Healthcare breaches are increasing. According to the 2022 Ponemon Institute report, not only did the number of overall third-party attacks increase, but 55% of healthcare organizations stated they experienced a breach in the last 12 months. While feelings aren’t facts, 63% stated they believe third-party breaches are increasing, which can of course affect spending, resources, and general anxiety within the organization.
While increasing attacks are certainly reason to ring the alarm, the report also showed that healthcare organizations, like hospital networks, are not taking the necessary, proactive steps to prevent these attacks. They just aren’t taking their medicine.
Healthcare Organizations Aren’t Taking Proper Precautions
Healthcare organizations rely on a lot of third parties, including third parties for managing software and hardware — everything from billing software to MRI machines — and they’re struggling to keep control of all that vendor access. 63% say managing third parties is overwhelming, and 57% stated that there is lack of oversight or governance with third parties. It makes sense. Healthcare organizations’ primary goal is treating patients, not overseeing cybersecurity. But the two realms are often related, and by not taking proactive steps, these organizations and networks are putting both at risk.
Beyond that overall management problem, only 49% stated that they monitor third parties and third-party access. Monitoring access is crucial for healthcare. Not only is monitoring a HIPAA requirement, but with an average organization seeing over a million EMR accesses a day, fine-grained access controls are hard to implement. That means proactive and reactive monitoring is a main method for organizations to make sure that access policies are being followed and that there is no nefarious or unauthorized access.
While it may be difficult for large healthcare networks to implement fine-grained access controls like multi-factor authentication for certain assets or notification-based sign-ons, they can execute governance best practices like least privilege access. Only 38% of healthcare organizations surveyed implement least privilege access. Least privilege access, the practice of ensuring that a user has only enough access to complete a task and nothing more, is a fairly basic governance policy that is simple to implement and prevents a lot of damage in case of an attack or simple human error. If the nurse in the ICU isn’t able to access the HR records of the staff in radiology, she can’t accidentally delete all the data, and a hacker can’t, through her access, steal all of it. Not implementing least privilege access not only highlights mismanagement around access points and critical assets, it vastly widens the attack surface.
But, like stitches on a bad cut, there are ways to repair these issues and move forward.
How Healthcare Can Heal Their Cybersecurity Strategies
What healthcare organizations need to do is focus on their access management, specifically their third-party management, and start taking small, tangible steps to get that access under control (literally and figuratively).
1. Identify key or critical access points and create an access governance policy for those points. We’ve written before about how to identify and evaluate access points, and while the process may be extensive, it’s crucial to understand where users are active and what identity governance and administration (IGA) policies need to be applied to make sure least privilege access is being followed and third parties are not granted too much access.
2. Take time to inventory third parties used and how they should be overseen and managed. If you don’t know what third parties are accessing your system, you’ll never be able to manage or control their access. While third parties can be transient and opaque compared to internal users, there are automated management solutions — like Enterprise Access — that allow organizations to identify, manage, and restrict third-party access to close that major gap.
3. Invest in an access monitoring system, preferably one with machine learning capabilities. As mentioned above, fine-grained access controls can be difficult to implement given the vast number of EMR accesses an organization sees in a single day. Therefore, monitoring is critical. But trying to monitor access manually can be tedious if not impossible, and can lead to missing an important instance or generating many false positives. Investing in access monitoring software will allow for efficient, accurate monitoring.
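To show what the monitoring in step 3 actually checks against the least privilege policy from step 1, here is an added example (not code from this article or from any vendor product it mentions): a small check that reads constructed EMR access log lines and flags every access that falls outside what a role or a contracted third party is allowed to touch. The log format, the role names, and the policy tables are assumptions made for the example.

```python
# Added example, not the article's or any vendor's code: a least-privilege check over
# constructed EMR access log lines. The policy tables and log format are assumptions.
from dataclasses import dataclass

# Hypothetical governance policy: resource types each role may touch, and the systems
# each third party is contracted for. Anything not listed is denied (least privilege).
ROLE_POLICY = {
    "icu_nurse": {"patient_chart", "medication_order"},
    "hr_staff": {"hr_record"},
}
THIRD_PARTY_POLICY = {
    "billing_vendor": {"billing_system"},
    "mri_vendor": {"mri_console"},
}

@dataclass(frozen=True)
class AccessEvent:
    user: str
    principal: str      # internal role, or vendor id for a third party
    third_party: bool
    resource_type: str
    action: str

def parse_line(line: str):
    """Parse a constructed log line 'user|principal|internal/vendor|resource|action'; None if malformed."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        return None
    user, principal, kind, resource_type, action = fields
    return AccessEvent(user, principal, kind == "vendor", resource_type, action)

def allowed(ev: AccessEvent) -> bool:
    """Allowed only if the policy explicitly lists this resource type for the principal."""
    policy = THIRD_PARTY_POLICY if ev.third_party else ROLE_POLICY
    return ev.resource_type in policy.get(ev.principal, set())

def find_violations(lines):
    """Events outside policy: what access monitoring should surface for review."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return [ev for ev in events if not allowed(ev)]

# Constructed sample log lines (not real data): one nurse, two vendors, one unknown vendor.
SAMPLE_LOG = """\
nurse01|icu_nurse|internal|patient_chart|read
nurse01|icu_nurse|internal|hr_record|delete
vend-bill|billing_vendor|vendor|billing_system|read
vend-mri|mri_vendor|vendor|patient_chart|read
contractor9|unknown_vendor|vendor|billing_system|read
""".splitlines()
```

Running find_violations(SAMPLE_LOG) flags the nurse's access to an HR record, the MRI vendor reading a patient chart, and the vendor with no policy entry at all, which is the third-party inventory gap from step 2 showing up in the logs.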