The cybersecurity challenges confronting healthcare providers are immense. Patient data must be constantly secured, and large numbers of connected devices must operate consistently and securely in an environment where patients, doctors, non-medical staff, the IT department, and outside contractors all require varying levels of system access. When one takes the challenges of securing such an environment together with the high value of patient data – in which a typical electronic health record (EHR) for an individual can contain their name, their social security number, their medical history, their banking and credit card information, the names of their relatives, and much more of value to hackers – it’s easy to see why healthcare is the industry most often targeted by hackers. And not only is healthcare the most targeted industry, it’s the most successfully targeted and breached: In 2018, the healthcare industry suffered more data breaches than any other. To make matters worse, detecting and containing a data breach in healthcare takes an average of 365 days – and the breaches themselves cost three times more than in any other industry.
Healthcare Industry Security Vulnerabilities
High vulnerability and high value coincide to make healthcare providers a particularly attractive target for hackers. In understanding how best to secure healthcare IT, then, it makes sense to go into a little greater depth on specific vulnerabilities, and how they can be ameliorated.
1. Vulnerability: IoT & Connected Devices
Perhaps the biggest vulnerability within the healthcare industry is that the IT infrastructure tends to have a very high number of access points – think equipment like connected MRIs, iPads being carried by staff, desktop computers at nursing stations, laptops on carts, wireless repeaters to amplify signal throughout a hospital, and everything else that in today’s environment can be connected to a network. Without proper security, any of those access points can be used as entrances into the larger system, and that brings us to another vulnerability faced in the healthcare environment: Short-staffed and under-funded IT departments.
2. Vulnerability: IT Staff
Hospitals and other healthcare organizations have a primary focus on providing patient care – and that’s as it should be. But with budgets focused on patient care, there’s often very little left for the IT department. What that means in practical terms is that the IT team is very often small, and operates with a small budget – despite the fact that they very often have long to-do lists, including strict security regulation compliance. Because they have so much to do, including managing all of the connected devices referenced above, corners are sometimes cut as the IT team struggles to keep up with the workload. This should not be taken as an attempt to deride IT teams, however; they are trained professionals who work hard. But it is true to say that small, overworked IT teams are a potential vulnerability simply because they very often can’t keep up with all of the demands that proper cybersecurity requires.
3. Vulnerability: Third-Party Contractors and Vendors
Precisely because IT teams are small and yet are faced with an overwhelming task list, third-party vendors are often called in to do specific work on which they are expert – updating a server, for example. And all those high-tech connected machines require licensed manufacturer technicians to handle maintenance and calibration. To do this work, contractors are often given privileged access to the system, remotely or on-site. If such access is not closely monitored and limited, however, a contractor can have free rein within the system itself or bounce across the network to other valuable targets. This creates yet another potential system vulnerability in terms of both security and privacy, because with inappropriate system access a contractor may be able to see patient records or run amok with life-saving equipment, and thus run afoul of not only cybersecurity protocols, but also regulatory compliance measures like NIS and the GDPR in Europe and HIPAA, HITECH, PCI DSS, and other measures in the U.S.
Closing Down the Vulnerabilities
Given the particular needs and environment of a healthcare provider, any solution designed to close these vulnerabilities needs to have several key qualities. An appropriate solution must:
- Be low-impact, so that the delivery of healthcare is not impacted;
- Be high-result, so that the vulnerabilities are closed;
- Be easily implemented, so that it can be put in place quickly, with a minimum of disruption; and
- Incorporate security-by-design principles, to minimize IT workload while simultaneously maximizing security throughout the system.
These qualities are vital – but what specific problems should such a solution address, and what features should it have in order to do so? A suitable solution will:
- Be capable of controlling remote access;
- Provide for session oversight of users within the system;
- Properly enforce the principle of least privilege;
- Streamline management for the IT / security team;
- Ensure compliance with the many regulations dealing with healthcare.
The Cure: PAM
A robust privileged access management (PAM) solution can meet the above requirements – but only if it comprises several key components that work together. It should have, in the first instance, an access manager component that gives security teams control of, and visibility into, privileged access. That is, managers should be able to define privileges for any user, ensuring that the user can only see the systems and do the tasks for which they are authorized. Aside from assigning such privileges, the security team also needs visibility into login activity, and the actions that privileged users take while they are in the system.
A proper PAM solution will also provide session management capabilities. Such capabilities should be both real-time and automated. That is, the session manager should be capable of detecting inappropriate session activity on its own, and should have the power either to terminate such a session automatically or to raise real-time alerts so that administrators can examine the session and take the necessary steps. Furthermore, the session manager component of a PAM solution should be capable of recording all sessions, which is especially critical in a healthcare setting: It provides an audit trail for regulatory compliance, but can also be used both as a training tool and as a diagnostic resource in case of an equipment failure. For example, if a contractor updates the software on an MRI machine, and the machine subsequently suffers a malfunction, the session logs can be used to determine if the update was done improperly, or if the machine has suffered a true mechanical malfunction.
Finally, a proper PAM solution will also have a strong password manager component. Such a component will guarantee both that passwords are of sufficient strength and also are regularly rotated, so that even if a hacker somehow gains a password it will be obsolete before they can attempt to use it to gain system access. To further secure the system, session-based password expirations are particularly useful when contractors are logging into the system, because the password manager can rotate the password as soon as a contractor ends their session – thus guaranteeing that the password can’t be used at a later point to reenter the system without the security team’s consent.
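The session manager and password manager behaviour described above can be sketched together in a few lines. This is an added example, not code from any PAM product: the role and target names, the commands and the policy table are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed least-privilege policy: exact commands a role may run on a target.
POLICY = {("mri-vendor", "mri-01"): {"show version", "apply firmware 2.4"}}

class Vault:
    """Password manager: one secret per target, never reused after rotation."""
    def __init__(self):
        self._secrets = {}
    def checkout(self, target):
        return self._secrets.setdefault(target, secrets.token_urlsafe(24))
    def rotate(self, target):
        self._secrets[target] = secrets.token_urlsafe(24)
    def is_valid(self, target, password):
        return secrets.compare_digest(self._secrets.get(target, ""), password)

@dataclass
class Session:
    """Session manager: records every command, ends the session on a violation."""
    vault: Vault
    role: str
    target: str
    audit: list = field(default_factory=list)
    active: bool = False

    def __post_init__(self):
        if (self.role, self.target) not in POLICY:
            raise PermissionError(f"{self.role} has no access to {self.target}")
        self.password = self.vault.checkout(self.target)
        self.active = True

    def run(self, command):
        if not self.active:
            raise RuntimeError("session is closed")
        allowed = command in POLICY[(self.role, self.target)]
        self.audit.append((self.role, self.target, command, allowed))
        if not allowed:
            self.close()  # automatic termination; an alert could be raised here
        return allowed

    def close(self):
        if self.active:
            self.active = False
            self.vault.rotate(self.target)  # session-based password expiration

if __name__ == "__main__":
    s = Session(Vault(), "mri-vendor", "mri-01")
    print(s.run("apply firmware 2.4"), s.run("cat /records/patients.db"), s.audit)
```

The audit list doubles as the session record: after the MRI update in the sample run, it shows exactly which commands the contractor issued and which one ended the session.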
Healthcare at Risk: The Webinar
Security incidents are now an inevitable part of business. But healthcare organizations that have a proper PAM solution in place can substantially lower the costs of a data breach – typically by somewhere around $1.5 million per breach.
For more insights on securing healthcare IT infrastructure with PAM, be sure to watch the webinar, Healthcare at Risk: Securing patient data and critical equipment in the healthcare sector, presented by WALLIX VP of Sales Chad Carter. Chad discusses all of the above topics, and provides his own insights into this critical challenge with the view that if protecting patients is a healthcare provider’s primary function, then that protection should – and must – extend to cybersecurity protections, as well.