
Let’s Not Run Before We Can Walk: Security As The First Step For Digitised Healthcare

By David Higgins | November 21, 2018 | Updated: July 16, 2021 | 5 Mins Read

The acceleration of electronic personal health information (ePHI), coupled with an increase in healthcare technology – from cloud-based applications to IoT-enabled devices to telemedicine – has paved the way for complicated healthcare delivery networks that are goldmines for savvy cyber criminals.

More exposed networks have shed light on the vulnerabilities of a healthcare service in urgent need of more robust cyber security. The NHS in particular is often bogged down with antiquated and unsupported software, and a concerning cyber security skills shortage, which makes it increasingly challenging to safeguard against ransomware and internal threats to ePHI – both malicious and those resulting from innocent human error. Moreover, regulations around ePHI, such as HIPAA HITECH and GDPR, continue to increase while non-compliance is bringing more stringent penalties, particularly relating to privileged access management.

One thing to consider is that attack vectors are vast in healthcare. When it comes to privileged access, all the human points of access must be considered carefully, including people with administrator rights, along with non-human access – including the applications and medical devices that interact with critical systems and enable important processes such as integrating patient diagnostic data from third-party services or seeking reimbursement from a payer organisation.

Managing access to privileged accounts, credentials and secrets is an effective way to limit insider threats. With privileged access security procedures firmly in place, an attacker’s ability to escalate privileges and subsequently to access sensitive systems will be reduced. Proper cyber security hygiene in an environment where the stakes are so high is an absolute must. It all starts with effectively managing privileged access.

Assessing the threats

Patients now want healthcare advice and treatment in the quickest and most hassle-free way possible. This demands new technologies to keep pace. Security quite simply has to keep up.

With ePHI now being dispersed across expansive networks of patient monitoring devices, mobile endpoints for employees and self-service patient web portals, the risk to healthcare providers is only going to escalate. Only those organisations that take a holistic approach to securing their environments – including correct privileged access control – will minimise the risk of a damaging cyber security breach.

Building “high walls” to protect an organisation’s perimeter is an old-fashioned approach to security. According to the CyberArk Global Advanced Threat Landscape Report 2018, 52 percent of healthcare IT decision-makers cannot prevent attackers from breaking into their networks, and 59 percent believe that customers’ personally identifiable information (PII) could be at risk. Therefore, we challenge organisations to assume that a breach will happen and to implement security tools that prevent an attacker from gaining access to sensitive systems.

Tightening up on regulations and penalties

As ransomware and other cyber-attacks continue to hit our headlines, IT organisations are tasked with managing threats in an increasingly tight regulatory environment. Strong privileged access security (or the lack thereof) can make or break a healthcare organisation’s ability to demonstrate compliance and avoid hefty fines.

Beyond these regulatory penalties, there are operational costs attached to recovering from a data breach. A Ponemon study found that a healthcare data breach costs on average USD$380 per record – more than 2.5 times the global average across industries.

To demonstrate compliance with HIPAA HITECH, GDPR and other industry regulations, healthcare providers must have access to documented, auditable proof of their efforts to protect privileged access. Audit trails require a solution that enables comprehensive monitoring, recording and isolation of all privileged user sessions, detailed activity reports on critical ePHI databases and applications, fully searchable audit logs, and complete, multi-layered audit trail data protection.

Security as a ‘must’ with integrated, digitised healthcare

Organisations must manage privileges to proactively safeguard against, detect and respond to attacks in progress before attackers compromise vital systems and patient data. But managing privileges does not mean denying them. Instead, it is a matter of controlling who has access to what and why. Managing privileged access is a part of basic cyber security hygiene and can have a significant, positive impact on an organisation’s security posture and compliance efforts.

Because privileged access security complements existing security tools, it helps organisations leverage their existing cyber security investments towards notable improvements. Privileged access security is an essential first step in maturing a healthcare cyber security programme and must be a strategic priority.

In the age of mass cyber breaches making headline news, securing the environment is no longer an option but an absolute necessity. Beyond the regulatory costs and risk to patient data, breaches can considerably slow down processes, which can become life-threatening for patients waiting urgently for operations and whose health data is suddenly held to ransom or wiped from the database. Securing privileged access management needs to be on the frontline for healthcare organisations to be fully compliant and protect patients’ data in the era of digitised healthcare.

David Higgins

EMEA Technical Director
