The increased use of electronic personal information, coupled with rapid advances in healthcare technology, has created complex healthcare delivery networks that are target-rich environments for cyberattackers. David Higgins, Director of Customer Development at CyberArk, tells us how healthcare organisations should update their security environment to face the current threat landscape and increasingly tight regulations.
Today’s healthcare systems rely increasingly on electronic personal health information (ePHI), while the acceleration of healthcare technology is creating a widened and more complex attack surface than ever for healthcare delivery networks. Savvy cybercriminals are looking for any opportunity to exploit the cloud-based applications or IoT enabled devices that healthcare now relies on, so they can get hold of ePHI.
The growing exposure of networks showcases the concerning vulnerabilities plaguing a healthcare service desperate for stronger cybersecurity. Specifically, the NHS suffers from outdated and unsupported software and a massive cybersecurity skills shortage, which compromise security and the ability to efficiently safeguard against ransomware and internal threats to ePHI, whether malicious or the result of human mistakes. At the same time, we’re seeing an increasing number of regulations around ePHI being created, such as HIPAA HITECH and GDPR, while non-compliance is bringing harsher penalties, particularly in relation to privileged access management.
Recent Verizon analysis revealed that 58% of cyberincidents involved insiders and, even more worryingly, healthcare was the only industry in which internal actors were the biggest threats to an organisation. However, it’s important to remember that the attack vectors are vast in healthcare. When it comes to privileged access, all the human points of access must be monitored, including those holding administrator rights, along with non-human access. Particularly important are the applications and medical devices that interact with critical systems and enable fundamental processes such as integrating patient diagnostic data from third-party services or seeking reimbursement from a payer organisation.
The most effective thing healthcare organisations can do to manage access to privileged accounts, credentials and secrets is to put in place a reliable way of containing insider threats. With strong privileged access security procedures in place, an attacker’s ability to escalate privileges, and subsequently to access sensitive systems, is limited. Proper cybersecurity hygiene in an environment where the stakes are so high cannot be compromised. This all starts with effective privileged access management.
What do today’s threats look like?
As patient demands keep changing, new and innovative technologies arrive to improve patient care. The issue is that such fast innovation cannot be delivered without the tighter cybersecurity measures that will protect it. ePHI is now being dispersed across expansive networks of patient monitoring devices, mobile endpoints for employees and self-service patient web portals, growing the risk to healthcare providers. Taking a holistic approach to securing the environment is the only effective way of reducing the risk of damaging cybersecurity incidents, and that includes correct privileged access control.
Building ‘high walls’ to protect an organisation’s perimeter is an out-of-date approach to security. According to the CyberArk Global Advanced Threat Landscape Report 2018, 52% of healthcare IT decision-makers cannot prevent attackers from breaking into their networks, and 59% believe that customers’ personally identifiable information (PII) could be at risk. Organisations must understand that a breach will happen to them, so that they implement the security tools that will prevent an attacker from gaining access to sensitive systems.
Beware of new regulations and their harsher penalties
While ransomware and other cyberattacks continue to grow alarmingly, IT organisations face an increasingly tight regulatory environment. Strong privileged access security (or the lack thereof) can make or break a healthcare organisation’s ability to demonstrate compliance and avoid hefty fines.
The other side of the coin is the significant operational costs organisations face to recover from a data breach. A Ponemon study found that a healthcare data breach costs on average US$380 per record – more than 2.5 times the global average across industries.
To demonstrate compliance with HIPAA HITECH, GDPR and other industry regulations, healthcare providers must have access to documented, auditable proof of their efforts to protect privileged access. Audit trails require organisations to have comprehensive monitoring, recording and isolation of all privileged user sessions, detailed activity reports on critical ePHI databases and applications, fully searchable audit logs, and complete, multi-layered protection of the audit trail data itself.
How to approach securing your integrated care delivery network investment
The biggest imperative for organisations is to manage privileges so as to proactively protect against, detect and respond to attacks in progress before attackers compromise vital systems and data. But managing privileges does not mean denying them; rather, it means controlling who has access to what and why. Managing privileged access is a crucial part of basic cybersecurity hygiene which can have a significant, positive impact on an organisation’s security posture and compliance efforts.
Privileged access security is an essential first step in maturing a healthcare cybersecurity programme and must be a strategic priority. It can provide proactive, automated, end-to-end detection and protection for all privileged access to systems containing ePHI. Privileged threat detection and analytics provide the ability to respond to and remediate any anomalous or high-risk activity. Monitoring privileged activity to ensure users are not disabling, circumventing or altering implemented security safeguards and controls is not only a best practice but often required by regulations.
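The two requirements above (a tamper-evident record of privileged sessions, and detection of privileged users disabling safeguards or accessing ePHI anomalously) can be made concrete in a few dozen lines. The following is an added example written for this article; it is not CyberArk code and not any product's log format. The log lines, user names, host names, field names, rule thresholds and business hours are all constructed assumptions for the example.

```python
"""Added example: a tamper-evident privileged-activity audit trail with a few
detection rules for high-risk privileged behaviour. Not from the article or
CyberArk; log schema, names and thresholds below are constructed assumptions."""
import hashlib
import json
from datetime import datetime

# Constructed privileged-session audit records (JSON, one per line). The field
# names are an assumption for this example, not a real product schema.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:12:00","user":"admin.jsmith","host":"ephi-db01","action":"query","target":"patients","session":"s-101"}
{"ts":"2024-03-04T09:13:10","user":"admin.jsmith","host":"ephi-db01","action":"query","target":"encounters","session":"s-101"}
{"ts":"2024-03-04T02:41:00","user":"admin.jsmith","host":"ephi-db01","action":"export","target":"patients","session":"s-102"}
{"ts":"2024-03-04T02:42:30","user":"admin.jsmith","host":"ephi-db01","action":"config","target":"audit_logging=off","session":"s-102"}
{"ts":"2024-03-04T11:05:00","user":"svc-billing","host":"claims-app","action":"interactive_login","target":"claims-app","session":"s-103"}
"""

# Configuration changes that disable, circumvent or alter a safeguard (assumed labels).
SAFEGUARD_TAMPERING = ("audit_logging=off", "av_disable", "firewall_off")
# Actions that touch ePHI in bulk (assumed labels).
BULK_ACTIONS = ("export", "dump")
# Assumed local business hours for interactive administrative work.
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Parse the newline-delimited JSON audit log into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def chain_records(records, seed="genesis"):
    """Annotate each record with a SHA-256 hash that covers the record body and
    the previous record's hash. Keeping the chain heads on a separate,
    write-once store makes later edits or deletions of the log detectable."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for rec in records:
        body = json.dumps(rec, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chained.append({**rec, "prev_hash": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained, seed="genesis"):
    """Recompute the chain; return the index of the first bad record, or -1 if intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, rec in enumerate(chained):
        body = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
        expected = hashlib.sha256(
            (prev + json.dumps(body, sort_keys=True)).encode()
        ).hexdigest()
        if rec["prev_hash"] != prev or rec["hash"] != expected:
            return i
        prev = expected
    return -1


def detect(records):
    """Apply the detection rules; return a list of (session, rule, record)."""
    findings = []
    for rec in records:
        hour = datetime.fromisoformat(rec["ts"]).hour
        # A privileged user turning off a control is always high-risk.
        if rec["action"] == "config" and rec["target"] in SAFEGUARD_TAMPERING:
            findings.append((rec["session"], "safeguard_disabled", rec))
        # Bulk ePHI access outside business hours is anomalous for a human admin.
        if rec["action"] in BULK_ACTIONS and hour not in BUSINESS_HOURS:
            findings.append((rec["session"], "off_hours_bulk_ephi_access", rec))
        # Non-human (service) accounts should never log in interactively.
        if rec["user"].startswith("svc-") and rec["action"] == "interactive_login":
            findings.append((rec["session"], "service_account_interactive", rec))
    return findings


def sessions_to_review(findings):
    """Group findings by session so each flagged session is reviewed once."""
    by_session = {}
    for session, rule, _ in findings:
        by_session.setdefault(session, []).append(rule)
    return by_session


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    chain = chain_records(recs)
    print("audit chain intact:", verify_chain(chain) == -1)
    for session, rules in sessions_to_review(detect(recs)).items():
        print(session, "->", ", ".join(rules))
```

In this sample, session s-102 is flagged twice (an off-hours bulk export of the patients table followed by audit logging being switched off) and s-103 once (a service account logging in interactively); the daytime queries in s-101 produce no finding. The hash chain is what lets an auditor show that the exported log has not been edited or shortened after the fact, which is the point of protecting the audit trail data and not just collecting it.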
In the age of never-ending cyberattacks and stricter regulations, securing the environment is no longer an option but a necessity. Beyond the regulatory costs and risk to patient data, breaches can considerably slow down processes, which can become life-threatening for patients waiting urgently for operations whose health data is suddenly held to ransom or wiped from the database. Privileged access management needs to be at the forefront of healthcare organisations’ efforts if they are to be fully compliant and protect patients’ data thoroughly.