InfoSec Insider

Then and Now: Securing Privileged Access Within Healthcare Orgs

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, discusses best practices for securing healthcare data against the modern threat landscape.

Healthcare organizations have always been high-value targets for cybercriminals, as their networks store large volumes of personally identifiable information (PII) including Social Security numbers, dates of birth, addresses and very sensitive personal health data.

Since the beginning of the COVID-19 pandemic, the number of targeted attacks on healthcare provider network servers, email systems and devices has rapidly increased as attackers look to take advantage of the overwhelmed healthcare sector struggling to cope with accelerating demand.

Some attackers also attempted to steal information related to COVID-19 statistics and, in some cases, vaccine data. The pandemic has also forced many healthcare providers to adopt and onboard telehealth vendors to allow for remote work and accommodate the influx in traffic, as well as to continue delivering safe healthcare and reduce the potential spread of COVID-19. This has in turn created a larger attack surface, leaving both provider and patient data at higher risk.

Over the last three decades, most healthcare organizations have carried out digital-transformation initiatives, moving patient records and data to networks and cloud environments. Let us take a look back to see how the storage, security and access to patient records have evolved into what they are today.

Healthcare Data Security: Then

Prior to the early 1990s, patient medical records were kept on paper in a library and stored in boxes and on shelves. Records were updated by hand and transported manually to and from medical archives, a process that was extremely inefficient and prone to human error. There was no way of accurately monitoring who had access to the archives or looked at records, and there were very few measures in place that prevented unauthorized employees from looking at patient records. Back then, access control was largely nonexistent, although the records did require physical access.

The digitization of medical records began in some countries in 1991, with the goal of boosting efficiency and accuracy, increasing security, improving privacy and reducing the amount of time wasted. While this project was a life-saving improvement that embraced technology and gave medical professionals instant access to patient records, it presented healthcare organizations with a new wave of security and privacy concerns to navigate, specifically relating to identity and access management security controls.

Securing Healthcare Data: Now

Flash forward to today, and almost all patient medical records are digitalized and housed within a database located on a network. As we witness the increasing number of attacks on healthcare organizations, this data must now be protected with the highest possible security access controls — and there are several key systems and initiatives that organizations can implement to achieve maximum protection.

A properly managed and configured privileged-access control solution is without doubt the most important of these. Most modern access-control systems are role-based, where access to certain systems is delegated and assigned based on a user’s job functions, and each user is only given enough permissions to carry out their role. Whether it be on healthcare-related applications or the operating system, users should never have access to files that exceed the scope of their daily duties. Together, privilege and access management are the most effective deterrent to threats inside a network, whether they come from those who have already compromised the network or from insiders.

Organizations must actively monitor user privileges, ensuring that accounts and roles that are no longer being used are deprovisioned on a regular basis and performing routine verification to determine that each user’s access is still necessary. Often, user privileges will be elevated to allow greater access for a specific task, which can lead to vulnerabilities if the elevation is not removed once the work is finished. It is also critical that an employee’s access is terminated and passwords are changed immediately after they leave a position or move to another role.
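The review described above can be run as a recurring check over an account inventory. The following is an added example, not part of the original article: the role names, permission names, `Account` fields, 90-day threshold and sample accounts are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical role-to-permission map: each role carries only what the job needs.
ROLE_PERMISSIONS = {
    "nurse": {"read_chart", "update_vitals"},
    "billing": {"read_billing", "update_billing"},
    "dba": {"read_chart", "read_billing", "admin_db"},
}

@dataclass
class Account:
    user: str
    role: str
    permissions: set
    last_login: date
    employed: bool = True
    elevation_expires: Optional[date] = None  # set when extra rights were granted for a task

def review(accounts, today, stale_after_days=90):
    """Return (user, action) findings for one pass of a periodic access review."""
    findings = []
    for a in accounts:
        if not a.employed:
            findings.append((a.user, "terminated: disable account and rotate credentials"))
            continue
        if (today - a.last_login).days > stale_after_days:
            findings.append((a.user, "unused: deprovision"))
        # Anything beyond the role baseline must be covered by an unexpired elevation.
        excess = a.permissions - ROLE_PERMISSIONS.get(a.role, set())
        elevated = a.elevation_expires is not None and a.elevation_expires >= today
        if excess and not elevated:
            findings.append((a.user, "excess: revoke " + ",".join(sorted(excess))))
    return findings

# Constructed sample inventory.
TODAY = date(2021, 6, 1)
ACCOUNTS = [
    Account("asmith", "nurse", {"read_chart", "update_vitals"}, date(2021, 5, 30)),
    Account("bjones", "nurse", {"read_chart", "update_vitals", "admin_db"},
            date(2021, 5, 29), elevation_expires=date(2021, 5, 1)),   # elevation lapsed
    Account("clee", "billing", {"read_billing", "update_billing", "read_chart"},
            date(2021, 5, 28), elevation_expires=date(2021, 6, 15)),  # still time-boxed
    Account("dkim", "dba", {"read_chart", "read_billing", "admin_db"}, date(2021, 1, 10)),
    Account("epatel", "billing", {"read_billing"}, date(2021, 5, 31), employed=False),
]

if __name__ == "__main__":
    for user, action in review(ACCOUNTS, TODAY):
        print(f"{user}: {action}")
```

The same excess-permission check also catches a user who moved to another role but kept the old role's rights, since those rights fall outside the new role's baseline.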

While access-control systems can provide high levels of privilege control for healthcare organizations, it is important to remember that there is no practice, application or device that will secure an infrastructure completely without effort and proper conduct from employees.

Employees play a critical role in the security of a healthcare organization, something that is often overlooked. Time and resources must be invested into educating employees on best practices when accessing sensitive systems. For example, all healthcare staff, regardless of their level, should use strong passwords on their devices and avoid texting or emailing information on unprotected devices.

Implementing organization-wide education and training initiatives can help reduce the number of data leaks and safeguard organizations from cybercriminals. One way to help employees reduce cyber-fatigue and move passwords into the background is to help them adopt a strong password-management solution, which will reduce the number of accounts and passwords they need to manage directly.

Joseph Carson is chief security scientist and advisory CISO at ThycoticCentrify.
