The healthcare sector’s information security could use a check up.
According to a new study by Varonis that tracked 3 billion files across 58 health care firms, one in five files were visible to all employees – including one in eight containing sensitive information. More than three-quarters of organizations in the sector had at least 500 accounts that expire, and even more than that had at least a thousand “ghost accounts” of former employees that were never closed.
“One of the foundations of trust is that if you’re providing information to somebody like a health provider, that they’re keeping safe,” said David Gibson, Varonis’ chief marketing officer, a former engineer and CISSP.
“When information that sensitive is open to every employee, or to too many accounts or too many users. It is not really keeping up with that trust.”
While there was substantial variation by the size of the company, risky account practices were pervasive across enterprises of all shapes and sizes. Small companies – those with 500 employees or fewer — had 22% of their files with sensitive information accessible by anyone with an account. Medium-sized companies, maxing out at 1500 employees, had 14% of files with sensitive information shared across the organization. Companies larger than that still had 11% shared to all employees — a still-hefty one in ten.
Around 70% of sensitive files open to all employees were “stale,” files that were inactive for months or years.
“Stale files represent risk and cost, but aren’t adding a lot of value,” said Gibson. “They are an opportunity for organizations to really reduce risk quickly. If nobody’s using this data, does it really need to be open to everybody in the company? Can I lock it down? Identifying those opportunities for risk reduction is an important thing.”
Enterprises were more likely to have 10,000 or more ghost accounts than to have fewer than 1,000, according to the study (22% of firms to 21% of firms respectively). And they were around twice as likely to have 1,500 accounts that never expire, versus fewer than 500 (43% to 23%).
Accounts that never expire, particularly service accounts, can be “juicy” targets for hackers, said Gibson, who pointed to ransomware gangs known to take advantage.
Gibson said this year’s statistics are in line with what the company has seen previously.
“About one out of every five folders are open to every employee is, is kind of a standard thing that we’ve seen,” he said. “And the only delta is that people keep creating data faster, and then more places.”