According to recent research by the Identity Defined Security Alliance, 78 percent of healthcare organizations surveyed reported an identity-related breach in the last two years, and the industry has suffered an unprecedented number of ransomware attacks in the last year. Through a “zero-trust” approach enabled by identity-defined security strategies, healthcare CISOs have an opportunity to improve security, better serve customers and develop competitive advantages.
Zero trust has been at the center of security discussions in the healthcare space for the past few years, and with good reason. The sheer number of users seeking access to critical information and systems has made trust a dangerous commodity. Physicians frequently want their office workers to have the same level of privileges that they do to obtain a patient's information. Other times, the payer community wants access to information, and health organizations need to ensure they are permitted to see only the appropriate data.
For these reasons, controlling access is an essential part of an identity-defined security strategy. IT leaders at healthcare organizations need a deep understanding of the access needs of their frontline clinical staff, as well as of the array of partners and others who need access to systems and information. The sheer number of accounts creates a long list of targets for spear-phishing attacks, which remain a favorite tool of threat actors.
One of the key defenses against phishing and credential abuse is multifactor authentication (MFA). Before implementing MFA, there should be an extensive analysis of the organization's IT infrastructure. IT decision-makers should move slowly to ensure they know what access points need to be protected and what software and applications will be impacted.
Another deciding factor in these discussions should be how much user friction employees are willing to accept when accessing different systems. Keep user-friendliness in mind when choosing the form of MFA, whether that is a combination of biometrics and passwords, passwords and security tokens, or something else. The more friction users face, the more pushback there will be. Whatever solution is chosen should ideally be context-aware: it should take into account the user's location, the time of day the request is made, and the application or system the user is asking to access, so that access decisions become smarter and more granular.
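The context-aware decision described above can be expressed as a small policy engine. The following is an added example, not code from the original article or from any product; the applications, locations, factor names, business-hours window and risk thresholds are all constructed assumptions. It scores each request on the three signals the paragraph names (where the user is, when they ask, and which application they want) and returns allow, step-up (ask for a stronger second factor) or deny.

```python
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import FrozenSet


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # access pending a stronger second factor
    DENY = "deny"         # block and raise an alert for review


@dataclass(frozen=True)
class AccessRequest:
    user: str
    application: str              # constructed names, e.g. "ehr", "scheduling"
    location: str                 # assumption: "onsite" or "remote"
    request_time: time
    factors_presented: FrozenSet[str]   # e.g. {"password", "hardware_token"}


# Hypothetical policy tables (assumptions for this example).
PHI_APPLICATIONS = {"ehr", "billing"}            # systems that hold Protected Health Information
STRONG_FACTORS = {"hardware_token", "biometric"}  # phishing-resistant second factors
BUSINESS_HOURS = (time(6, 0), time(20, 0))        # local clinic hours, half-open interval


def risk_score(req: AccessRequest) -> int:
    """Add one point per risky signal; PHI systems weigh double."""
    score = 0
    if req.application in PHI_APPLICATIONS:
        score += 2
    if req.location != "onsite":
        score += 1
    start, end = BUSINESS_HOURS
    if not (start <= req.request_time < end):
        score += 1
    return score


def evaluate(req: AccessRequest) -> Decision:
    """Map a request's context and presented factors to an access decision."""
    if not req.factors_presented:
        return Decision.DENY
    has_strong = bool(req.factors_presented & STRONG_FACTORS)
    score = risk_score(req)
    if score == 0:
        # Non-PHI application, on site, during business hours: a single factor is acceptable.
        return Decision.ALLOW
    if score <= 2:
        # PHI on site in hours, or a non-PHI app with one risky signal: any second factor will do.
        return Decision.ALLOW if len(req.factors_presented) >= 2 else Decision.STEP_UP
    if score == 3:
        # PHI plus one risky signal: require a phishing-resistant factor.
        return Decision.ALLOW if has_strong else Decision.STEP_UP
    # score == 4: PHI, remote and off-hours. Only a strong factor is accepted;
    # weak factors here match the classic stolen-credential pattern, so deny and alert.
    return Decision.ALLOW if has_strong else Decision.DENY


if __name__ == "__main__":
    # Constructed sample requests to illustrate each branch.
    samples = [
        AccessRequest("clerk", "scheduling", "onsite", time(10, 0), frozenset({"password"})),
        AccessRequest("dr_a", "ehr", "onsite", time(10, 0), frozenset({"password"})),
        AccessRequest("dr_a", "ehr", "remote", time(23, 0), frozenset({"password", "sms_otp"})),
        AccessRequest("dr_a", "ehr", "remote", time(23, 0), frozenset({"password", "biometric"})),
    ]
    for req in samples:
        print(f"{req.user:6} {req.application:10} {req.location:6} "
              f"{req.request_time} -> {evaluate(req).value}")
```

The thresholds are illustrative; what matters is that the decision depends on the request's context, so the same user with the same password gets a different answer on site at noon than remotely at midnight, and that the denied case also produces an alert rather than silently failing.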
This level of granularity can be game-changing. Healthcare is one of the most regulated industries in the U.S. While not explicitly required by the Health Insurance Portability and Accountability Act (HIPAA), two-factor authentication perfectly fits the requirement to "limit unnecessary or inappropriate access to and disclosure of Protected Health Information."
MFA is also an important step toward zero-trust security. While zero trust has been discussed by security professionals in the healthcare space in recent years, the use of legacy systems in healthcare organizations often makes implementing zero-trust authentication models difficult. However, as organizations increase their adoption of cloud services, zero trust will likely become easier to implement. Doing so will not eliminate complications; for example, the mix of cloud applications and services being used will challenge visibility because they rely on infrastructure that is separate from the on-premises network. Organizations will have to establish continuous visibility into their environments to implement effective policy enforcement and segregation of data and users.
Another important component of zero trust is the enforcement of the principle of least privilege. Implementing least privilege effectively meets the requirements of HIPAA's minimum necessary standard. The endgame of this strategy is to minimize the attack surface. With the growth of cloud services, partners, and employees needing access, implementing a least privilege strategy alongside effective identity governance mitigates the types of cyber-attacks healthcare organizations face.
Further complicating the matter, advanced attackers are often interested in maintaining persistence in the environment and stealing information rather than simply encrypting and ransoming compromised systems and data. Their attack strategy will include targeting Active Directory. As a result, hardening it by adopting basic best practices, such as patch management, monitoring for misconfigurations, and cleaning up excessive privileges, is a vital part of defending the organization and implementing effective identity governance.
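The least-privilege review described in the two paragraphs above (accounts holding more than their role needs, and privileged directory accounts that are stale or not enrolled in MFA) can be automated as a periodic audit over an export of account data. This is an added example, not code from the article or from any directory product: the role baseline, the group names, the account records and the 90-day staleness threshold are all constructed assumptions, and a real deployment would feed it from the directory's own export instead of the inline list.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Built-in directory groups that carry domain-wide administrative power.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Hypothetical role baseline: the groups each job role is entitled to (the "minimum necessary").
ROLE_BASELINE: Dict[str, Set[str]] = {
    "physician": {"Clinical Staff", "EHR Users"},
    "front_desk": {"Scheduling Users"},
    "it_admin": {"IT Staff", "Domain Admins"},
    "service": set(),   # service accounts should hold no interactive privilege
}


@dataclass
class Account:
    name: str
    role: str
    groups: Set[str]
    days_since_logon: int
    mfa_enrolled: bool


@dataclass
class Finding:
    account: str
    issue: str
    detail: str


def audit(accounts: List[Account], stale_after_days: int = 90) -> List[Finding]:
    """Compare every account against its role baseline and flag privilege hygiene gaps."""
    findings: List[Finding] = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, set())
        excess = acct.groups - baseline
        if excess:
            findings.append(Finding(acct.name, "excess_groups", ", ".join(sorted(excess))))
        privileged = acct.groups & PRIVILEGED_GROUPS
        if privileged and not acct.mfa_enrolled:
            findings.append(Finding(acct.name, "privileged_without_mfa", ", ".join(sorted(privileged))))
        if privileged and acct.days_since_logon > stale_after_days:
            findings.append(Finding(acct.name, "stale_privileged", f"{acct.days_since_logon} days idle"))
        if privileged and acct.role == "service":
            findings.append(Finding(acct.name, "service_account_privileged", ", ".join(sorted(privileged))))
    return findings


def issues_for(findings: List[Finding], account: str) -> List[str]:
    """Sorted list of issue names raised against one account."""
    return sorted(f.issue for f in findings if f.account == account)


# Constructed sample export; none of these are real accounts.
CONSTRUCTED_ACCOUNTS = [
    Account("dr_smith", "physician", {"Clinical Staff", "EHR Users", "Domain Admins"}, 2, True),
    Account("jdoe", "front_desk", {"Scheduling Users", "EHR Users"}, 1, False),
    Account("adm_legacy", "it_admin", {"IT Staff", "Domain Admins"}, 200, False),
    Account("svc_backup", "service", {"Domain Admins"}, 1, False),
    Account("nurse_ok", "physician", {"Clinical Staff"}, 3, True),
]


def run_audit() -> List[Finding]:
    return audit(CONSTRUCTED_ACCOUNTS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.account:12} {f.issue:28} {f.detail}")
```

Each finding maps to a remediation the text already calls for: `excess_groups` is the cleanup of privileges beyond the role (the office worker holding physician-level access from the second paragraph is `jdoe` here), `privileged_without_mfa` and `stale_privileged` are the Active Directory hygiene items, and `service_account_privileged` is the misconfiguration that persistence-focused attackers look for once inside.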
On their own, endpoint security, network security, and security awareness training provide pieces of the puzzle healthcare organizations will need to complete to maintain the proper protection and compliance levels. While protecting healthcare organizations may never get less complex, focusing on a zero-trust approach backed by identity-defined security best practices will reduce risk and improve their cyber-security prognosis.
Heather Mills is the Manager of Security Risk Management at Community Health Systems.