The events of 2020 have exemplified how healthcare organizations need to work against a constant backdrop of change. On top of changes within the public health landscape, they also need to be prepared for evolving cybersecurity threats.
Whether facilitated through insider threat, external hacking, or employee negligence, all of the below pose serious risks to health organizations:
The healthcare industry is not unique in having to protect sensitive data from these threats. However, the nature of the industry makes it a high-profile target with a lot to potentially lose from breaches. This blog explores the reasons why, and explains why Privileged Access Management (PAM) is the best form of defense.
Like all sectors, healthcare has had to adapt to the digital and mobile era. There has been an increase in the use of electronic protected health information (ePHI) as well as rapid advances in technology. Mobile endpoints and self-service web portals have brought convenience to patients. And when you factor in patient data moving to cloud-based storage and the increase in IoT-enabled devices, you begin to paint the picture of a complex and connected network.
These advances in technology all have the power to transform healthcare for the better. They have also led to a much-expanded attack surface and target-rich environment for hackers. Unfortunately, hospitals often have outdated and unsupported software, as well as a cybersecurity skills shortage. This increases their appeal as targets for hackers.
The stakes are high when it comes to data breaches within the healthcare industry. Patient confidentiality has long been a central pillar of medicine, making this data particularly sensitive. And healthcare organizations deal with this sensitive data on a huge scale. Patient records have a lot of value on the dark web and black markets: a health record can fetch a similar fee to stolen credit card details.
There is plenty to be saved for healthcare organizations that invest in strong cybersecurity. According to a Ponemon Institute study, a healthcare data breach costs on average $380 per record. That’s more than 2.5 times the global average across industries. However, the nature of the healthcare industry means the ramifications can go beyond financial loss and breach of privacy.
In healthcare, loss of data can lead to a literal life or death situation. The loss of medical notes or access to a vital piece of equipment could have serious implications for a patient. Research from the University of Central Florida showed that data breaches increased a hospital’s 30-day mortality rate. The need to retrain staff, upgrade software, and make other operational changes can divert resources away from patient care.
In addition, healthcare organizations can face severe penalties for failing to comply with security regulations such as HIPAA, HITECH, and GDPR. Controlling privileged access is a key component of the expected security measures. Privileged Access Management (PAM) offers the most effective way to comply with regulations and protect healthcare organizations from mass data breaches.
Monitoring and auditing access to systems can be a challenge with employee churn and large numbers of systems and privileged data. The number and distributed nature of users within a healthcare organization make it difficult to effectively manage and monitor them. The larger and more complex a system becomes, the more privileged users are required. Privileged users can include:
A PAM system such as PAM4OT secures privileged accounts and allows healthcare organizations to proactively protect themselves. Controlling privileged access limits the moves a hacker can make after they have established a foothold in the network. This greatly diminishes their ability to move laterally within that network and access sensitive systems.
With the right privileged access security steps in place, a hacker's capacity to escalate privileges and access confidential information such as patient records is greatly reduced.
Hospitals across the US, UK, and Europe have been subject to various file encryption and data breach extortion schemes. For example, the 2017 WannaCry ransomware attack threw the UK’s NHS into chaos. Thousands of hospital computers and pieces of diagnostic equipment were hijacked, forcing doctors to manually carry lab results and cancel nearly 20,000 appointments.
In other cases, patient files were publicly leaked, presumed compromised, encrypted, and even deleted. These hacking incidents are varied in attack method, and there is no single solution to the problem. However, many attacks rely upon administrative access to execute – and these attacks are made much harder with a PAM system in place.
WALLIX Bastion offers comprehensive monitoring, recording, and isolation of all privileged user sessions. This helps with regulatory compliance by giving healthcare organizations documented, auditable proof of their efforts to protect privileged access. When the behavior of privileged users is monitored and managed by a PAM system, health organizations’ data becomes more secure. That’s why PAM needs to become a priority.
Learn more about securing privileged access to healthcare IT with WALLIX Bastion.