Study Shows Healthcare Workers Get Unnecessary Access to Massive Amounts of PHI

A new study has found widespread security problems at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which put sensitive information at risk.

The study, conducted by Varonis, a data security and insider threat detection platform provider, analyzed approximately 3 billion files from 58 healthcare organizations, including healthcare providers, pharmaceutical firms, and biotechnology companies. Its goal was to determine whether security controls had been implemented to protect sensitive data, and to help organizations better understand their cybersecurity weaknesses in the face of growing threats.

The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be restricted to workers who need it to perform their jobs. Where access is granted, the HIPAA minimum necessary standard applies: only the minimum amount of PHI needed for the task should be accessible. Each user must be assigned a unique user ID so that access to PHI can be tracked, and the HIPAA Security Rule requires users to be authenticated, typically with a password.

The findings were published in the Varonis 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech. It found that on their first day of work, the average healthcare employee has access to around 31,000 sensitive files containing PHI, financial, and proprietary information. Those files were stored in locations that every employee could reach.

On average, 20% of an organization's files are accessible to every employee, and in many cases that access was not needed to perform job duties. Half of the organizations studied had more than 1,000 sensitive files open to all employees, and at small healthcare organizations one in four files can be viewed by every worker. One in ten files containing intellectual property or PHI had no access restrictions at all.

Smaller organizations were found to have a surprising amount of exposed information, including sensitive data files, intellectual property, and patient files. On their first day on the job, new hires at small firms have immediate access to more than 11,000 exposed files, nearly half of which contain sensitive information.
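The "open to every employee" figures above come from checking which files carry a read-granting access control entry for a principal that covers all staff. The following is an added example of that check, not Varonis tooling or code from the report: it reads a constructed ACL export (one row per access control entry, icacls-style rights strings, invented UNC paths and group names, and a placeholder CONTOSO domain) and reports the files, and the sensitive files, readable by everyone. The assumption that every staff account sits in Domain Users is stated in the code and should be adjusted per environment.

```python
"""Open-access audit over a file ACL export (added example, not the Varonis tooling)."""
import csv
import io
import re

# Principals whose presence in a read-granting ACE means "every employee can read".
# Assumption: all staff accounts are members of Domain Users in this domain; the
# domain name CONTOSO is a placeholder.
EVERYONE_PRINCIPALS = {
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "BUILTIN\\Users",
    "CONTOSO\\Domain Users",
}
# icacls-style permission tokens that include read access
READ_TOKENS = {"R", "RX", "M", "F"}

# Constructed sample export: one row per access control entry (ACE), as a
# script wrapping icacls or Get-Acl might emit. Paths and groups are invented.
SAMPLE_ACL_CSV = r"""path,principal,rights,is_sensitive
\\fs01\Clinical\intake\patient_list.xlsx,CONTOSO\Domain Users,(OI)(CI)(R),yes
\\fs01\Clinical\intake\patient_list.xlsx,CONTOSO\Clinical-RW,(OI)(CI)(M),yes
\\fs01\Clinical\labs\2021-results.csv,CONTOSO\Lab-Staff,(M),yes
\\fs01\Finance\payroll_q1.xlsx,Everyone,(F),yes
\\fs01\Research\vaccine_candidates.docx,NT AUTHORITY\Authenticated Users,(RX),yes
\\fs01\Research\vaccine_candidates.docx,CONTOSO\Research-Leads,(M),yes
\\fs01\Public\holiday_schedule.pdf,BUILTIN\Users,(R),no
\\fs01\HR\onboarding_checklist.docx,CONTOSO\HR,(M),no
"""


def grants_read(rights):
    """True if an icacls-style rights string such as '(OI)(CI)(RX)' includes read."""
    tokens = {t for t in re.split(r"[(),]+", rights) if t}
    return bool(tokens & READ_TOKENS)


def open_access_report(acl_csv, everyone=EVERYONE_PRINCIPALS):
    """Summarize which files are readable by every employee.

    Returns the total file count, the files open to everyone, the subset of those
    flagged sensitive, and the open fraction (the metric the study reports).
    """
    files = {}  # path -> {"sensitive": bool, "open_via": set of principals}
    for row in csv.DictReader(io.StringIO(acl_csv)):
        entry = files.setdefault(
            row["path"],
            {"sensitive": row["is_sensitive"].strip().lower() == "yes", "open_via": set()},
        )
        if row["principal"] in everyone and grants_read(row["rights"]):
            entry["open_via"].add(row["principal"])
    open_files = sorted(p for p, e in files.items() if e["open_via"])
    return {
        "total_files": len(files),
        "open_files": open_files,
        "open_sensitive_files": [p for p in open_files if files[p]["sensitive"]],
        "open_fraction": len(open_files) / len(files) if files else 0.0,
    }


if __name__ == "__main__":
    report = open_access_report(SAMPLE_ACL_CSV)
    print(f"{len(report['open_files'])} of {report['total_files']} files "
          f"({report['open_fraction']:.0%}) are readable by every employee")
    for path in report["open_sensitive_files"]:
        print("  SENSITIVE and open to all:", path)
```

On the sample, four of six files are readable by every employee and three of those are sensitive; the labs results file is not flagged because only the Lab-Staff group can read it. The sensitivity column stands in for whatever classification source is in use; the point of the join is that a file is a finding only when it is both sensitive and open.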

To minimize risk, organizations should operate under the principle of least privilege. When employees have broad access to sensitive data, the opportunity for insider data theft grows, and if their credentials are compromised in a phishing attack, an external attacker inherits that same access to huge volumes of records.

The situation is compounded by poor password and account hygiene. 77% of the organizations surveyed for the report had at least 500 accounts with passwords that never expire, and 79% had more than 1,000 ghost accounts (accounts that are still enabled but no longer used, such as those of departed staff). Attackers can use such accounts to gain easy access to sensitive information and move through networks and file shares undetected, since nobody is watching for activity on them.
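Both findings are straightforward to check against a directory export. The following is an added example, not code from Varonis or the report: it audits a constructed Active Directory user export (invented accounts, ISO 8601 dates, columns matching a Get-ADUser/Export-Csv run) for enabled accounts whose passwords never expire and for ghost accounts, meaning enabled accounts with no logon in 90 days or never used 30 days after creation. The thresholds and the fixed "as of" date are assumptions chosen for the example.

```python
"""Account hygiene audit over an AD user export (added example, not Varonis code)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample with the columns produced by, for example:
#   Get-ADUser -Filter * -Properties PasswordNeverExpires,LastLogonDate,whenCreated |
#     Select-Object SamAccountName,Enabled,PasswordNeverExpires,LastLogonDate,whenCreated |
#     Export-Csv users.csv -NoTypeInformation
# Accounts are invented. Export-Csv writes dates in the host's locale format; this
# sample uses ISO 8601, so adapt parse_dt() to the format of a real export.
SAMPLE_USERS_CSV = """SamAccountName,Enabled,PasswordNeverExpires,LastLogonDate,whenCreated
jdoe,True,False,2021-05-28T08:12:00,2018-02-01T09:00:00
svc_backup,True,True,2021-05-30T02:00:00,2016-07-11T10:00:00
mreyes,True,False,2020-11-03T16:45:00,2017-03-15T09:00:00
tmp_contractor7,True,True,,2020-09-01T09:00:00
kpatel,False,False,2019-01-20T11:30:00,2015-06-01T09:00:00
new_hire_02,True,False,,2021-05-25T09:00:00
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
AS_OF = datetime(2021, 6, 1, tzinfo=timezone.utc)
GHOST_THRESHOLD = timedelta(days=90)        # assumption: no logon for 90 days is stale
NEVER_LOGGED_ON_GRACE = timedelta(days=30)  # assumption: new accounts get 30 days


def parse_dt(value):
    """Parse an ISO 8601 timestamp from the export; an empty field means 'never'."""
    value = value.strip()
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc) if value else None


def audit_accounts(users_csv, as_of=AS_OF):
    """Return enabled accounts with non-expiring passwords and enabled ghost accounts.

    LastLogonDate is derived from lastLogonTimestamp, which AD replicates only about
    every 14 days, so treat the staleness cutoff as approximate.
    """
    never_expires, ghosts = [], []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["Enabled"] != "True":
            continue  # disabled accounts cannot be used to log on
        name = row["SamAccountName"]
        if row["PasswordNeverExpires"] == "True":
            never_expires.append(name)
        last_logon = parse_dt(row["LastLogonDate"])
        created = parse_dt(row["whenCreated"])
        if last_logon is None:
            stale = as_of - created > NEVER_LOGGED_ON_GRACE
        else:
            stale = as_of - last_logon > GHOST_THRESHOLD
        if stale:
            ghosts.append(name)
    return {"password_never_expires": never_expires, "ghost_accounts": ghosts}


if __name__ == "__main__":
    result = audit_accounts(SAMPLE_USERS_CSV)
    print("Passwords never expire:", ", ".join(result["password_never_expires"]))
    print("Ghost accounts:", ", ".join(result["ghost_accounts"]))
```

On the sample, svc_backup and tmp_contractor7 have non-expiring passwords, and mreyes and tmp_contractor7 are ghosts; tmp_contractor7 appears in both lists, which is the worst combination, an unused account whose credential never rotates. The disabled kpatel account and the week-old new_hire_02 are correctly left alone.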

According to the Verizon Data Breach Investigations Report, data breaches rose 58% in 2020, and threat actors are actively targeting the healthcare, pharmaceutical, and biotech sectors to steal sensitive records, intellectual property, and vaccine research data. The healthcare sector also has the highest data breach costs; the IBM Security Cost of a Data Breach Report put the average at $7.13 million per breach. Organizations that fail to limit access to PHI can additionally face financial penalties of up to $1.5 million per year, per violation category.

To cope with increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotechs should double down on incident response and mitigation capabilities. Implementing least privilege, locking down sensitive information, and limiting lateral movement within their systems are the bare minimum preventive measures that healthcare organizations should take.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. She has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA