{"id":2432,"date":"2018-06-12T08:35:21","date_gmt":"2018-06-12T08:35:21","guid":{"rendered":"https:\/\/www.empowerbpo.com\/blog\/?p=2432"},"modified":"2023-01-27T08:11:26","modified_gmt":"2023-01-27T08:11:26","slug":"global-accessibility-and-healthcare","status":"publish","type":"post","link":"https:\/\/www.empowerelearning.com\/blog\/global-accessibility-and-healthcare\/","title":{"rendered":"Global accessibility &#8211; A Mistake Healthcare Providers Cannot Afford"},"content":{"rendered":"<blockquote><p><i><span style=\"font-weight: 400;\">\u201cAccording to Varonis, 41% of organizations had more than 1,000 sensitive files open to every employee, with data such as &#8220;credit card information, health records, or personal information subject to regulations like GDPR, HIPAA and PCI&#8221; readily available to anyone with access to the system.\u201d<\/span><\/i><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><i><span style=\"font-weight: 400;\">By <\/span><span style=\"font-weight: 400;\"><a href=\"https:\/\/www.techrepublic.com\/article\/report-41-of-companies-have-1000-sensitive-files-open-to-every-employee\/\" rel=\"nofollow noopener\" target=\"_blank\">Jonathan Greig, Tech Republic<\/a><\/span><\/i><\/li>\n<\/ul>\n<\/blockquote>\n<p><span style=\"font-weight: 400;\">Last week, I came across <\/span><a href=\"https:\/\/www.techrepublic.com\/article\/report-41-of-companies-have-1000-sensitive-files-open-to-every-employee\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">this article<\/span><\/a><span style=\"font-weight: 400;\"> by Jonathan Greig on Tech Republic. It discusses the 2018 Global Data Risk Report by Varonis Systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A network with sensitive files open to every employee?<\/span><span style=\"font-weight: 400;\"> For a healthcare provider &#8211; that\u2019s the stuff of nightmares.
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A computer network with global accessibility is a mistake that no healthcare provider can afford. Not only does it put our clients at risk of violating HIPAA\u2019s minimum necessary rule; it also puts their computer network at risk of malware and ransomware attacks. A single attack could cause major disruptions across their network and result in theft of valuable PHI. [Not to mention the HIPAA penalties that would follow.]<\/span><\/p>\n<p><span style=\"font-weight: 400;\">P.S. Let\u2019s not forget the EU GDPR regulations, too.<\/span><\/p>\n<h3><b>2018 Global Data Risk Report<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Published by Varonis Systems, the <\/span><a href=\"https:\/\/info.varonis.com\/hubfs\/2018%20Varonis%20Global%20Data%20Risk%20Report.pdf\" rel=\"nofollow noopener\" target=\"_blank\"><i><span style=\"font-weight: 400;\">2018 Global Data Risk Report<\/span><\/i><\/a><span style=\"font-weight: 400;\"> highlights findings compiled from all the data risk assessments they conducted last year. The report covers assessments performed across more than 50 countries, 130 organizations and 30+ industry sectors, including insurance, financial services, healthcare, pharma and biotech, IT and computer software, and local, state and regional governments.
<\/span><\/p>\n<h3><b>Here\u2019s a five-point synopsis of their 2018 Data Risk Report:<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">41% of companies have over 1,000 sensitive files open to EVERYONE<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">21% OF ALL FOLDERS are open to EVERYONE<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">58% have over 100,000 folders open to EVERYONE<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">54% of data is stale, that is, information no longer necessary for everyday operations<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">34% of user accounts are ghost accounts (stale accounts, which often belong to people who are no longer with the organization)<\/span><\/li>\n<\/ul>\n<h3><b>Global accessibility, HIPAA, and the Minimum Necessary Rule<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">HIPAA restricts healthcare organizations and their business associates from using or sharing more than the \u201cbare minimum\u201d of patient health information.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s the first question we put to our clients after introducing them to the term PHI \u2013<\/span><\/p>\n<p style=\"padding-left: 30px;\"><i><span style=\"font-weight: 400;\">\u201cDo you need this information to do your job?\u201d<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">And if the person is in an executive position, we add \u2013<\/span><\/p>\n<p style=\"padding-left: 30px;\"><i><span style=\"font-weight: 400;\">\u201cWhat is the least amount of information that your team needs to know to do their job?\u201d<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Under HIPAA, only those who have a \u201cneed to know\u201d should be permitted access to health information.
Healthcare organizations need to ensure that employees and contractors have access only to the \u201cbare minimum\u201d of information necessary for them to perform their job.<\/span><\/p>\n<h3><b>PHI : Global Accessibility : NEVER<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Hackers always look for the easiest way to get in and move around the network. Not dealing with ghost accounts is like hanging your car keys outside the garage door. Global accessibility is an equally foolhardy proposition: once attackers have breached your network, they naturally look for unsecured, globally accessible folders.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">Could you think of anything more damaging than having patient health information stored on such a network?<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Organizations dealing with patient information must avoid global accessibility. Organizations (healthcare providers and business associates alike) need to replace global groups with tightly managed security groups. Moreover, such organizations should get into the habit of conducting periodic audits of their servers; this helps identify (and eliminate) any newly created data containers with global access.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Another important suggestion, from a healthcare point of view, is to periodically recertify access to sensitive data (PHI) in order to spot users who no longer need it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Outdated permissions and ghost accounts are attack hotspots, an unnecessary security risk. Here too, periodic audits are crucial. As Varonis suggests, procedures must be in place to ensure that all user accounts are active, governed and monitored, and that stale accounts are deleted or disabled without delay.
Stale accounts must never retain access to patient health information.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cAccording to Varonis, 41% of organizations had more than 1,000 sensitive files open to every employee, with data such as &#8220;credit card information, health records, or personal information subject to regulations like GDPR, HIPAA and PCI&#8221; readily available to anyone with access to the system.\u201d By Jonathan Greig, Tech Republic &nbsp; Last week, I came [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":2434,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[157,158,77,94,156,126,155,159],"class_list":["post-2432","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hipaa","tag-business-associates","tag-ghost-accounts","tag-hipaa","tag-information-security","tag-minimum-necessary-rule","tag-patient-health-information","tag-phi","tag-slate-accounts"],"_links":{"self":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/2432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/comments?post=2432"}],"version-history":[{"count":0,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/2432\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media\/2434"}],"wp:attachment":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media?parent=2432"}],"wp:term":[{"taxonomy":"categor
y","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/categories?post=2432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/tags?post=2432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}