SecureLink News

44% of Healthcare Organizations Don’t Have Full Visibility into Access and Permissions Assigned to Users and Third Parties

A recent study conducted by the Ponemon Institute on behalf of cybersecurity firm SecureLink has explored the state of third-party security and critical access management at healthcare organizations.

As with other industry sectors, remote access to internal systems is provided to third parties to allow them to perform essential business functions. Whenever a third party is provided with access, there is a risk that access rights will be abused. Credentials could also potentially be obtained by cyber threat actors and used for malicious purposes. While healthcare organizations are aware that providing access to third parties involves a degree of risk, in healthcare the level of risk is often underestimated.

The healthcare industry is extensively targeted by cyber actors: it experiences four times as many data breaches as other industry sectors, and the threat is growing. A recent Bitglass study suggests a 55% increase in healthcare data breaches in the United States during the pandemic.

SecureLink’s study, the results of which were published in the report, A Matter of Life and Death: The State of Critical Access Management in Healthcare, confirmed that many of those breaches involved third-party access to systems. 44% of healthcare and pharmaceutical organizations that responded to the survey said they had suffered at least one cybersecurity incident that was either directly or indirectly caused by a third-party partner.

Vendors and third parties supply many of the components that allow healthcare systems to function, and with so many third-party components the attack surface is large. Even though the risk of a third-party data breach is high, the survey revealed that only 41% of surveyed healthcare companies had a complete inventory of the third parties that have been provided with access to their networks.

“Now is a pivotal moment for improving critical access management, which is a vital step in monitoring and securing third-party access. Healthcare providers need to be armed with the information and tools to navigate the state of critical access management, mitigate future cyberattacks, and eliminate vulnerabilities that can threaten HIPAA and HITECH compliance,” said Daniel Fabbri, SecureLink Chief Data Scientist.

There is a clear need to improve critical access management in healthcare and strengthen security. The best place to start is the creation of a complete inventory of third parties with access to the network. SecureLink then recommends reviewing users and vendors based on the three pillars of critical access management: access governance, access controls, and access monitoring.

Access governance is concerned with regular reviews of user access to ensure access rights remain appropriate. This process can be delegated to staff members’ managers, as they are in the best position to determine what access is required. The principle of least privilege needs to be applied: individuals and third parties should only be provided with access to the systems and data required for them to complete their work duties. Reviews and restrictions are a requirement of HIPAA, which also requires policies and procedures to be implemented to ensure that access to patient data is terminated when it is no longer required. The current reality is that users and third parties are often given very broad access rights, which is risky. The survey revealed that 44% of healthcare and pharmaceutical organizations do not have full visibility into the level of access and permissions assigned to internal and external users.
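The three governance checks described above (least privilege against a role baseline, termination when the relationship ends, and periodic recertification by a manager), together with the inventory-completeness problem from the survey, can be run as a script over an entitlement inventory. The following is an added example written for this article, not SecureLink's code or a product feature; the role baselines, account names, dates and 90-day review window are constructed assumptions standing in for an organization's real identity data.

```python
"""Access-governance review over a constructed third-party entitlement inventory.

Added example, not SecureLink's code. ROLE_BASELINE, INVENTORY, REVIEW_WINDOW_DAYS
and the account names are constructed assumptions.
"""
from datetime import date, timedelta

# Assumed least-privilege baseline: the only entitlements each role needs.
ROLE_BASELINE = {
    "billing-vendor": {"billing-db:read"},
    "imaging-vendor": {"pacs:read", "pacs:write"},
    "nurse": {"ehr:read", "ehr:write"},
}

# Constructed inventory: one entry per account that has been granted network access.
INVENTORY = [
    {"account": "v-billco-01", "role": "billing-vendor", "third_party": True,
     "entitlements": {"billing-db:read", "ehr:read"},      # ehr:read exceeds the baseline
     "last_review": "2021-01-10", "contract_end": "2022-12-31"},
    {"account": "v-xray-02", "role": "imaging-vendor", "third_party": True,
     "entitlements": {"pacs:read", "pacs:write"},
     "last_review": "2021-06-01", "contract_end": "2021-05-31"},  # contract already ended
    {"account": "jdoe", "role": "nurse", "third_party": False,
     "entitlements": {"ehr:read", "ehr:write"},
     "last_review": "2021-06-15", "contract_end": None},
]

REVIEW_WINDOW_DAYS = 90   # assumed recertification cadence


def review_access(inventory, today_iso, baseline=ROLE_BASELINE, window_days=REVIEW_WINDOW_DAYS):
    """Return findings as (account, finding, detail) tuples for the manager review."""
    today = date.fromisoformat(today_iso)
    window = timedelta(days=window_days)
    findings = []
    for acct in inventory:
        name = acct["account"]
        # Least privilege: anything beyond the role baseline needs justification or removal.
        excess = acct["entitlements"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((name, "excess-entitlement", sorted(excess)))
        # Termination: access must end when the business relationship ends.
        end = acct["contract_end"]
        if end is not None and date.fromisoformat(end) < today:
            findings.append((name, "terminate", f"contract ended {end}"))
        # Recertification: access not reviewed within the window goes back to the manager.
        if today - date.fromisoformat(acct["last_review"]) > window:
            findings.append((name, "recertify", f"last reviewed {acct['last_review']}"))
    return findings


def accounts_missing_from_inventory(observed_accounts, inventory=INVENTORY):
    """Accounts seen connecting (e.g. in remote-access logs) that the inventory does not know about."""
    known = {a["account"] for a in inventory}
    return sorted(set(observed_accounts) - known)


if __name__ == "__main__":
    for finding in review_access(INVENTORY, "2021-07-01"):
        print(finding)
    print("unregistered:", accounts_missing_from_inventory(["jdoe", "v-unknown-09"]))
```

Run against the constructed data with a review date of 2021-07-01, the script flags the billing vendor's excess EHR entitlement and overdue recertification, flags the imaging vendor for termination because its contract has ended, and reports any account observed connecting that is absent from the inventory.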

Access controls need to be put in place to limit the data and systems that can be accessed by third parties. Access controls do not change the access rights an individual has been granted; rather, they give organizations greater control over how users and third parties are able to use (or abuse) those rights. Access controls should include zero-trust network access (ZTNA) solutions, which can help to prevent lateral movement in the event that credentials are compromised.

Access monitoring is vital for security and HIPAA compliance. Organizations need visibility into the actions of privileged users and must be able to identify what those users have done, or are doing, while logged in. All interactions with ePHI must be logged and regularly reviewed to identify suspicious activity, but given the huge number of user interactions each day, this can be an overwhelming task. 60% of respondents said they thought managing third-party permissions and remote access to their systems would be overwhelming and a drain on internal resources, even though doing so is vital for reducing risk. The only way to effectively monitor for suspicious activity is through the use of machine learning systems, which can sift through all interactions, determine which events have no clinical relevance, and flag those instances for manual review. While access monitoring may not prevent a breach, it will ensure that unauthorized activity is identified promptly. It is all too common for insider data breaches to go undetected for months because of poor access monitoring.
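The review step described above, singling out ePHI accesses with no clinical basis from a large volume of routine ones, can be illustrated with simple rules before any machine learning is involved. The following is an added example written for this article, not SecureLink's code: the log format, the care-team relationship map, the off-hours window and the bulk-access threshold are constructed assumptions, and the log lines are constructed rather than taken from any real system. A real deployment would read the EHR's audit log and an authoritative treatment-relationship source.

```python
"""Flag ePHI access events with no apparent clinical basis in a constructed audit log.

Added example, not SecureLink's code. CARE_TEAM, THIRD_PARTY, OFF_HOURS,
BULK_THRESHOLD and SAMPLE_LOG are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed treatment/billing relationships: patient -> accounts with a reason to view the record.
CARE_TEAM = {
    "P1001": {"jdoe", "v-billco-01"},
    "P1002": {"jdoe"},
    "P1003": {"asmith"},
    "P1004": {"asmith"},
}
THIRD_PARTY = {"v-billco-01", "v-xray-02"}   # vendor accounts under review
OFF_HOURS = (22, 6)       # assumed: 22:00 to 06:00 is outside vendor support hours
BULK_THRESHOLD = 3        # assumed: more than 3 distinct patients per account is unusual

# Constructed sample log: "<ISO timestamp> key=value ...", one event per line.
SAMPLE_LOG = """\
2021-06-14T09:10:05 user=jdoe action=view patient=P1001
2021-06-14T09:12:40 user=v-billco-01 action=view patient=P1001
2021-06-14T23:05:11 user=v-billco-01 action=view patient=P1002
2021-06-14T10:30:00 user=asmith action=view patient=P1003
2021-06-14T10:31:00 user=asmith action=view patient=P1001
2021-06-14T10:32:00 user=asmith action=view patient=P1002
2021-06-14T10:33:00 user=asmith action=view patient=P1004
"""


def parse_line(line):
    """Split one log line into a dict with a datetime under 'ts' and the key=value fields."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def flag_events(log_text):
    """Return (line_or_user, reason) findings for manual review."""
    findings = []
    patients_seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, patient = rec["user"], rec["patient"]
        patients_seen[user].add(patient)
        # No treatment or billing relationship: the core "no clinical relevance" signal.
        if user not in CARE_TEAM.get(patient, set()):
            findings.append((line, "no-clinical-relationship"))
        # Vendor activity outside agreed support hours deserves a second look.
        if user in THIRD_PARTY and is_off_hours(rec["ts"]):
            findings.append((line, "third-party-off-hours"))
    # Many distinct records from one account in the window suggests browsing or bulk export.
    for user, patients in patients_seen.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append((user, "bulk-access"))
    return findings


if __name__ == "__main__":
    for item, reason in flag_events(SAMPLE_LOG):
        print(f"{reason:26} {item}")
```

On the constructed log this surfaces the billing vendor's late-night view of a patient it has no relationship with (two findings on one line), two views by the clinician asmith of patients outside her care list, and a bulk-access finding for asmith's four distinct records; the routine events generate nothing, which is the point of narrowing the review to exceptions.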

The post 44% of Healthcare Organizations Don’t Have Full Visibility into Access and Permissions Assigned to Users and Third Parties appeared first on HIPAA Journal.

Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days when paper files were still stored in cabinets and sensitive information was generally delivered by hand or, if you were really sophisticated, sent via a fax machine.

Fast forward almost 25 years and, unsurprisingly, the healthcare industry looks completely different, although some organizations do still use fax machines. Everything is now stored on computers and transmitted over the internet, which has brought obvious gains in efficiency, but with them comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that expose highly sensitive personal health information. And not just any type of data breach: these are the ones tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage.

A hacker can quickly access hundreds of patient files and cause widespread damage, including a release of private information, deletion of crucial health reports, large-scale identity theft, and the increasingly popular route of ransomware.

Gone are the days when healthcare companies only had to deal with issues related to patient care; they now find themselves grappling with complicated cybersecurity issues far outside the medical space.

Considering the risks of HIPAA noncompliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. To fully protect patients, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain the most updated data security measures.

How to Restrict Vendor Access

Who has access to the patients’ information, how are they accessing the information, and how much access do they have (or should they have)? These are crucial questions for any technology vendor.

First, each member of the IT team should have only the level of access required to ensure both HIPAA compliance and data security, including restrictions on time, scope, and job function. Each vendor rep should use a unique username and password to log into the system and go through multi-level authentication that’s attached to their identities. On top of that, an automatic logoff upon a short period of inactivity can prevent unauthorized access under another’s credentials.

Why Auditable Reports are Necessary

An automatic audit system permits healthcare companies to screen for unauthorized access and to trace the source of a data breach. An effective audit system maintains detailed login information for every support connection and delivers a complete history of every login, including time, place, personnel, and scope of access to patients’ records and other sensitive information.
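The controls in the two sections above (a unique identity per vendor representative, authentication tied to that identity, scoped access, automatic logoff after a short idle period) and the audit trail this section calls for fit together in one session-tracking component. The following is an added example written for this article, not SecureLink's platform code: the ten-minute idle limit, the audit record layout, the account names, addresses and the timeline in `demo()` are constructed assumptions, and the MFA result is passed in as a flag rather than performed.

```python
"""Vendor session tracking with scoped access, idle logoff and an append-only audit trail.

Added example, not SecureLink's code. IDLE_TIMEOUT, the record layout and the
demo() timeline are constructed assumptions; mfa_ok stands in for a real MFA check.
"""
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)   # assumed inactivity limit before automatic logoff


class SessionAudit:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.active = {}      # session id -> live session state
        self.log = []         # append-only audit records: time, who, where, scope, what
        self._next_id = 1

    def _record(self, event, sid, at, **extra):
        entry = {"event": event, "session": sid, "time": at.isoformat(), **extra}
        self.log.append(entry)
        return entry

    def login(self, user, source_ip, scope, at, mfa_ok):
        """Open a session only after MFA succeeded; scope names the systems this rep may touch."""
        if not mfa_ok:
            self._record("login-denied", None, at, user=user, source=source_ip, reason="mfa-failed")
            return None
        # A second live session from a different address is a credential-sharing signal.
        for s in self.active.values():
            if s["user"] == user and s["source"] != source_ip:
                self._record("concurrent-login", None, at, user=user,
                             source=source_ip, other_source=s["source"])
        sid = self._next_id
        self._next_id += 1
        self.active[sid] = {"user": user, "source": source_ip, "scope": set(scope), "last": at}
        self._record("login", sid, at, user=user, source=source_ip, scope=sorted(scope))
        return sid

    def touch(self, sid, at, resource):
        """Record an access; an idle session is logged off instead, an out-of-scope one is refused."""
        s = self.active.get(sid)
        if s is None:
            return False
        if at - s["last"] > self.idle_timeout:
            self.logout(sid, at, reason="idle-timeout")
            return False
        if resource not in s["scope"]:
            self._record("out-of-scope", sid, at, user=s["user"], resource=resource)
            return False
        s["last"] = at
        self._record("access", sid, at, user=s["user"], resource=resource)
        return True

    def logout(self, sid, at, reason="user"):
        s = self.active.pop(sid, None)
        if s is not None:
            self._record("logout", sid, at, user=s["user"], reason=reason)

    def history(self, user):
        """Complete history for one account: every event with its time, source, session and scope."""
        return [e for e in self.log if e.get("user") == user]


def demo():
    """Constructed timeline exercising each control; returns the audit object."""
    audit = SessionAudit()
    t0 = datetime(2021, 6, 14, 9, 0)
    sid = audit.login("v-billco-01", "203.0.113.5", {"billing-db"}, t0, mfa_ok=True)
    audit.touch(sid, t0 + timedelta(minutes=2), "billing-db")   # allowed, in scope
    audit.touch(sid, t0 + timedelta(minutes=3), "ehr")          # refused, out of scope
    audit.touch(sid, t0 + timedelta(minutes=20), "billing-db")  # idle 18 min: automatic logoff
    audit.login("v-billco-01", "198.51.100.7", {"billing-db"}, t0 + timedelta(minutes=21), mfa_ok=False)
    # Same vendor identity live from two addresses at once gets a concurrent-login record.
    audit.login("v-xray-02", "203.0.113.9", {"pacs"}, t0, mfa_ok=True)
    audit.login("v-xray-02", "198.51.100.20", {"pacs"}, t0 + timedelta(minutes=1), mfa_ok=True)
    return audit


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```

The per-account `history()` output is the "complete history of every login" the section describes; because every entry carries time, source address, session id and the scope granted at login, an investigator can reconstruct who connected, from where, to what, and why a session ended.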

These reports are not only necessary for internal security purposes, but are integral for proving HIPAA compliance in relation to allowing vendors on your network.

The Importance of Data Integrity and Security

The weak link in data security generally occurs at the points of access and transmission. However, regular updates to security settings protect data from corruption and prevent a breach of data during transmission. To protect the data’s integrity and security, recommendations include customer control of configurable encryption, the Advanced Encryption Standard (AES) in 128-, 192-, and 256-bit modes, and Triple DES (3DES), based on the Data Encryption Standard (DES).

Be Sure, Be Secure

Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for HIPAA compliance. If you’re worried about your vendors not having your compliance in mind, it is of the utmost importance to ensure you are vetting them before onboarding them, as well as checking in on them and doing an “audit” of some sort to make sure you have a ledger of all vendors.

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches. Know your vendors, why they’re connecting, and ensure compliance.

Author: Ellen Neveux, SecureLink

SecureLink provides a remote-access platform that reduces the risks associated with providing remote access to internal networks to vendors and clients.

The post Vendor Access and HIPAA Compliance: Are you Secured? appeared first on HIPAA Journal.