Varonis 2021 Healthcare Data Risk


Analysing the state of data security across hospitals, pharmaceutical firms & biotech companies

COVID-19 provided fertile ground for attackers to sow confusion and take advantage of healthcare organisations on the front lines. From hospitals triaging patients around the clock to pharmaceutical companies developing advanced vaccines, cybercriminal groups targeted entities and systems under massive stress.

Recent attacks against the healthcare and biotech sector demonstrate maliciousness on an unprecedented scale. While their methods vary, their goal is the same: grab sensitive data to steal, sell, or extort.

In 2020, cybercriminals unleashed potent variants of ransomware like Maze and Ryuk on hundreds of hospitals. State-sponsored actors zeroed in on pharma and biotech companies to harvest COVID-19 research. Insider threats continued to tax the healthcare sector, while simple human errors left vulnerable information exposed — posing additional risk in a year like no other. 2020 also marked the first year that a patient’s death has been directly linked to a cyberattack.

Hospitals, biotech firms and pharma companies are entrusted to protect sensitive information — from personal patient data to valuable proprietary research — which makes them a prized target for skilled adversaries looking to steal, sell, or extort sensitive data.

As the saying goes, hackers only need to be right once. One successful phishing email can set off a ransomware chain reaction that encrypts every file it touches. A single insider with unrestricted access to file shares can copy, change, or delete thousands or even millions of documents.

To shine a light on data security in the life sciences space, Varonis developed the 2021 Healthcare Data Risk Report. The research examines the state of data security – on-premises, cloud, and hybrid environments – for healthcare organisations including hospitals, biotech and pharmaceutical firms. Varonis analysed a random sample of 3 billion files across 58 healthcare organisations to determine how data in the industry is exposed and at risk.

The report aims to help healthcare and biotech organisations better understand their cybersecurity vulnerabilities in the face of increasing threats and provides insight into how healthcare companies can mitigate future risk.

Global findings: As Industry Threats Increase, Healthcare is Underprepared

Healthcare sectors have their work cut out for them: Varonis found that on average, every employee within an organisation can access one out of every five files. This overexposed data, in tandem with an increased number of attacks exhibiting new levels of sophistication, makes healthcare one of the most at-risk sectors in 2021.

Key findings summary:

  • 1 in 5 files are open to every employee in healthcare organisations, on average. This increases to 1 in 4 when examining small and mid-sized organisations.
  • 31,000 sensitive files (HIPAA + financial + proprietary research) are open to everyone, on average.
  • Over 50% of organisations have more than 1,000 sensitive files open to every employee, on average.
  • 77% of organisations have 500+ accounts with passwords that never expire.
  • Every healthcare employee has access to over 11 million files overall — all it takes is one account to be compromised to let a hacker in.

Organisation-wide exposure of personal health information (PHI) and intellectual property represents an existential risk.

Compared to financial services companies, the average healthcare and biotech organisation has about 75% less data. While healthcare entities have fewer files, they have a greater number of files open to every employee. Attackers that successfully compromise one authorised device could land and expand throughout the organisation or encrypt massive amounts of data with ransomware.

More than half of hospitals, pharmaceutical companies, and biotech firms have over 1,000 sensitive files exposed to every employee. One-third of the organisations evaluated have over 10,000 files open to every employee. Enforcing least privilege is a basic step every organisation can take to protect data from theft and misuse while ensuring compliance with regulations.

“Ghost users” — user and service accounts that are inactive but still enabled — give hackers an easy way to move through an organisation’s file structures undetected. Hackers often exploit this weakness to steal data or disrupt critical systems.

Varonis data analysis reveals that the healthcare sector falls well below average when finding and fixing this vulnerability.

77% of the companies we surveyed have 501 or more accounts with passwords that never expire, while 79% have more than 1,000 ghost users still enabled.
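A minimal audit of the two account findings above (ghost users and passwords that never expire), added here as an example and not taken from the Varonis report; the account fields, the 90-day inactivity window and the sample export are all assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

GHOST_THRESHOLD_DAYS = 90  # assumed inactivity window; align with local policy


@dataclass
class Account:
    """One directory account, shaped like a typical AD/LDAP export (field names are assumed)."""
    name: str
    enabled: bool
    password_never_expires: bool
    last_logon: Optional[datetime]  # None means the account has never logged on


def is_ghost(acct: Account, now: datetime, threshold_days: int = GHOST_THRESHOLD_DAYS) -> bool:
    """Ghost user as the report defines it: inactive, yet still enabled."""
    if not acct.enabled:
        return False  # a disabled account cannot be used to move through file shares
    if acct.last_logon is None:
        return True   # provisioned but never used is the clearest case of "inactive"
    return now - acct.last_logon > timedelta(days=threshold_days)


def audit(accounts: List[Account], now: datetime) -> dict:
    """Return the account populations a defender would review first."""
    ghosts = [a.name for a in accounts if is_ghost(a, now)]
    # Only enabled accounts matter here: a non-expiring password on a disabled account is moot.
    never_expire = [a.name for a in accounts if a.enabled and a.password_never_expires]
    # An enabled, dormant account whose password never rotates combines both findings.
    highest_risk = sorted(set(ghosts) & set(never_expire))
    return {"ghost_users": ghosts, "password_never_expires": never_expire, "highest_risk": highest_risk}


def ts(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample export; names and dates are invented for illustration.
SAMPLE = [
    Account("j.doe", True, False, ts(2021, 2, 20)),         # active clinician, nothing to flag
    Account("svc_backup", True, True, ts(2020, 6, 1)),      # dormant service account, static password
    Account("contractor_old", True, False, None),           # provisioned, never used, still enabled
    Account("m.lee", False, True, ts(2019, 11, 3)),         # already disabled: not a ghost
    Account("lab_share", True, True, ts(2021, 2, 28)),      # in use, but password never rotates
]
NOW = ts(2021, 3, 1)

if __name__ == "__main__":
    for finding, names in audit(SAMPLE, NOW).items():
        print(f"{finding}: {names}")
```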

Varonis discovered that smaller organisations in particular have a shocking amount of exposed data, including sensitive files, intellectual property and patient records. On their first day, new employees at small companies have instant access to over 11,000 exposed files, and nearly half of them contain sensitive data. This creates a massive attack surface and increases the risk of noncompliance in the event of a data breach.

Larger organisations tended to have the most problems in their permissions structures, increasing the risk of data breaches stemming from cyberattacks.

When data is overexposed and underprotected, organisations can quickly lose control as employees copy, share, delete or change even the most sensitive information. Unprotected information is an easy target for cybercriminals who only need to compromise one end user to gain a foothold into healthcare environments.

State of the industry and mitigating future risk

If 2020 portends what the future holds, cyberattacks targeting the healthcare sector will only worsen.

While medical professionals made COVID-19 vaccination breakthroughs at an astounding rate, confirmed data breaches also increased by a staggering 58% as bad actors targeted vaccine research and high-priority intellectual property.

The industry was woefully underprepared for these attacks. A mere 23% of healthcare organisations have fully deployed security automation. The result of this is an average breach lifecycle of 329 days — the highest of any industry — and an average data breach cost of $7.13 million in 2020 — a 10.5% increase over 2019.

Cyberattacks were also more sophisticated than anything in years prior. Examples include a global intrusion campaign that trojanised SolarWinds Orion business software updates to distribute a new type of malware called SUNBURST. This attack still has wide-ranging consequences and continues to affect government, consulting, technology and telecom entities.

To get in front of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotechs need to double down on maturing incident response procedures and mitigation efforts. Enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organisations need to take.

View the full report here
