Proper cybersecurity hygiene in the healthcare sector is imperative. This journey all starts with effectively managing privileged access, as CyberArk’s David Higgins explains.
The increased use of electronic personal health information (ePHI), coupled with an acceleration in healthcare technology – from cloud-based applications to IoT-enabled devices to telemedicine – has created complex healthcare delivery networks that are target-rich environments for savvy cyber criminals. More exposed networks have shed light on the vulnerabilities of a healthcare service in urgent need of more robust cybersecurity. The NHS in particular is often plighted with outdated and unsupported software, as well as a massive cybersecurity skills shortage, which makes it increasingly difficult to safeguard against ransomware and internal threats to ePHI – both malicious and those resulting from human mistakes. All the while, regulations around ePHI, such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act and the General Data Protection Regulation (GDPR), continue to increase while non-compliance is bringing stiffer penalties, particularly in relation to privileged access management.
According to recent Verizon analysis, 58% of cyber incidents involve insiders – healthcare is the only industry in which internal actors pose the biggest threat to an organisation.
However, it’s important to remember that the attack vectors are vast in healthcare. When it comes to privileged access, all the human points of access must be considered, including people with administrator rights, along with non-human access – including the applications and medical devices that interact with critical systems and enable fundamental processes such as integrating patient diagnostic data from third-party services or seeking reimbursement from a payer organisation.
Managing access to privileged accounts, credentials and secrets is an effective way to prevent insider threat and limit the moves a threat actor can make after they establish a foothold on the network. With privileged access security procedures firmly in place, an attacker’s ability to escalate privileges and subsequently to access sensitive systems will be reduced. Proper cybersecurity hygiene in an environment where the stakes are so high is imperative. This journey all starts with effectively managing privileged access.
The current healthcare threat landscape
Changing patient demands are ushering in new and innovative technologies to improve patient care. But with such fast innovation has to come tighter cybersecurity measures. With ePHI now being dispersed across expansive networks of patient monitoring devices, mobile endpoints for employees and self-service patient web portals, the risk to healthcare providers is only set to grow. Only those organisations that take a holistic approach to securing their environments – including correct privileged access control – will reduce the risk of a damaging cybersecurity incident.
Building ‘high walls’ to protect an organisation’s perimeter is an out of date approach to security. According to the CyberArk Global Advanced Threat Landscape Report 2018, 52% of healthcare IT decision makers cannot prevent attackers from breaking into their networks, and 59% believe that customers’ personally identifiable information (PII) could be at risk. Therefore, we challenge organisations to assume that a breach will happen and to implement security tools that prevent an attacker from gaining access to sensitive systems.
Tighten regulations and give harsher penalties
As ransomware and other cyber-attacks continue to take effect at an alarming rate, IT organisations face an increasingly tight regulatory environment. Strong privileged access security (or the lack thereof) can make or break a healthcare organisation’s ability to demonstrate compliance and avoid hefty fines.
Beyond these regulatory penalties, there are significant operational costs to recover from a data breach. A Ponemon study found that a healthcare data breach costs on average $380 (~€336) per record – more than 2.5 times the global average across industries.
To demonstrate compliance with HIPAA, HITECH, GDPR and other industry regulations, healthcare providers must have access to documented, auditable proof of their efforts to protect privileged access. Audit trails require a solution that enables comprehensive monitoring, recording and isolation of all privileged user sessions, detailed activity reports on critical ePHI databases and applications, fully searchable audit logs, and complete, multi-layered audit trail data protection.
Take the right steps to protect your integrated care delivery network investment
Organisations must manage privileges to proactively protect against, detect and respond to attacks in progress before attackers compromise vital systems and data. But managing privileges does not mean denying them. Instead, it is a matter of controlling who has access to what and why. Managing privileged access is a part of basic cybersecurity hygiene and can have a significant, positive impact on an organisation’s security posture and compliance efforts.
Because privileged access security complements existing security tools, it helps organisations leverage their existing cybersecurity investments towards notable improvements. Privileged access security is an essential first step in maturing a healthcare cybersecurity programme and must be a strategic priority.
Privileged access security solutions can provide proactive, automated, end-to-end detection and protection for all privileged access to systems containing ePHI. Privileged threat detection and analytics provides the ability to respond to and remediate any anomalous or high-risk activities. Monitoring the behaviour of privileged activity to ensure users are not disabling, circumventing or altering implemented security safeguards and controls is not only a best practice but often required by regulations.
In the age of never-ending cyber-attacks and stricter regulations, securing the environment is no longer an option but a necessity. Beyond the regulatory costs and risk to patient data, breaches can considerably slow down processes, which can become life threatening for patients waiting urgently for operations and whose health data is suddenly held to ransom or wiped from the database. Securing privileged access management needs to be at the forefront of healthcare organisations to be fully compliant and protect patients’ data thoroughly.
This article will appear in issue 8 of Health Europa Quarterly, which will be published in February 2019.