November 4, 2019

How do you protect access to patient data that multiplies in size and is saved across disparate locations across your organization? Within any healthcare trust, sensitive information will regularly find its way into spreadsheets, slides and other unstructured formats that are then saved in a variety of file stores such as SharePoint, NAS devices and cloud storage. This continuously happens as people and even software bots run nightly reports, while others explicitly copy and paste data into documents and presentations. In addition, hard copy documents are regularly scanned, digitised and stored electronically. These activities create a sea of files, also referred to as ‘unstructured data’. If left unmanaged, healthcare trusts run the huge risk of exposing patient information. 

So how can healthcare trusts prevent losing this data through inappropriate access? Here are six ways in which data is typically exposed.

Ignoring Open Access

Open repositories, such as folders and containers that have little or no access controls, are a natural spot for data to accumulate. In many cases, this will include highly sensitive information. This data is easy to use and easy to share. Furthermore, this data is a natural target when automated processes are used to share data. The longer these data files exist, the more uses people find for them. All of this leads to the first big miscalculation – overlooking where sensitive data resides.

Never checking an account’s access paths

User access to file folders is commonly managed in a variety of ways, with well-intentioned policies and access groups quickly giving way through nesting and misuse into a clutter of tangled access paths that resembles spaghetti. Thus, removing the user from one spot often doesn’t have any effect on their actual access. This leads to the second common oversight – presuming there’s only one way to gain access.

Manually reviewing all access events

Leaving no stone unturned becomes impossible when you’re talking about covering mountains of event data including file modifications, access changes and folder renames. Without using identity information and common sense to filter out regular traffic, examining every event activity becomes impossible. This means high-risk activity may slip by and go unchecked or worse, discovered long after the activity occurred. Misstep number three is simply trying to boil the ocean by not using identity context to filter out the low-risk event data.

Manually reviewing all access events

Leaving no stone unturned becomes impossible when you’re talking about covering mountains of event data including file modifications, access changes and folder renames. Without using identity information and common sense to filter out regular traffic, examining every event activity becomes impossible. This means high-risk activity may slip by and go unchecked or worse, discovered long after the activity occurred. Misstep number three is simply trying to boil the ocean by not using identity context to filter out the low-risk event data.

Treating all folders equally

A folder containing sensitive data and a folder containing your favourite downloaded articles do not contain the same risk, yet many healthcare organisations treat all folders equally. This means that you aren’t focusing your governance time and dollars where they will have the most effect. Instead of classifying the type of data located on file folders, identifying open access material, and prioritising efforts around content with the highest levels of activity, the fourth mistake is not prioritising access to file folders based on sensitivity of content.

Making IT review all of the access

Who better to review access to files than IT – right? After all, IT is responsible for the infrastructure and ensuring access is secure and appropriate.  Add to that, no one else has the time. That may not be how some healthcare organisations feel or think, but it is how many act. The reality is that IT does not possess the contextual knowledge of users, the data stored and the location of sensitive information. It is the business users who have this context and are pivotal to ensuring only the right people gain access. Yet often, the burden of protecting patient data and other sensitive information falls on IT and security teams. Error number five is not sharing responsibility across all departments.

Using as many different tools to enforce your governance policies

It is common to develop a layered approach to security that’s very effective when using tools that do different jobs. However, when healthcare trusts govern different cloud vendors with different tools and then add more tools for on-premises storage, NAS and SharePoint, it results in a risky siloed approach to controlling access. Not only does this inconsistent approach lead to security gaps that attackers can exploit, it also makes it difficult to gain a complete view of your risk exposure, as well as to respond to changes and new operational directives as multiple tools require multiple attempts to cover the same problem. Over-diversification of tools is bad idea number six.

According to Gartner, an estimated 80% of the world’s data is unstructured.1 And one in four users will save sensitive data to cloud apps or share it with someone else.2 It’s time to tame the sea of unstructured data. It’s time to extend identity governance to data stored in files. Here are the six things healthcare trusts could do to protect patient data. 

  1. Find and remove open access 
  2. Minimise multiple paths of access
  3. Automate real-time activity responses
  4. Discover where sensitive data resides and apply appropriate access controls
  5. Leverage business users (or line of business users) to participate in information security efforts
  6. One tool for the job

To learn more, contact us or visit the Identity for Healthcare page.

  1. Gartner, “Organizations Will Need to Tackle Three Challenges to Curb Unstructured Data Glut and Neglect Foundational,” January 2017
  2. SailPoint Market Pulse Survey 2017

Find out how SailPoint can help your organization.

*required field

By submitting this form, you understand and agree that use of SailPoint’s web site is subject to SailPoint Technologies’ Privacy Statement.