We like to think that when we go to the doctor, our data is going to be as well-protected as our health is. New technologies and new laws have gone a long way in protecting our data. But a set of new reports suggests that our data may not be as safe as we'd hoped, and even healthcare employees aren't convinced organizations are doing all that can be done.
Just how big the problem actually is was spelled out with a report from the U.S. Health and Human Services Department for Civil Rights, which noted that, over the last two years, there have been over 290 disclosures of health data breaches, or nearly three a week. This is in large part due to the attractiveness of such data to thieves, which often includes things like social security numbers and Medicare ID numbers, among other personally-identifiable information.
The revelation of almost three breaches a week for the last two years would be bad enough, but the news gets worse. A Ponemon Institute study, commissioned by Varonis Systems and called “Corporate Data: A Protected Asset or a Ticking Time Bomb?”, examined the issue deeper and found significant problems. For instance, the study found that 56 percent of IT practitioners in the field, and 51 percent of end users, believed that organizations placed either a “moderate” or a “low” priority on protecting data, if any priority was placed at all. Seventy-nine percent of IT respondents noted that a least-privilege model was either partially enforced or not enforced at all. Sixty-five percent believed that there was too much access available, with sensitive data not necessary to do the job on hand, and 51 percent believed that this information was seen “at least frequently” over the course of a normal operation. Just to round it out, 73 percent said that access to sensitive or confidential data was available, and of those, 41 percent believed that “a lot of” this data was available.
Basically, the problem here seems to be that there's too much data on hand, and too much of that data is desirable to thieves. Supply is easy to obtain, by the direct admission of a great many people in the industry, and demand is brisk, so it's the perfect-storm recipe for a thriving market. The problem, of course, is that this is the last market many want to see thriving, especially the people whose data was taken for resale. As to how to actually fix the problem, a good look at that came from Varonis Systems' co-founder and CEO Yaki Faitelson, who noted that the companies systems offered “insight into who has access and who actually does access the data, who abuses their access, which files are sensitive and exposed to risk, and who from the business should be involved.” Keeping these points straight reduces opportunity, improves accountability, and in general cuts down on the numbers who could get access to these vital systems.
Controlling access is the first step to better data security, and Varonis is working to make these protections happen. We need a system of reliable security in order to be able to trust healthcare organizations, and the sooner that happens, the better for all concerned.
Edited by
Dominick Sorrentino
