Topics In Demand
Notification
New

No notification found.

Top 5 Data Storage and Backup Device Security Risks in Healthcare
Top 5 Data Storage and Backup Device Security Risks in Healthcare

August 6, 2023

12

0

Top 5 data storage and backup device security risks that must be addressed

Today, approximately 30% of the world’s data volume is being generated by the healthcare industry. That’s a lot of data, and it needs to be stored somewhere reliable and secure. That’s where enterprise storage devices come in. These devices, often in the form of network-attached storage (NAS) or storage area networks (SAN), can handle a massive amount of data and keep things running smoothly. They provide high-performance storage capabilities, advanced data protection features, and scalable storage capacity to meet the needs of businesses with large amounts of data. Enterprise storage devices can store various types of data, including files, documents, images, videos, and databases. Additionally, backup devices are a crucial addition to the tech toolkit as they’re designed to create duplicates of important data and store them in a separate location in case anything goes wrong. With the help of enterprise storage and backup devices, businesses can keep their data safe and sound.

But here’s the thing: while enterprise storage and backup devices are crucial for keeping business operations running smoothly, they can also make companies more susceptible to data breaches. These devices can be targets for cybercriminals who want to steal or manipulate sensitive data. If these devices aren’t properly secured, they can be vulnerable to all sorts of cyberattacks, such as malware infections, data theft, and ransomware attacks.

According to Continuity’s State of Storage and Backup Security Report 2023, the average enterprise storage and backup device has 14 vulnerabilities. And three of those are high or critical risk, which could pose a significant threat if exploited. This indicates that there’s a considerable gap in the state of enterprise storage and backup security compared to other layers of IT and network security. The report detected a total of 9,996 security issues, including vulnerabilities and security misconfigurations, that were not adequately addressed, spanning over 270 security principles. The concerning part is that this year’s report is almost identical to last year’s, indicating little has been done to address this high-risk area. Unpatched vulnerabilities in storage and backup systems are the primary targets for most ransomware, and traditional vulnerability management tools do not cover these systems well. Continuity warns that businesses need to take steps to address these vulnerabilities and ensure that their enterprise storage and backup devices are adequately secured to prevent data breaches.

Here are the top five storage and backup device security risks detected by Continuity in its latest analysis:

  • Insecure network settings (use of vulnerable protocols, encryption ciphers): Insecure network settings, such as vulnerable protocols or weak encryption ciphers, can also cause data breaches in healthcare. Hackers and cybercriminals can exploit vulnerabilities in these protocols and ciphers to gain unauthorized access to sensitive patient information. For example, using outdated protocols, such as Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS), can make a network vulnerable to attacks. Similarly, weak encryption ciphers, such as those that use short keys or outdated algorithms, can make it easier for hackers to decrypt the data. 
  • Unaddressed Common Vulnerability and Exposures (CVEs): CVEs are known security vulnerabilities in software and hardware systems that can be exploited by hackers to gain unauthorized access to sensitive patient information. Healthcare organizations can leave their systems open to attack if they fail to address these vulnerabilities. For example, if a healthcare organization fails to apply a security patch for a known vulnerability in its EHR system, a hacker could exploit it to access patient data.
  • Access rights issues (over-exposure): Over-exposure occurs when individuals are granted access to sensitive patient information that they do not need to perform their job duties. This can occur when healthcare organizations fail to properly manage access rights or when employees abuse their access privileges. For example, a receptionist with access to patient records may inadvertently disclose sensitive information to unauthorized individuals, or an employee with malicious intent could steal patient data.
  • Insecure user management and authentication: Weak user authentication, such as using easily guessable passwords or failing to implement multi-factor authentication, can make it easier for hackers to gain unauthorized access to sensitive patient information. Additionally, poor user management practices, such as failing to disable accounts of former employees, can leave healthcare organizations vulnerable to insider threats. For example, a former employee with access to patient data could intentionally cause a data breach or inadvertently cause a breach through negligence. 
  • Insufficient logging and auditing: Without proper logging and auditing, it can be difficult for healthcare organizations to detect and respond to security incidents, such as unauthorized access attempts or data breaches. Insufficient logging can occur when healthcare organizations fail to record important security events, such as failed login attempts, changes to user permissions, or suspicious network activity. Without this information, it can be challenging to identify potential security risks or investigate security incidents. Inadequate auditing can occur when healthcare organizations do not regularly review and analyze their security logs to identify security incidents or potential security risks.

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


© Copyright nasscom. All Rights Reserved.