COMMENTARY

Make privileged-access security a priority to protect patient data

THE increased use of electronic personal health information (ePHI), coupled with rapid advances in healthcare technology - from cloud-based applications to IoT-enabled devices to telemedicine - has created complex healthcare delivery networks that are target-rich environments for cyber attackers.

In Singapore, there is increasing adoption of digital healthcare solutions such as TeleHealth, smart home monitoring systems, assistive technology (analytics and robotics), HealthHub portal and healthcare apps, as a result of the country's ambition to become the world's first Smart Nation.

While digital healthcare solutions clearly have the potential to improve lives, they can also be a security nightmare if personal safety and privacy are put at risk. Thus, the issue of cyber security becomes paramount. It's no longer just an IT concern; it is quickly becoming a public safety and infrastructure issue, too. Security must be planned for and supported as an integral part of the Smart Nation initiative.

Outdated and unsupported software, a massive cyber security skills shortage and rapidly evolving technology have left hospitals and healthcare systems vulnerable to ransomware and internal threats to ePHI - both malicious and those resulting from human error. Recent cyber breaches involving healthcare providers around the world drive home the need for the healthcare industry to ensure that effective security is designed and implemented in the overall system.

The attack vectors are expansive in healthcare. Especially when it comes to privileged access, we have to consider all the human points of access, including people with administrator rights, along with non-human access - including the applications and medical devices that interact with critical systems and enable fundamental processes such as integrating patient diagnostic data from third-party services or seeking reimbursement from a payer organisation. Managing access to privileged accounts, credentials and secrets is an effective way to limit the moves an intruder can make after a breach. With privileged-access security measures in place, an attacker's ability to escalate privileges and move laterally to access sensitive systems will be contained.

In an environment where the stakes are so high, proper cyber security hygiene is highly critical. This starts with effectively managing privileged access.

Innovation continues to introduce new technologies that improve patient care, but could leave organisations at risk. With ePHI now being dispersed across expansive networks of patient monitoring devices, mobile endpoints for employees and self-service patient web portals, the risk to healthcare providers continues to evolve. Only organisations that take a holistic approach to securing their environments, including correct privileged access control, will reduce the risk of a catastrophic cyber security incident. A recent study disclosed that 52 per cent of healthcare IT decision-makers cannot prevent attackers from breaking into their networks, and 59 per cent believe that customers' personally identifiable information (PII) could be at risk. Therefore, we challenge organisations to assume that a breach will happen and to implement security tools that prevent an attacker from gaining access to sensitive systems.

TIGHTER REGULATIONS, HARSHER PENALTIES

As ransomware and other cyber attacks continue at an alarming rate, IT organisations face an increasingly tight regulatory environment. Strong privileged-access security (or the lack thereof) can make or break a healthcare organisation's ability to demonstrate compliance and avoid financial penalties.

In Singapore, the new Cybersecurity Bill designates healthcare as one of the 11 critical sectors of essential services to be termed Critical Information Infrastructure (CII). The Bill imposes serious cyber security obligations on CII owners. They are subject to statutory duties to comply with codes and directions, and report incidents to the Commissioner. They are also required to conduct regular audits and risk assessments for cyber security vulnerabilities. There are significant criminal and civil penalties for failing to comply with these obligations. Beyond these regulatory penalties, there are significant operational costs to recover from a data breach. A Ponemon study found that a healthcare data breach costs on average US$380 per record - more than 21/2 times the global average across industries.

To demonstrate compliance with CII regulations, healthcare providers must have access to documented, auditable proof of their efforts to protect privileged access. Audit trails require a solution that enables comprehensive monitoring, recording and isolation of all privileged-user sessions, detailed activity reports on critical ePHI databases and applications, fully searchable audit logs and complete, multi-layered audit trail data protection.

It has become increasingly clear that cyber security is a risk factor in health care data. Consequently, organisations must manage privileges to proactively protect against, detect and respond to attacks in progress before vital systems and data are compromised. But managing privileges does not mean denying them. Instead, it is a matter of controlling who has access to what and why. Managing privileged access is part of basic cyber hygiene and can have a huge, positive impact on an organisation's security posture and compliance efforts.

Because privileged-access security complements existing security tools, it helps organisations use their existing cyber security investments towards demonstrable improvements. Privileged-access security is an essential first step in maturing healthcare cyber security and must be a priority.

  • The writer is CyberArk Labs team leader in research

BT is now on Telegram!

For daily updates on weekdays and specially selected content for the weekend. Subscribe to t.me/BizTimes