Summary: Healthcare organizations are increasingly at risk of exposing sensitive data, with a significant percentage of both publicly and privately shared files containing Personally Identifiable Information (PII). The rise in data breaches within the healthcare sector highlights the urgent need for improved data security measures and data loss prevention (DLP) tools.
Threat Actor: Metomic
Victim: Healthcare Organizations
Key Points:
- 25% of publicly shared files and 68% of privately shared files in healthcare contain PII.
- Stale data access permissions create vulnerabilities, increasing the risk of data breaches.
- The healthcare industry faced a record number of data breaches in 2023, exposing over 133 million records.
- Ransomware attacks, such as the one on Change Healthcare, are costing the industry billions.
- 1% of publicly shared files contain PCI information, indicating potential financial data exposure.
Healthcare organizations continue to put their business and patients at risk of exposing their most sensitive data, according to Metomic.
25% of publicly shared files owned by healthcare organizations contain Personally Identifiable Information (PII). 68% of private files that have been shared externally (giving access to people outside the organization) contained PII, as did 77% of private files shared internally.
Publicly shared files often leak sensitive data
While publicly shared files that contain highly sensitive data pose the biggest risk for healthcare organizations and underscore the need for data security and DLP (data loss prevention) tools, many of the access permissions for private files are never updated or removed. This leads to “stale data” living in places like Google Drive where multiple people continue to have access to files they no longer need or should not be able to retrieve, creating high-risk environments that could easily lead to a data breach.
Often sensitive data is exposed in publicly shared files because of employee oversight. For example, staff share a file with colleagues using the public setting and then forget to revoke the permissions. In some cases, employees may never have been told that they shouldn't do this, leading them to assume incorrectly that the cloud provider will take care of any security issues automatically.
Metomic’s findings are extremely alarming considering the spiraling trend of data breaches happening across the healthcare space, a highly regulated industry that must follow strict data standards and legislative policies such as HIPAA and GDPR.
According to The HIPAA Journal, the healthcare industry experienced more data breaches in 2021 than in any previous year, and that upward trend has continued. Not only did 2023 see a record number of data breaches, it also set a record for the number of breached records, with more than 133 million records exposed.
Data breaches cost healthcare millions
This year, the ransomware attack on Change Healthcare wreaked havoc across the industry, disrupting payments to hospitals, pharmacies, and healthcare providers for more than a week. UnitedHealth claims the attack will likely cost the company between $1.35 billion and $1.6 billion by the end of the year.
“The healthcare industry is plagued by rampant data breaches that are costing organizations millions of dollars and putting highly sensitive patient data and financial information at risk. After digging into these findings, it’s clear that healthcare security leaders need more resources, DLP solutions, and data security tools to overcome the vast number of data security challenges they face day-to-day,” said Rich Vibert, CEO, Metomic.
“Healthcare organizations need data security and DLP platforms that not only help protect highly sensitive information, but also provide tools to ensure employees are not inadvertently sharing data or giving access to files that put the organization at risk,” added Vibert.
Another concerning trend is the amount of PCI information, such as credit card numbers and banking information, that is saved in publicly shared and external files.
According to Metomic’s research, 1% of publicly shared files owned by healthcare organizations contain PCI—a number that, at first glance, seems relatively tiny, but 1% means that there are easily accessible files that contain highly vulnerable financial data.
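The two failure modes the article describes, stale or overly broad sharing permissions and PCI/PII sitting in shared files, are the kind of thing a DLP audit script checks for. The following is an added example, not Metomic's tool or any Drive API code: it runs over a constructed set of file records (assumed fields `shared_with`, `last_accessed`, `text`; the org domain `clinic.example` is made up), classifies each file's sharing scope, flags stale access, and scans the content for SSN-style identifiers and Luhn-valid card numbers so that random 16-digit references are not counted as PCI.

```python
import re
from datetime import date

ORG_DOMAIN = "clinic.example"  # assumed organization domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

# Constructed sample records shaped loosely like cloud-drive sharing metadata.
SAMPLE_FILES = [
    {"name": "patient-intake.csv", "shared_with": ["anyone"],
     "last_accessed": date(2024, 1, 10),
     "text": "Jane Doe, SSN 555-12-3456, card 4111 1111 1111 1111"},
    {"name": "vendor-invoice.xlsx", "shared_with": ["billing@partner.example"],
     "last_accessed": date(2024, 7, 20),
     "text": "Invoice 2231, total 4200.00, ref 1234 5678 9012 3456"},
    {"name": "staff-rota.doc", "shared_with": ["nurse@clinic.example"],
     "last_accessed": date(2024, 7, 29), "text": "Mon: A. Smith, Tue: B. Jones"},
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that cannot be real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def count_pci(text: str) -> int:
    return sum(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(text))

def share_scope(shared_with: list) -> str:
    """'public' beats 'external' beats 'internal' when a file has mixed shares."""
    if "anyone" in shared_with:
        return "public"
    if any(not p.endswith("@" + ORG_DOMAIN) for p in shared_with):
        return "external"
    return "internal"

def audit(files: list, today: date, stale_days: int = 90) -> list:
    """One finding per file; needs_review marks exposed files holding PII/PCI or stale access."""
    report = []
    for f in files:
        scope = share_scope(f["shared_with"])
        stale = (today - f["last_accessed"]).days > stale_days
        pii, pci = len(SSN_RE.findall(f["text"])), count_pci(f["text"])
        exposed = scope in ("public", "external")
        report.append({"name": f["name"], "scope": scope, "stale": stale, "pii": pii,
                       "pci": pci, "needs_review": exposed and (pii > 0 or pci > 0 or stale)})
    return report
```

The invoice record shows why the Luhn step matters: its 16-digit reference matches the card pattern but fails the checksum, so the externally shared file is not flagged as a PCI exposure.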
Source: https://www.helpnetsecurity.com/2024/07/30/healthcare-sensitive-data