Modernizing healthcare infrastructure also needs to include better ways to protect data
Enterprises across a range of industries have digitally transformed over the years to upgrade business operations, realize higher growth potential and align better with emerging customer expectations.
The healthcare industry in particular has been ahead of the curve and made dramatic changes over the past decade in its digital transformation efforts by shifting from paper-based to digital systems.
Digital health technology has also been deployed to address the most acute needs while navigating the COVID-19 pandemic, including in the immediate outbreak response and later in impact mitigation. For example, healthcare providers were able to leverage telehealth to conduct triage or offload hospital personnel by conducting routine patient visits remotely.
But it begs the question: With the constant modernizing of healthcare infrastructure and IT estates, does it make sense to use an outdated privileged access management (PAM) approach to secure access to more modern solutions? Would you buy a new car and ask them to put a physical keylock on it?
The Growing Security Threat to Health Care
While integrating anything with an outdated approach can be challenging, the problems are especially poignant—and critical to overcome—when it comes to security. We all know that cybersecurity is important, but it rings true now more than ever when threat actors are looking to leverage a period of uncertainty.
According to the “2020 Verizon Protected Health Information Data Breach Report,” misuse (incidents involving unapproved or malicious use of organizational resources) is a common root cause of security incidents in health care. In 66% of incidents, the threat actor is misusing privileged credentials to gain unauthorized access to data.
Attacks are as prevalent as ever as well, with recent attacks such as the Magellan Health breach that impacted more than 365,000 patients, or the 274,000 patients impacted by the Benefit Recovery Specialists credential hack. In addition, just last month, an audit of LifeLabs’ 2019 data breach revealed that the testing organization was collecting more personal health information than necessary and didn’t have adequate security tools and processes in place.
It’s no secret that the industry is a prime target for threat actors due to its dealings with a vast amount of highly sensitive data, which needs to remain current and accurate—particularly in instances where life or death decisions may depend on it. In turn, the Dark Web offers a breeding ground where healthcare records are a hot commodity that often go for a much higher price than credit card numbers.
Due to the significance of this personal data, it’s no surprise that health care is such a highly regulated industry. Those who work in this vertical need to do things right, do things fast and remain in compliance with requirements such as HIPAA and HITECH. That is a pretty tall order in itself; however, when combined with the fact that the most common threat actors in health care are insiders, it can paint a rather challenging picture.
So where do we begin to try to thwart these attacks and maintain the necessary compliance? A good place to start is looking at how attackers are attempting to access healthcare data and then countering those tactics and techniques. For example, it only takes one compromised credential to lead to millions of damages and HIPAA fines. If 80% of data breaches are tied to compromised credentials, such as Forrester Research estimates, it’s important to pinpoint and target that area and do everything possible to prevent this.
Stepping Up IAM Practices and Remaining Compliant
First, multi-factor authentication (MFA) is low-hanging fruit that can significantly increase the effectiveness of authentication. Since MFA requires more ways to authenticate than just a simple username and password, it’s one of the best options to prevent unauthorized users from accessing sensitive data and moving laterally within the network. MFA should be used everywhere, not just for end user access to applications, but across every user (end users, privileged users, contractors and partners) and every IT resource (cloud and on-premises applications, VPN, endpoints and servers).
In addition, considering the high percentage of privileged access misuse in the healthcare industry, enforcing least privilege access is essential to prevent unauthorized access to sensitive data by malicious insiders and external threat actors. This entails establishing granular, role-based PAM controls to limit lateral movement, as well as just-enough, just-in-time access to systems and infrastructure.
Cloud-ready solutions can generally best expedite healthcare organizations’ digital transformations when ready. On-premises-bound PAM solutions simply cannot secure modern attack surfaces brought about by digital transformation. Organizations need to quickly move to a least-privilege approach backed by cloud-ready services that minimize the attack surface and improve audit and compliance visibility, as well as reduce risk, complexity and costs for the modern, hybrid enterprise.
Whether implementing procedures for monitoring log-in attempts and reporting discrepancies, recording any privileged access on the server or allowing person or entity authentication, it is imperative that healthcare organizations improve their HIPAA compliance postures with an identity-centric PAM approach founded on zero trust principles: never trust, always verify, enforce least privilege.
The challenges of properly managing and securing privileged access across heterogeneous environments such as health care can be difficult, but they’re not impossible to overcome with the modern solutions and approaches available today.