News Feature | August 26, 2015

Best Practices For Privileged Access Management In Healthcare

Christine Kern

By Christine Kern, contributing writer


How can healthcare organizations protect against breaches in PHI security?

According to Accellion, a Dimensional Research study shows that malicious insider fraud costs an organization more time and money to recover from than a denial-of-service or web-based attack. Employee behavior is in fact the most expensive vulnerability in enterprise mobile security, and combined with the increasingly sophisticated cyber threats facing the healthcare sector, these challenges are making privileged access management more critical, according to Sudhakar Gummadi, CISO at Molina Healthcare.

One important step in the process is to continuously assess data vulnerabilities, as Health IT Outcomes pointed out. William Massengill, CEO of Benson Area Medical Center, explained that beyond assuring that antivirus software and updates are current, “we assure that all employees are removed from our network immediately after they leave our employment.”

And Mark Kadrich, Chief Information Security & Privacy Officer at San Diego Health Connect, explained, “Part of the risk analysis needs to be an understanding of how PHI is made available to people and devices. A huge problem today is that many EHRs make it entirely too easy to access and upload this sensitive data. Providers need to add controls to their network to manage how PHI migrates off the EHR.”

To protect themselves, healthcare organizations need to strengthen authentication for privileged accounts and restrict what a privileged account can do for any particular use of that account.

According to Cisco, potentially dangerous employee behaviors include:

  • Unauthorized application use: 70 percent of IT professionals reported that the use of unauthorized programs resulted in as many as half of their companies’ data loss incidents.
  • Misuse of corporate computers: Almost half (44 percent) of employees admit that they share work devices with others without supervision.
  • Unauthorized physical and network access: 39 percent of IT professionals reported dealing with an employee accessing unauthorized parts of a company’s network or facility.
  • Remote worker security: Almost half (46 percent) of employees admitted that they transferred files between work and personal computers when working from home.
  • Misuse of passwords: 18 percent of employees share passwords with co-workers.

“Establishing controls around privileged access continues to be a focus of attention for organizations and auditors,” say Gartner analysts Felix Gaehtgens and Anmol Singh in the research firm’s Market Guide for Privileged Account Management. “Security leaders must be prepared to address the inventory, classification and use of privileged accounts.”

“A database administrator or an Active Directory domain administrator having full access was OK a few years back. But now, due to the whole threat landscape, that’s changed. So we need to have the controls in place ... on the endpoint, the servers, infrastructure, firewalls, routers, etc. ... Hackers look for the privileged access, and once they have the keys to the kingdom ... they can do whatever ... because those particular credentials provide full access,” Gummadi explained in an interview with Information Security Media Group.

“Privileged access needs to be controlled in your environment, and it should have checks and balances and only be given on a need-to-know basis. Good controls in place won’t eliminate the risk, but will minimize the risk.”

By limiting what specific actions a privileged user can take, organizations will not only be able to limit who has privileged access, but also dictate exactly what the user is able to do with that access. Far too many organizations, particularly in healthcare, are just concerned about limiting the number of privileged accounts they authorize for access.