According to a recent study published by the Federal Trade Commission, U.S. consumers filed more than 650,000 fraud and identity theft complaints in 2005 alone. While many companies spend IT security dollars on solutions designed to keep intruders out, the companies fail to recognize the threat from within.
Ellen Libenson
Numerous reports published by the FBI and the Secret Service reveal that information theft by so-called "trusted users" is just as common—and in some cases, even more common—than security breaches perpetrated by external hackers. It is critical that hospitals, payers and other healthcare organizations implement reliable, secure solutions to control and manage access to sensitive information.
In many IT environments, administrators are often given the "super user" or "root" password. These serve as the virtual keys to the kingdom, providing administrators with complete access to the information contained on company UNIX and Linux servers. In an environment in which every administrator knows and shares the root password, there is equal opportunity and temptation for abuse of confidential patient records, financial data and other proprietary information.
For example, it is very common to find systems administrators sharing passwords with elevated privileges without considering the risk. For every server, operating system, device or application added to the network, there is a set of privileged accounts created by administrators to manage them. Each represents a security concern and a potential HIPAA roadblock.
Managing user access can be accomplished through methods similar to those used for managing end-user access control. Responsibilities for users with elevated privileges must be clearly defined, documented and enforced by a solution that enables organizations to selectively provide the functionality and privileges that the high-level administrative password provides without disclosing exactly what that password is.
Deploying an effective identity and access management solution enables companies to granularly delegate the level of access granted to each password, ensuring that staff members are only able to access servers and applications required to complete their tasks.
Effective identity and access management solutions require individuals to send specific requests for administrative rights. These systems can issue a password that only allows access to certain areas of the network and only for the amount of time needed to accomplish a given task. This creates an added layer of security by ensuring that even trusted IT administrators are granted limited access.
The best solutions for neutralizing the insider threat will also protect passwords from external hackers. Once an administrator completes the task at hand, the assigned password is reset automatically. For every request, a new administrator password is created, issued and deleted.
The best solutions also address accountability issues with limited user and super user passwords. Because there is no distinction between individuals using the root password on UNIX and Linux systems, when the administrator account is used, it is virtually impossible to assign individual accountability.
Comprehensive identity and access management solutions track user activity, creating event logs that capture detailed information about each task request. The most sophisticated solutions also capture keystrokes to provide organizations with a more complete view of the input and output during a specific session.
By implementing solutions that limit and control administrative access rights, monitor user activity and have real-time logging and alerting capabilities, organizations can ensure that patient information hasn't been altered, compromised or stolen.
