Privileged access management: the cyber priority for the healthcare sector

The news has recently been full of stories documenting the rise of technology in the NHS: from the role of artificial intelligence in treating Parkinson’s disease, to Matt Hancock’s call for a greater deployment and use of apps in our health service – there are seemingly never-ending opportunities for new technologies to revolutionise healthcare.

While this race to reap health benefits from technology is exciting, security must not be forgotten. Healthcare organisations now gather huge amounts of valuable data for hackers and the worst attacks are yet to come.

We often hear about the NHS in negative terms on the news, as the service can fall victim to hacks due to outdated and unsupported software. On the other hand, the growing cyber security skills gap makes it incredibly challenging to effectively protect against ransomware and internal threats to information such as electronic personal health information (ePHI). That’s without mentioning regulations around this information, such as HIPAA, HITECH and GDPR, which will increasingly tighten while also bringing in tougher penalties to those organisations that fail to comply.

The CyberArk annual Global Advanced Threat Landscape report revealed that 42% of security professionals around the world admitted that the biggest cyber threat faced was unsecured privileged accounts. When privileged access is concerned, all points of access on any machine or device must be secured. This includes the applications and medical devices that interact with critical systems and enable critical processes such as integrating patient diagnostics data from third-party services.

The key to containing a threat actor, be it internal or external, malicious or not, is to adequately manage privileged accounts, credentials and confidential information. The healthcare sector faces high stakes as it deals with huge amounts of sensitive patient data, so managing and securing privileged access must be a priority.

What does the current healthcare threat landscape look like?

Technology can indeed help modernise our healthcare system by allowing patients to immediately speak to GPs via video, or order repeat prescriptions through an app. But security must be embedded at the heart of these new innovations. A more connected health service will inevitably mean an expanded attack surface for hackers.

In this scenario, security can’t be an afterthought or a ‘bolt on’ consideration. With the spread of ePHI across networks, web portals and mobile endpoints, the risk to healthcare providers is only set to increase. The only way to reduce the risk of a data breach or cyber-attack is to implement a holistic security strategy for healthcare environments – including streamlined privileged access control.

See also

• Healthcare providers: The route to digital transformation success
• The future for digitised healthcare
• Top 10 healthcare innovations for 2019

Our Global Advanced Threat landscape report also found that 52% of healthcare IT decision-makers don’t think they can prevent hackers from infiltrating their networks, putting customers’ PII at risk for 59% of them. The old approach of building ‘high walls’ to keep hackers away no longer works. Hackers will always find a way in – so healthcare organisations have to implement security tools that will assume attackers are already in to prevent them from gaining access to critical systems.

Tighter regulations, harsher penalties

Today’s regulatory environment is getting stricter while ransomware and other cyber attacks are gaining in momentum, making it difficult for IT teams to dodge hefty fines and ensure compliance.

But penalties are not the only threat for organisations. Operational costs for recovery can quickly add up after a breach – according to a Ponemon study, a healthcare data breach costs on average USD$380 per record – more than 2.5 times the global average across industries.

To show compliance with HIPAA HITECH, GDPR and other industry regulations now in place, healthcare companies must have access to documented, auditable proof of their efforts to protect privileged access at all costs. Audit trails demand a solution that enables comprehensive monitoring, recording and isolation of all privileged user sessions, detailed activity reports on critical ePHI databases and applications, fully searchable audit logs, and complete, multi-layered audit trail data protection.

How to deliver a modern, secure healthcare service

Privileged access management is crucial for healthcare companies to proactively protect against, detect and respond to attacks in progress before attackers wreak havoc. But managing privileges does not mean denying them – rather, it means controlling who has access to what and why. Managing privileged access is one component of a basic cyber security hygiene that can have a positive impact on an organisation’s overall security posture and compliance efforts.

Privileged access security can complement and work in tandem with existing security tools, allowing organisations to get more positive outcomes. It can provide automated, proactive, end-to-end detection and protection for all privileged access to systems containing ePHI. Privileged threat detection and analytics provides the ability to respond and remediate anomalous or high-risk activities. Monitoring the behaviour of privileged activity to ensure users are not disabling, circumventing or altering implemented security safeguards and controls is not only a best practice but often required by this new regulatory environment.

We are in an exciting age of innovative technologies. Apps, digitised systems and AI have the power to transform our healthcare system and improve patient care. But security has to come on this journey – from start to finish. Privileged access management is a much-needed step to secure healthcare organisations in the age of the ‘mass data breach’. With the right privileged access security steps set in place, a hacker’s capacity to escalate privileges and, in turn, access confidential information such as patient records will be mitigated. Too much is at stake if proper cyber hygiene is not woven into a healthcare organisation’s digital transformation.