The healthcare industry was woefully underprepared for cyberattacks in 2020, with an average breach lifecycle of 329 days — the highest of any industry. The cost? An average data breach cost $7.13 million — a 10.5% increase over 2019. 2020 also marked the first year that a patient’s death was directly linked to a cyberattack. As healthcare continues to become more digitized, cyberattacks become more sophisticated and targeted. So it only makes sense that healthcare organizations should check the pulse of their data security. The 2021 Healthcare Data Risk Report issued by Varonis, a global pioneer in data security based in the US, examines data security status in hospitals, pharmaceutical firms, and biotechnology companies.
The 2021 Healthcare Data Risk Report is the second annual report issued by Varonis, analyzing industry-specific threats, trends, and solutions. Analysts focused on data security in the healthcare industry: hospitals, pharmaceutical firms, and biotechnology companies. The report aims to help healthcare and biotech organizations better understand their cybersecurity vulnerabilities in light of rising threats, and offers insight into how they can reduce the risk of future cyberattacks.
For insight into how exposed healthcare organizations are, analysts examined a random sample of Data Risk Assessments covering 56 companies and over 3 billion files. Some of the report's key findings, which paint an alarming picture of overexposed and vulnerable sensitive data, include:
- The average organization has 31,000 sensitive files (those containing HIPAA + financial + proprietary research) open to everyone.
- On average, every employee has access to over 11 million files — nearly 20% of the organization’s total files.
- For small and mid-sized organizations, employees have access to almost one out of every four files.
- Risk Potential: all it takes is one account to be compromised for a cyberattack to be successful.
77% of organizations have 501+ accounts with passwords that never expire.
- Ghost users — user and service accounts that are inactive but still enabled — give hackers an easy way to move through an organization's file structures undetected.
- Cyberattack Alert: Hackers often exploit this weakness to steal data or disrupt critical systems.
- Varonis data analysis reveals that the healthcare sector falls well below average at finding and fixing this vulnerability.
Compared to financial services companies, the average healthcare and biotech organization has about 75% less data.
- Although healthcare organizations have fewer files, they have significantly more files open to every employee.
- Risk Potential: Attackers that successfully compromise one authorized device could land and expand throughout the organization or encrypt massive amounts of data with ransomware.
More than half of hospitals, pharmaceutical companies, and biotech firms have over 1,000 sensitive files exposed to every employee.
- One-third of the organizations evaluated have over 10,000 files open to every employee.
- Enforcing least privilege is an essential step every organization can take to protect data from theft and misuse while ensuring compliance with regulations.
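The three exposures the findings above single out (passwords that never expire, ghost users that are inactive but still enabled, and sensitive files readable by everyone) are all things an organization can check for itself before an attacker does. The following audit script is an added example written for this article, not Varonis code or output from its Data Risk Assessments. The record layout, the 90-day inactivity threshold, the "Everyone" principal name, the classification tags and the sample accounts and files are all constructed assumptions; a real run would populate the same records from a directory export and a file-share ACL scan.

```python
"""Audit constructed account and file-ACL records for the exposures the
Varonis healthcare findings describe.  Added example; every record below
is constructed sample data, not data from the report."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

GHOST_DAYS = 90          # assumed: enabled accounts idle this long count as ghost users
EVERYONE = "Everyone"    # assumed name of the catch-all principal in the ACL export
SENSITIVE_TAGS = frozenset({"HIPAA", "financial", "research"})  # assumed classification tags


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    password_never_expires: bool
    last_logon: Optional[date]      # None means the account has never logged on


@dataclass(frozen=True)
class FileAcl:
    path: str
    tags: FrozenSet[str]            # classification tags attached to the file
    readers: FrozenSet[str]         # principals granted read access


def never_expiring(accounts: List[Account]) -> List[str]:
    """Enabled accounts whose password never expires (disabled ones cannot be used)."""
    return sorted(a.name for a in accounts if a.enabled and a.password_never_expires)


def ghost_accounts(accounts: List[Account], today: date) -> List[str]:
    """Enabled accounts that have not logged on within GHOST_DAYS, or ever."""
    cutoff = today - timedelta(days=GHOST_DAYS)
    return sorted(a.name for a in accounts
                  if a.enabled and (a.last_logon is None or a.last_logon < cutoff))


def sensitive_open_to_everyone(files: List[FileAcl]) -> List[str]:
    """Files carrying a sensitive tag that the catch-all principal can read."""
    return sorted(f.path for f in files
                  if f.tags & SENSITIVE_TAGS and EVERYONE in f.readers)


def audit(accounts: List[Account], files: List[FileAcl], today: date) -> Dict[str, List[str]]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "never_expiring": never_expiring(accounts),
        "ghost_accounts": ghost_accounts(accounts, today),
        "sensitive_open_to_everyone": sensitive_open_to_everyone(files),
    }


# Constructed sample data: a small directory export and a share ACL listing.
SAMPLE_ACCOUNTS = [
    Account("alice", True, False, date(2021, 3, 1)),        # healthy: recent logon, password rotates
    Account("svc-backup", True, True, date(2020, 6, 1)),    # ghost service account, never-expiring password
    Account("bob-contractor", True, False, None),           # never logged on but still enabled
    Account("carol", False, True, date(2019, 1, 1)),        # disabled, so excluded from both account checks
    Account("dave", True, True, date(2021, 3, 10)),         # active, but password never expires
]
SAMPLE_FILES = [
    FileAcl("/share/patients/2021-visits.xlsx", frozenset({"HIPAA"}), frozenset({EVERYONE})),
    FileAcl("/share/finance/q1.xlsx", frozenset({"financial"}), frozenset({"finance-team"})),
    FileAcl("/share/public/lunch-menu.txt", frozenset(), frozenset({EVERYONE})),
    FileAcl("/share/research/trial-7.csv", frozenset({"research"}),
            frozenset({EVERYONE, "research-team"})),
]
TODAY = date(2021, 3, 15)  # constructed "as of" date for the ghost-user calculation


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_ACCOUNTS, SAMPLE_FILES, TODAY).items():
        print(f"{check}: {len(hits)}")
        for hit in hits:
            print(f"  {hit}")
```

Two design points are worth noting. Disabled accounts are excluded from both account checks: a disabled account with a stale password is not an exposure, and counting it would bury the enabled ghost accounts that actually matter. The file check matches on the catch-all principal rather than on group membership size, which is exactly what the report's "open to every employee" metric measures; an organization can widen `SENSITIVE_TAGS` or the principal name to match its own classification scheme and directory.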
Varonis Healthcare Data Risk Global Findings
The Continued Rise of Healthcare Cyberattacks
Recent cyberattacks toward the healthcare and biotech industries show maliciousness on an exceptional scale. While the plots of the hackers vary, the intent is always the same – grab sensitive data to steal, sell, or extort. Healthcare will only generate more data. The future of healthcare is digital. And it’s exactly why the healthcare industry will remain one of the most at-risk for malicious attacks.
Cyberattacks were also more sophisticated than anything in years prior. Over the last year, cybercriminals have unleashed robust ransomware variants such as Maze and Ryuk on hundreds of hospitals. State-sponsored hackers also targeted pharmaceutical and biotech companies to obtain COVID-19 research. If 2020 outlines what the future holds, cyberattacks targeting the healthcare ecosystem will only worsen.
As noted in the introduction, the average cost of a data breach in the healthcare sector was $7.13 million in 2020. With an increased number of attacks exhibiting new levels of sophistication, overexposed data made healthcare one of the most at-risk sectors in 2021. To get ahead of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotechs need to double down on maturing incident response procedures and mitigation efforts. Analysts in the Varonis 2021 Healthcare Data Risk Report suggest that enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organizations need to take.
Varonis is a pioneer in data security and analytics, specializing in software for data protection, threat detection and response, and compliance. Varonis protects enterprise data by analyzing data activity, perimeter telemetry, and user behavior; prevents disaster by locking down sensitive data; and efficiently sustains a secure state with automation.