Case Study: Health Care Sector

How Getvisibility helped a European hospital secure PII and regulated high-risk personal healthcare information across its data silos.

AT A GLANCE

  1. Unstructured data on unclear infrastructure.
  2. Failed Data Loss Prevention programme.
  3. Lack of data understanding and regulatory clarity.
  4. Overly broad access privileges.
  5. Unknown exposure to ransomware attacks.
  6. Unencrypted sensitive data.
  7. Ineffective data protection policies.
  8. Low internal data protection awareness.

OVERVIEW

Healthcare providers and national health services have recently been the frontline victims of aggressive and damaging cyber-attacks. Cyber criminals are now using double extortion ransomware to target healthcare providers, where they steal and encrypt sensitive operational data and sell this data to the highest bidder.

The only way for a healthcare provider to find, understand and protect this data is to use advanced AI and machine learning at scale.

A major challenge for a large hospital is to find its data, understand it and protect it, whilst keeping the data operational for the provision of its services.

This type of exercise has historically been impossible to carry out: the volume of data, its dynamic nature and the accuracy required made it prohibitive. Getvisibility's AI-based solution has now made it possible.

ABOUT THE CLIENT

Our client is a mid-sized European hospital, with over 10TB of unknown unstructured data and more than 30 million files. This hospital is subject to GDPR and has had issues with potential ransomware attacks.

Given the sensitive nature of our case study, we have accommodated their request to anonymise all names and places.

Industry:

Healthcare

Location:

Europe

Business Objectives Supported:
  • Data Discovery
  • Data Classification
  • Data Risk Score
  • Data Loss Protection
  • Integration

CHALLENGES

  • Vast amounts of unstructured data across a broad, poorly understood infrastructure.
  • A Data Loss Prevention programme that had failed because its configuration rendered normal operational service unworkable.
  • No clear definition of the type of data the hospital held, or of what it was responsible for under regulations.
  • Access privileges that were very broad: because the data was not understood, access was over-granted.
  • Exposure to ransomware attacks that was not understood.
  • None of the potentially sensitive unstructured data was encrypted or protected, as the data itself was not understood.
  • No effective data protection policies, as the data itself was not understood.
  • Low internal data protection awareness and data compliance, as there was no data classification framework.

THE PROBLEM

IDENTIFYING PHI AND PII INFORMATION

Following news that 550 patient records were leaked from Irish hospitals, a hospital wished to lock down PII and PHI from the outset to avoid a data breach. Massive fines for European hospitals already existed, with the biggest in Switzerland of CHF1.5M, payable by Lausanne University Hospital (CHUV) following a data leak incident in 2013 that affected over 100,000 patients.

Our client had not suffered a data breach, but did not want to risk one. Hospitals and healthcare organisations deal with huge amounts of sensitive data: information about patients, employees, researchers, and other business-related content. With a large number of staff and a growing amount of research being performed by hospital staff, it is becoming increasingly difficult to manually track and manage sensitive data and its access rights.

Identifying sensitive and regulated data on its own is a complex task. The most popular approach to controlling sensitive data is to create an internal policy that requires end-users to store sensitive and regulated data in specific locations. However, as soon as anyone copies data out of a folder that contains PHI/PII, it spreads across the entire organisation, meaning the hospital had no visibility into its PHI and PII data.

"Our company's rapid growth results in frequent employee turnover, which causes data and locations of sensitive information to become misplaced."

The hospital undertook a thorough search for PHI and PII across its many unstructured data stores and multiple platforms in order to ensure the security and privacy of patient information. Getvisibility's scan revealed a number of striking findings.

OVER 2,000 FILES CONTAINING PHI WERE SHARED WITH THE EVERYONE GROUP

Data shared with the Everyone group is accessible to any user. Even a guest user can reach such data if there is network connectivity to the file share. This is the number one risk in any organisation until Everyone group share access is removed. Everyone encompasses all users who have logged in with a password as well as built-in, non-password-protected accounts such as Guest and LOCAL SERVICE, which means that any user had access to the critical data subject information in the files above.

OVER 25,500 FILES ARE ACCESSIBLE WITH DOMAIN ADMINISTRATOR ACCESS

Administrators have access to most of the sensitive data; however, this does not mean that IT administrators need access to protected medical information. It is widely adopted practice not to give admins access to all data on the file servers, but instead to manage access to the file servers via group memberships, following the least privilege model.

  • No files were encrypted.
  • 12,937 files with PHI were older than 5 years and not archived.
  • 17,521 files with PHI were older than 7 years and not archived.
  • 30% of files were duplicates.
  • No files were protected by DLP.
  • The organisation scored 7 on its 0-10 risk score.
  • There was no risk management framework.

USERS HAD DIRECT ACCESS TO MORE THAN 8 MILLION FILES

Following the least privilege model, it is strongly recommended to grant access rights only via group memberships, and to grant only the minimal privileges users need to complete their tasks.
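As an added example, not part of the case study and not Getvisibility's software, the following PowerShell script audits an NTFS file share for the three exposure patterns reported above: access control entries granted to the Everyone group (and similarly broad built-in groups), entries granted to the domain administrators group, and entries granted directly to user accounts instead of to groups. The share path, the domain name and the admin group name are assumptions, and the script only reports; it changes nothing.

```powershell
# Added example; not Getvisibility code. Requires the ActiveDirectory module (RSAT) so that
# a principal can be resolved to 'user' or 'group'. Paths and names below are assumptions.
Import-Module ActiveDirectory

function Find-ExposedFiles {
    param(
        [Parameter(Mandatory)] [string] $Root,                 # e.g. '\\FILESERVER01\Records' (assumed)
        [string] $Domain     = 'HOSPITAL',                      # assumed NetBIOS domain name
        [string] $AdminGroup = 'HOSPITAL\Domain Admins'         # assumed administrators group
    )

    # Everyone is the page's finding; Authenticated Users is listed too because it covers every
    # domain account and is just as broad for a hospital share.
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users')

    # Cache principal -> objectClass so AD is queried once per distinct identity, not per file
    $kind = @{}

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        try { $acl = Get-Acl -LiteralPath $file } catch { return }   # skip files we cannot read
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $finding = $null
            if ($broad -contains $id) {
                $finding = 'EveryoneOrBroadGroup'
            } elseif ($id -eq $AdminGroup) {
                $finding = 'DomainAdminAccess'
            } elseif ($id -like "$Domain\*") {
                if (-not $kind.ContainsKey($id)) {
                    $sam = $id.Substring($Domain.Length + 1)
                    $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue |
                        Select-Object -First 1
                    $kind[$id] = if ($obj) { $obj.ObjectClass } else { 'unknown' }
                }
                # A direct user ACE (rather than a group) breaks the "access via groups only" rule
                if ($kind[$id] -eq 'user') { $finding = 'DirectUserACE' }
            }
            if ($finding) {
                [pscustomobject]@{
                    Path      = $file
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # False = the ACE is set explicitly on this object
                    Finding   = $finding
                }
            }
        }
    }
}

# Usage on the assumed share: full report to CSV, plus a per-finding file count
$report = Find-ExposedFiles -Root '\\FILESERVER01\Records'
$report | Export-Csv -Path '.\exposure-report.csv' -NoTypeInformation
$report | Group-Object Finding | Select-Object Name, Count
```

The `Inherited` column matters for remediation: most files will carry an Everyone entry inherited from a parent folder, and an inherited entry cannot be removed on the child. Filter the report for `Inherited -eq $false` to find the folders where the entry is actually defined, and fix it there.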

THE SOLUTION

OUR APPROACH

Before Getvisibility, the hospital was unable to effectively identify who had access to regulated data stored in a multi-tier legacy storage infrastructure. Data for electronic patient records were stored on centralised servers, along with other types of data, which made it difficult to identify where specific data was located. The network had turned into a patchwork quilt of different machines and protocols. This made it extremely time-consuming to correlate personal data with its owner and manage access rights.

In addition, after installing Getvisibility, the hospital found that many access permissions were set inappropriately, leading to excessive exposure of PII and PHI. The hospital's risk exposure to cyberattacks such as ransomware and malware extended beyond the perimeter to unstructured data silos in every department. Getvisibility has an out-of-the-box machine learning model for identifying PHI and PII. Our software is proven to be efficient at high scale in complex on-premise and cloud environments.

We were able to scan 11TB of data within a week and deliver complete visibility of critical and sensitive data, including PHI and PII. The hospital used Getvisibility Focus for legacy data discovery and classification. It can be deployed in less than two hours and is ready to go with an out-of-the-box AI engine to find and classify regulated information. This saves hundreds of hours in configuring a solution and in verifying the results compared with alternative solutions.

IMPACT

  • Enhanced value from Data Loss Prevention Solution.
  • Regulatory compliance.
  • Reduction in time taken to mitigate areas of high data risk.

TECHNOLOGIES IN USE

  • Servers.
  • Document Management System.
  • Cloud Storage.

IMPROVEMENTS

  • Creating a data taxonomy to suit the organisation.
  • Implementing comprehensive data management practices, which include conducting a thorough data inventory, cataloguing, classification, monitoring access, tracking usage, defining retention policies, and identifying data duplication, can help establish effective controls over both Protected Health Information (PHI) and Personally Identifiable Information (PII).
  • Identifying PHI and PII regulated data across multiple storage locations.
  • Protecting PII, PHI, and other sensitive information against cyber-attacks.
  • Minimising attack surface despite increasing use of shared drives and remote connectivity.
  • Restricting user access to PII and PHI information, to protect patient data.
  • Enabling least privilege.
  • Implementing data hygiene policies.
  • Integrating and operationalising DLP.
  • Implementing risk management and reporting.

REMEDIATION

Create a complete register of all PHI and PII data across all data silos.

Find and remediate PHI and PII data shared with the Everyone Group.

Implement the least access privilege model.

Find and remediate files with direct domain administrator access.

Improve Active Directory hygiene by:

  • Disabling inactive users
  • Finding users who never changed their passwords
  • Removing users with direct administrative access
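The three Active Directory hygiene checks listed above, as an added example that is not part of the case study: it finds enabled accounts with no recent logon, accounts whose password has never been changed since creation, and user objects that sit directly in privileged groups rather than arriving through a role group. The 90-day inactivity threshold, the five-minute "set at creation" tolerance and the privileged group list are assumptions; the only change it would make, disabling inactive accounts, is run with `-WhatIf` so nothing is modified.

```powershell
# Added example; not part of the case study. Requires the ActiveDirectory module (RSAT).
# Thresholds and group names are assumptions; the script is read-only except for a -WhatIf dry run.
Import-Module ActiveDirectory

function Get-ADHygieneFindings {
    param(
        [int] $InactiveDays = 90,                                      # assumed "inactive" threshold
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # 1. Inactive users. LastLogonDate comes from the replicated lastLogonTimestamp, which can lag
    #    the real last logon by up to 14 days, so treat it as a coarse signal. Accounts created
    #    after the cutoff are excluded so brand-new users are not flagged before their first logon.
    $inactive = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
        Where-Object {
            ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) -and $_.whenCreated -lt $cutoff
        }

    # 2. Users who never changed their password: pwdLastSet is unset (must change at next logon),
    #    or the password was last set at account creation and never since (assumed 5-minute tolerance).
    $neverChanged = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, whenCreated |
        Where-Object {
            $null -eq $_.PasswordLastSet -or
            ($_.PasswordLastSet - $_.whenCreated).TotalMinutes -lt 5
        }

    # 3. Direct administrative access: user objects that are direct members of a privileged group.
    #    Get-ADGroupMember without -Recursive returns only direct members, which is what we want here.
    $directAdmins = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Group = $g; User = $_.SamAccountName } }
    }

    [pscustomobject]@{
        InactiveUsers        = @($inactive     | Select-Object SamAccountName, LastLogonDate)
        NeverChangedPassword = @($neverChanged | Select-Object SamAccountName, PasswordLastSet)
        DirectAdminMembers   = @($directAdmins)
    }
}

# Usage: collect the findings, show who holds direct admin membership, and dry-run the disable step
$findings = Get-ADHygieneFindings
$findings.DirectAdminMembers | Format-Table -AutoSize
$findings.NeverChangedPassword | Format-Table -AutoSize
$findings.InactiveUsers | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Drop `-WhatIf` only after the inactive list has been reviewed with the account owners; service and shared mailbox accounts often show no interactive logon and will appear in it. For the direct admin members, the fix the case study describes is to move them into a role group and remove the direct membership, which `Remove-ADGroupMember` can do with the same `-WhatIf` dry run first.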

THE RESULTS

OUR APPROACH

Data Taxonomy and Comprehensive Management:

  • Successfully created a data taxonomy tailored to the organisation's needs.
  • Implemented comprehensive data management practices, including conducting data inventory, cataloguing, classification, access monitoring, usage tracking, retention policy definition, and data duplication identification.

Identification and Protection of Regulated Data:

  • Identified and effectively managed Protected Health Information (PHI) and Personally Identifiable Information (PII) across multiple storage locations.
  • Implemented measures to protect PII, PHI, and other sensitive information against cyber-attacks.

Minimise Attack Surface and Controlled Access:

  • Successfully minimised the attack surface despite the increasing use of shared drives and remote connectivity.
  • Implemented restrictions on user access to PII and PHI information to ensure the protection of patient data.
  • Enabled the Least Privilege access model to ensure appropriate access privileges.

Data Hygiene and Risk Management:

  • Implemented data hygiene policies to maintain data integrity and quality.
  • Integrated and operationalised Data Loss Prevention (DLP) measures for proactive data protection.
  • Implemented risk management practices and established reporting mechanisms.

About Getvisibility:

Getvisibility is a trusted leader in data visibility and cybersecurity, providing organisations with the tools they need to safeguard their data and digital assets. With a focus on AI-driven solutions, Getvisibility empowers organisations to proactively manage cybersecurity risks and ensure compliance.

For more information about how we can transform your organisation's data security, check out our cybersecurity use cases or contact us today for a demonstration and in-depth details on our products.
