Healthcare Cybersecurity Starts with Identity and Access Security

Healthcare organizations are under attack, and the third-party vendors they work with have become a common threat vector. To mitigate risk and avoid potential health data breaches, HIPAA-covered entities need to take a hard look at identity and access security.

Findings from a joint survey with the Ponemon Institute indicate that 55% of healthcare organizations experienced a cyberattack caused by one of their third-party vendors in the last 12 months. That’s an 11% increase from 2021, which was already a record-breaking year for cyberattacks and ransomware on hospitals.

The healthcare industry has also had the highest average cost of a data breach for twelve years in a row. Just in the last year alone, the average cost of a cyberattack went from $9.23 million to over $10 million, according to IBM’s Cost of a Data Breach Report.

While these stats are alarming, healthcare organizations are hit with more than just a financial toll when they experience a data breach. They also deal with the impacts it has on patients and their protected health information.

The value of PHI

Protected health information (PHI) consists of an individual’s confidential and sensitive information—everything a bad actor needs to commit identity theft, and everything a hospital is trying to protect. It’s one of the most valuable pieces of information a cybercriminal can get their hands on, valued at up to $250 per record on the black market, so it’s no wonder they go to such great lengths to compromise healthcare security.

Cybercriminals will use a seemingly endless list of attack methods to compromise hospital networks, but two of the most common and effective methods are credential theft and third-party access.

Credential theft is costing healthcare organizations

Only 33% of healthcare organizations say they remove a third-party user’s credentials when appropriate.

Credentials are the keys to every door that leads to PHI. They are what separates an authorized digital identity from an unauthorized one: only verified and authorized digital identities are granted privileged credentials to mission-critical systems, like EMR databases. So if an authorized user leaves an organization and those credentials are never revoked, they are “fair game” in the eyes of bad actors looking for exactly this kind of lingering password.

Once a bad actor obtains a leaked, shared, or compromised password, there is little to stop what they can do with the access it grants. Multiple hospitals have had to divert ambulances because their systems were down due to a cyberattack. Mortality rates are increasing as a result of hacks on healthcare networks. And patients are experiencing more complications from medical procedures — all because of ransomware and cyberattacks. When credentials aren’t protected, rotated, and securely stored, it’s not just digital identities that are affected — it’s the identities and lives of patients.
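The un-revoked credential problem described above is, in practice, a reconciliation problem: the identity store knows which external accounts are still active, and the vendor-management roster knows which engagements are still running. The script below is an added example, not code from the original article or from any product it describes. It uses constructed account and engagement records and hypothetical usernames, and flags every third-party account whose engagement has ended, was never recorded, or has gone idle for longer than a chosen threshold, listing privileged accounts first.

```python
"""Added example (constructed data): find third-party credentials that should
have been revoked, by reconciling active external accounts against the vendor
engagement roster."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    vendor: str
    last_login: Optional[date]
    privileged: bool  # holds credentials to systems such as the EMR database


@dataclass(frozen=True)
class Engagement:
    vendor: str
    username: str
    ends: date  # contract or project end date from the vendor-management system


def stale_accounts(accounts, engagements, today, max_idle_days=90):
    """Return (account, reason) pairs for credentials that should be revoked."""
    active_end = {(e.vendor, e.username): e.ends for e in engagements}
    findings: List[Tuple[Account, str]] = []
    for acct in accounts:
        end = active_end.get((acct.vendor, acct.username))
        if end is None:
            findings.append((acct, "no engagement on record"))
        elif end < today:
            findings.append((acct, f"engagement ended {end.isoformat()}"))
        elif acct.last_login is None or (today - acct.last_login).days > max_idle_days:
            findings.append((acct, f"idle for more than {max_idle_days} days"))
    # Privileged accounts first: these are the keys to the PHI systems.
    findings.sort(key=lambda f: (not f[0].privileged, f[0].username))
    return findings


# Constructed sample data; every name below is hypothetical.
TODAY = date(2023, 3, 1)
ACCOUNTS = [
    Account("svc-radiology-vendor", "RadCo", date(2023, 2, 27), True),   # in good standing
    Account("jdoe-ext", "BillingCo", date(2022, 11, 1), True),           # engagement ended
    Account("tmp-hvac", "FacilitiesCo", None, False),                    # never recorded
    Account("mlee-ext", "RadCo", date(2022, 10, 15), False),             # active but idle
]
ENGAGEMENTS = [
    Engagement("RadCo", "svc-radiology-vendor", date(2023, 12, 31)),
    Engagement("BillingCo", "jdoe-ext", date(2022, 12, 31)),
    Engagement("RadCo", "mlee-ext", date(2023, 6, 30)),
]


def revocation_report(today=TODAY):
    """Usernames and reasons, in the order the offboarding team should act on them."""
    return [(a.username, reason) for a, reason in stale_accounts(ACCOUNTS, ENGAGEMENTS, today)]


if __name__ == "__main__":
    for username, reason in revocation_report():
        print(f"revoke {username}: {reason}")
```

In a real deployment the two inputs would come from the identity provider's user export and the contract or vendor-management system; the point of the check is that neither source alone can answer "should this credential still exist".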

Healthcare organizations aren’t securing third-party vendor access

Hackers are highly effective at using third-party remote access to breach hospital networks. And our work with the Ponemon Institute shows that healthcare organizations lack confidence in their ability to root out these kinds of threats. Around two-thirds of respondents to our second annual survey don’t feel they are highly effective at mitigating them.

Healthcare IT teams aren’t taking the proper precautions to secure the exact routes bad actors are taking into their systems. Over half of organizations are unable to restrict a third party’s access to only what it needs to perform a job and nothing more. This type of access control, based on the principle of least privilege, stops bad actors in their tracks if they breach a healthcare network.

Forty-nine percent of organizations also aren’t monitoring third-party access. In an industry like healthcare, monitoring access is critical to protecting PHI. Patient privacy monitoring is one of the most effective methods to ensure user access is authorized and appropriate. Access monitoring workflows detect anomalies, notify security and privacy teams of suspicious activity, and analyze user behavior to detect and prevent similar threats. Without these procedures in place, significant security gaps still exist, and that’s just enough for a hacker to exploit.
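The least-privilege restriction from the previous section and the access-monitoring workflow described here can be expressed as one policy applied to third-party access events. The script below is an added example, not code from the original article or from any product it describes. It uses a constructed per-account policy (allowed systems, an approved access window, and a ceiling on distinct patient records per hour) and a constructed event-log format with hypothetical usernames, and reports out-of-scope system access, access outside the window, unknown external accounts, and record-volume anomalies of the kind patient privacy monitoring looks for.

```python
"""Added example (constructed data): a least-privilege policy check and an
access-monitoring pass over third-party access events."""
import re
from collections import defaultdict
from datetime import datetime

# One event per line; the format is constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Per-account entitlements (hypothetical): the systems a vendor needs for its
# job and nothing more, the approved access window in local hours, and a
# volume ceiling that separates routine work from record snooping.
POLICY = {
    "svc-radiology-vendor": {"systems": {"PACS"}, "hours": (6, 20), "max_patients_per_hour": 25},
    "jdoe-ext": {"systems": {"Billing"}, "hours": (8, 18), "max_patients_per_hour": 50},
}


def parse_event(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(lines, policy):
    """Return (account, reason) findings for events that violate policy."""
    findings = []
    per_hour = defaultdict(set)  # (user, hour bucket) -> distinct patient ids
    for ev in (parse_event(line) for line in lines):
        rule = policy.get(ev["user"])
        if rule is None:
            # An external account with no entitlement record is itself a finding.
            findings.append((ev["user"], "no policy (unknown third-party account)"))
            continue
        if ev["system"] not in rule["systems"]:
            findings.append((ev["user"], f"out-of-scope system {ev['system']}"))
        start, end = rule["hours"]
        if not start <= ev["ts"].hour < end:
            findings.append((ev["user"], f"access outside approved window at {ev['ts'].isoformat()}"))
        per_hour[(ev["user"], ev["ts"].replace(minute=0, second=0))].add(ev["patient"])
    for (user, hour), patients in per_hour.items():
        ceiling = policy[user]["max_patients_per_hour"]
        if len(patients) > ceiling:
            findings.append((user, f"{len(patients)} distinct patient records in hour "
                                   f"starting {hour.isoformat()} (ceiling {ceiling})"))
    return findings


# Constructed sample events: one routine read, one out-of-scope and after-hours
# read, one unknown account, and a burst of 30 records from one account.
SAMPLE_LOG = [
    "2023-03-01T09:05:11Z user=svc-radiology-vendor system=PACS patient=P1001 action=read",
    "2023-03-01T02:14:07Z user=jdoe-ext system=EMR patient=P1007 action=read",
    "2023-03-01T11:30:00Z user=contractor9 system=EMR patient=P1010 action=read",
] + [
    f"2023-03-01T10:{i:02d}:00Z user=svc-radiology-vendor system=PACS patient=P{2000 + i} action=read"
    for i in range(30)
]


def run_demo():
    return analyze(SAMPLE_LOG, POLICY)


if __name__ == "__main__":
    for user, reason in run_demo():
        print(f"{user}: {reason}")
```

The per-event checks implement the "just what they need" restriction; the per-hour aggregation is the behavioural part, since a vendor account reading far more patient records than its job plausibly requires is the signal that a privacy team needs to see even when every individual read was technically permitted.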

How healthcare organizations can secure identities and third-party access

The problem is clear: credentials and third-party access are the all-too-common methods attackers are using to attack healthcare facilities. The solution lies in locking down digital identities and consolidating user access.

Securing digital identities

Nurses, doctors, and hospital staff are all trusted identities within a healthcare setting. But we’re in an evolving digital landscape where no digital identity can be trusted. This introduces conflict within a healthcare IT environment when immediate and urgent access is needed. There’s no time to authenticate and verify when a patient’s life could be on the line.

Instead of limiting the access of hospital staff, healthcare organizations can secure digital identities by automating the authentication protocol within healthcare systems. Automated workflows like SSO, identity management, and identity governance tools vet a digital identity at the start of its user lifecycle and, through authentication, ensure that only that verified identity is granted privileged credentials and access to PHI.

Securing third-party access

The future of access is consolidation, especially when it comes to managing internal and external user access. Healthcare organizations are all too often forced to grant network access through whatever connectivity method each vendor happens to use.

The most effective way to apply access controls and keep track of your third-party users is by consolidating the various connectivity methods used by your vendors. Streamlining remote access gives healthcare teams the ability to manage, restrict, and monitor all third-party user access from one comprehensive platform.

This article was originally published in HealthIT Security.