A recent study conducted by the Ponemon Institute on behalf of cybersecurity firm SecureLink has explored the state of third-party security and critical access management at healthcare organizations.
As with other industry sectors, remote access to internal systems is provided to third parties to allow them to perform essential business functions. Whenever a third party is provided with access, there is a risk that access rights will be abused. Credentials could also potentially be obtained by cyber threat actors and used for malicious purposes. While healthcare organizations are aware that providing access to third parties involves a degree of risk, in healthcare the level of risk is often underestimated.
The healthcare industry is extensively targeted by cyber actors: it experiences four times as many data breaches as other industry sectors, and the threat is growing. A recent Bitglass study suggests a 55% increase in healthcare data breaches in the United States during the pandemic.
SecureLink’s study, the results of which were published in the report, A Matter of Life and Death: The State of Critical Access Management in Healthcare, confirmed that many of those breaches involved third-party access to systems. 44% of healthcare and pharmaceutical organizations that responded to the survey said they had suffered at least one cybersecurity incident that was either directly or indirectly caused by a third-party partner.
Vendors and third parties supply many of the components that allow healthcare systems to function, and with so many third-party components the attack surface is large. Even though the risk of a third-party data breach is high, the survey revealed that only 41% of surveyed healthcare companies had a complete inventory of the third parties that have been provided with access to their networks.
“Now is a pivotal moment for improving critical access management, which is a vital step in monitoring and securing third-party access. Healthcare providers need to be armed with the information and tools to navigate the state of critical access management, mitigate future cyberattacks, and eliminate vulnerabilities that can threaten HIPAA and HITECH compliance,” said Daniel Fabbri, SecureLink Chief Data Scientist.
There is a clear need to improve critical access management in healthcare and strengthen security. The best place to start is the creation of a complete inventory of third parties with access to the network. SecureLink then recommends reviewing users and vendors based on the three pillars of critical access management: access governance, access controls, and access monitoring.
Access governance is concerned with regular reviews of user access to ensure access rights are appropriate. This process can be delegated to staff members’ managers, as they are in the best position to determine what access is required. The principle of least privilege needs to be applied – individuals and third parties should only be provided with access to the systems and data that are required for them to complete their work duties. Reviews and restrictions are a requirement of HIPAA, which also requires policies and procedures to be implemented to ensure access to patient data is terminated when it is no longer required. The current reality is that users and third parties are often given very broad access rights, which is risky. The survey revealed that 44% of healthcare and pharmaceutical organizations do not have full visibility into the level of access and permissions assigned to internal and external users.
Access controls need to be put in place to limit the data and systems that can be accessed by third parties. Access controls do not change an individual's access rights; instead, they give organizations greater control over how users and third parties are able to use (or abuse) those rights. Access controls should include employing zero-trust network access (ZTNA) solutions, which can help to prevent lateral movement in the event of credentials being compromised.
Access monitoring is vital for security and HIPAA compliance. Organizations need to have visibility into the actions of privileged users and must be able to identify what those users have done or are doing while logged in. All interactions with ePHI must be logged and regularly reviewed to identify suspicious activity, but given the huge number of interactions by users on a daily basis, this can be an overwhelming task. 60% of respondents said they thought managing third-party permissions and remote access to their systems would be overwhelming and a drain on internal resources, even though doing so is vital for reducing risk. The only way to effectively monitor for suspicious activity is through the use of machine learning systems. These systems can sift through all interactions, determine which events have no clinical relevance, and flag those instances for manual review. While access monitoring may not prevent a breach, it will ensure unauthorized activity is identified promptly. It is all too common for insider data breaches to go undetected for months because of poor access monitoring.
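The following is an added example, not code from the article or from SecureLink, showing how the three pillars above can be applied mechanically once a third-party inventory exists. It runs a simple access review over a constructed inventory of vendor grants and a handful of constructed remote-access log lines: governance findings (accounts active but missing from the inventory, access after a grant's expiry, grants with no recent activity for the owning manager to re-confirm), control findings (access to a system outside the granted scope), and monitoring findings (events flagged for manual review). The vendor names, system names, log format and the off-hours heuristic used in place of a machine-learning classifier are all assumptions made for illustration.

```python
"""Added example (not the article's or SecureLink's code): a minimal third-party
access review over constructed inventory records and access-log lines.
Every vendor, system, timestamp and threshold below is constructed/assumed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Grant:
    vendor: str            # third-party account name (assumed)
    systems: frozenset     # systems the vendor is permitted to reach
    expires: date          # date the grant must be re-approved or terminated
    owner: str             # manager responsible for the periodic review


# Constructed third-party inventory (hypothetical vendors and systems).
INVENTORY = [
    Grant("imaging-vendor", frozenset({"pacs"}), date(2022, 12, 31), "radiology-mgr"),
    Grant("billing-vendor", frozenset({"billing"}), date(2021, 6, 30), "finance-mgr"),
    Grant("hvac-vendor", frozenset({"bms"}), date(2023, 1, 31), "facilities-mgr"),
]

# Constructed remote-access log: "<ISO timestamp> <account> <system> <action>".
ACCESS_LOG = """\
2021-09-01T02:14:00 imaging-vendor pacs read
2021-09-01T02:16:00 imaging-vendor ehr read
2021-09-02T11:05:00 billing-vendor billing read
2021-09-03T09:00:00 labs-vendor lis read
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, system, action)."""
    events = []
    for line in text.splitlines():
        ts, account, system, action = line.split()
        events.append((datetime.fromisoformat(ts), account, system, action))
    return events


def review(inventory, log_text, review_date, dormant_after=timedelta(days=90),
           business_hours=(6, 20)):
    """Return findings grouped by pillar: governance, controls, monitoring.

    review_date is an ISO date string (the day the review is run).
    The off-hours check is a deliberately simple stand-in for the
    clinical-relevance scoring the article attributes to ML systems.
    """
    today = date.fromisoformat(review_date)
    grants = {g.vendor: g for g in inventory}
    findings = {"governance": [], "controls": [], "monitoring": []}
    last_seen = {}

    for ts, account, system, action in parse_log(log_text):
        last_seen[account] = max(last_seen.get(account, ts), ts)
        grant = grants.get(account)
        if grant is None:
            # Governance: activity from an account nobody has inventoried.
            findings["governance"].append(
                f"{account}: active on {ts.date()} but not in third-party inventory")
            continue
        if ts.date() > grant.expires:
            # Governance: access continued after the grant should have ended.
            findings["governance"].append(
                f"{account}: access on {ts.date()} after grant expiry {grant.expires}")
        if system not in grant.systems:
            # Controls: least privilege violated, access outside granted scope.
            findings["controls"].append(
                f"{account}: accessed {system}, outside scope {sorted(grant.systems)}")
        start, end = business_hours
        if not (start <= ts.hour < end):
            # Monitoring: flag for manual review rather than auto-block.
            findings["monitoring"].append(
                f"{account}: {action} on {system} at {ts.isoformat()} (off-hours)")

    # Governance: grants with no activity in the window should be re-confirmed
    # by the owning manager, or terminated if no longer required.
    for vendor, grant in grants.items():
        seen = last_seen.get(vendor)
        if seen is None or today - seen.date() > dormant_after:
            findings["governance"].append(
                f"{vendor}: no activity within {dormant_after.days} days; "
                f"owner {grant.owner} to confirm the grant is still needed")
    return findings


if __name__ == "__main__":
    for pillar, items in review(INVENTORY, ACCESS_LOG, "2021-09-30").items():
        print(pillar.upper())
        for item in items:
            print("  -", item)
```

On the constructed data the review reports three governance findings (an expired billing grant still in use, an uninventoried lab vendor, and a dormant HVAC grant), one scope violation (the imaging vendor reaching the EHR), and two off-hours events queued for manual review; in practice the log parser would read the remote-access gateway's own records and the owner field would drive the manager-delegated review the article describes.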