both number and size,” Steve Dickson, CEO at Netwrix, said in a statement. “Cybersecurity leaders need to find more effective ways to manage data security risks and show return on investment to the executive team.”
“Gaining more visibility into data, internal processes and user activity will enable them to prioritize their efforts, mitigate security and compliance risks more efficiently, and prove the effectiveness of their investments,” he added.