By Alon Nachmany, Field Chief Information Security Officer, AppViewX
Over the past few years, hospitals and healthcare systems have increasingly become a target for cybercriminals. In 2021, HIPAA Journal reported an average of 1.95 healthcare data breaches of 500 or more records per day – adding up to more than 700 a year – and the situation is only getting worse.
Because of previous attacks, potential threats, and the increased cyberthreat posed by the turmoil between Russia and Ukraine, the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a rare cyber “Shields Up” warning to the U.S. private sector, including healthcare organizations, noting that “every organization — large and small — must be prepared to respond to disruptive cyber activity.”
The American Hospital Association (AHA) is even warning U.S. hospitals about possible cyberattacks from Russia on U.S. healthcare IT systems due to rising tensions over the 2022 Russian invasion of Ukraine.
Unfortunately, the healthcare industry has historically lagged behind other industries in becoming cyber resilient. The target on its back is attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, valuable data, and the pressing need for medical practices and hospitals to pay ransoms quickly to regain access to their data.
Gone are the days when healthcare systems and hospitals exclusively guarded their data centers on-premises. With the introduction of the cloud and its various benefits, enterprises have increasingly adopted a hybrid approach to hosting their applications. In fact, most enterprises today use a hybrid strategy for their data centers, with an average of three or more different clouds driving various applications in their infrastructures. Herein lies the problem.
While Public Key Infrastructure (PKI) has traditionally been used in hospitals to secure sensitive patient records, there’s a need to keep new applications in wearable/remote IoT-enabled medical devices secure. With such devices capturing users’ health information and relaying it back to healthcare professionals by the minute, it is essential to ensure that the line of communication is not intercepted. It is also crucial to keep the device up to date via regular updates for optimum security. PKI makes this possible by providing a device identity and a layer of protection to medical devices. However, PKI alone is not enough.
With point-to-point encryption and strong authentication, digital certificates, or machine identities, are becoming more popular and more widely used within healthcare and hospitals, as they provide a safe environment for IoT devices to function and mitigate data leakage and hacking concerns. Digital identities authenticate software upgrades as well, making it tough for hackers to break into the network. The following are reasons why proper machine identity management is necessary for hospitals and healthcare systems.
High cost of data breaches
IBM reported that the average cost of healthcare data breaches can be as high as $7.13 million. Healthcare organizations hold a repository of sensitive patient information and assets. Identity and Access Management (IAM) helps organizations manage who has access to electronic medical records and aids in protecting critical patient data. A robust IAM solution helps keep tabs on the certificate infrastructure with real-time reporting and detailed dashboards with key metrics and statistics displayed for quick retrieval and action.
Regulatory and compliance controls
Regulatory mandates like the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, and even newer regulations like Electronic Prescribing for Controlled Substances (EPCS), require strong authentication procedures and granular access controls for data, devices, and applications. Healthcare organizations face severe challenges in implementing safe practices due to large record volumes, widespread use of telemetry, and third-party healthcare services like pathology labs, scan centers, healthcare insurance providers, and healthcare billing firms requiring access to patient records. Furthermore, healthcare organizations are among the biggest consumers of IoT devices, making them vulnerable to attacks. Hence, Machine Identity Management (MIM) programs that focus on the necessary periodic checks can help organizations avoid paying a hefty fine for non-compliance.
The growing importance of verifying identities
Multifactor authentication (MFA) tactics like passwords, time-based one-time passwords (TOTP), SMS, and single sign-on (SSO) help verify the identity and credibility of employees and patients before authenticating login attempts. Unfortunately, however, SMS MFA is no longer a viable sole option for keeping digital assets safe due to text-based cyberattacks dubbed “smishing.” Similar to phishing, the technique uses SMS and text messages instead of emails – and the number of cases has climbed over the past year, according to the Better Business Bureau (BBB). Additionally, SIM jacking – where thieves take control of someone’s phone number by tricking a carrier into transferring it to a new phone – is another attack technique that is rising in popularity because it can be used to bypass traditional MFA. In fact, AT&T contractors and a Verizon employee were recently charged with SIM swapping, revealing that stealing phone numbers to hack accounts is an easy task for those who know what they’re doing – and, as in this case, is sometimes an inside job.
To enhance the security of digital assets, hospitals and healthcare systems need to conduct frequent audits of their machine identities, which helps identify vulnerabilities like weak passwords and expired or rogue certificates. Knowing their certificates and keys helps prevent sudden outages, missed expirations, and potential security threats. With an audit trail in place, anomalies can be easily detected, isolated, and resolved, saving teams the effort of scanning the entire ecosystem for issues when a problem is detected.
Giving the right access to the right individual
Role-based access control (RBAC) ensures that the right staff and clinicians have the required access to specific systems and applications, thus reducing the risk of data exposure. While role-based hierarchies and approval processes aren’t anything new to the IT and security world, privileged access is something that organizations are still struggling with today. Healthcare organizations should therefore treat RBAC as a standard – a starting point for certificate management – that runs every certificate signing request or issuance call through the designated authorities. This prevents undocumented certificates, which can cause problems if they expire or are compromised while going undetected.
Reducing operational and IT burden
End-to-end automation helps reduce operational burden, boost productivity, and minimize human error. A comprehensive machine identity management solution helps users set up workflows for automated renewals, employ streamlined revocation and replacement processes, and take advantage of zero-touch endpoint provisioning procedures. This allows users to perform their tasks independently and securely, without involving any other department or the help desk. Users can set up tasks that automatically renew certificates when they near expiration, or custom workflows that revoke and reissue all the certificates issued by a particular certificate authority (CA). With automation, IT and security teams at healthcare organizations are no longer bogged down by repetitive, tedious, and mundane tasks. Their time is now available for more strategic, innovative work for the system.
Achieving Zero Trust security
With the number of hacking incidents continuing to climb, Zero Trust security is becoming a necessary priority for hospitals to secure their networks. However, as hospitals and healthcare systems have data and assets across distributed environments, it is more complex and challenging to properly secure each endpoint. In fact, more than 96% of today’s organizations are struggling to properly secure each endpoint and manage digital identities – and they’re overwhelmed. There are a few critical reasons why healthcare systems and hospitals today struggle with Certificate Lifecycle Management (CLM) and MIM, including:
- Lack of understanding of the entire certificate process, what it is, how it works and how it’s not going to “break” everything
- Lack of visibility into the certificate infrastructure
- Lack of control over certificate lifecycle processes
This is where automated CLM and MIM come in. Automating CLM – enrollment, provisioning, renewal, and revocation – helps streamline the entire process, keeps digital identities up to date, and effectively eliminates outages. Processes such as policy management and secure shell (SSH) key governance can also be automated for enhanced security.
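The periodic audit, the RBAC-governed issuance register, and the renewal automation described above can be combined into one inventory check. The example below is added here and is not code from the article or from AppViewX; the endpoint records, serial numbers, and the 30-day renewal window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the article): what a certificate-discovery
# scan of a few hospital endpoints might return, plus the serials that the
# RBAC-governed issuance workflow has on record.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
DISCOVERED = [
    {"cn": "ehr.hospital.example", "serial": "1001", "key_bits": 2048,
     "not_after": NOW + timedelta(days=200)},
    {"cn": "pacs.hospital.example", "serial": "1002", "key_bits": 2048,
     "not_after": NOW + timedelta(days=12)},          # inside renewal window
    {"cn": "legacy-lab.hospital.example", "serial": "1003", "key_bits": 1024,
     "not_after": NOW - timedelta(days=3)},           # expired and weak key
    {"cn": "pump-gw.hospital.example", "serial": "9999", "key_bits": 2048,
     "not_after": NOW + timedelta(days=300)},         # no issuance record
]
APPROVED_SERIALS = {"1001", "1002", "1003"}


def audit_certificates(discovered, approved_serials, now,
                       renew_within_days=30, min_key_bits=2048):
    """Return (cn, finding) pairs for every certificate needing attention:
    expired, inside the renewal window, weak key, or undocumented (found on
    an endpoint but never issued through the approved workflow)."""
    findings = []
    for cert in discovered:
        days_left = (cert["not_after"] - now).days
        if days_left < 0:
            findings.append((cert["cn"], "expired"))
        elif days_left <= renew_within_days:
            findings.append((cert["cn"], f"renew: expires in {days_left} days"))
        if cert["key_bits"] < min_key_bits:
            findings.append((cert["cn"], f"weak key: {cert['key_bits']} bits"))
        if cert["serial"] not in approved_serials:
            findings.append((cert["cn"], "undocumented: no issuance record"))
    return findings


def renewal_queue(discovered, lead_days=30):
    """Order certificates by the date automated renewal should start
    (not_after minus the lead time), earliest first."""
    queue = [(cert["not_after"] - timedelta(days=lead_days), cert["cn"])
             for cert in discovered]
    return sorted(queue)


if __name__ == "__main__":
    for cn, finding in audit_certificates(DISCOVERED, APPROVED_SERIALS, NOW):
        print(f"{cn}: {finding}")
    for start, cn in renewal_queue(DISCOVERED):
        print(f"{start.date()} renew {cn}")
```

In a real deployment the `DISCOVERED` list would come from a network scan or the CA's issuance log, and the approved-serial set from the change-approval system that RBAC routes every signing request through.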
Some of the key benefits of automation in managing certificates include:
- Stronger security by reviewing administrator access to digital identities
- Simplification of the adoption of HSMs to improve the protection of private keys
- Faster decommissioning of certificates to prevent unused certificates from being exploited by cybercriminals
Implementing end-to-end automation for certificate lifecycle management is the roadmap to achieving a Zero Trust framework, which is based on the principle of ‘trust no one, verify everything’.
Prioritizing security over convenience
With healthcare organizations moving to the cloud and undergoing digital transformation, MIM has become essential. Looking ahead, healthcare organizations should prioritize investing in a comprehensive and integrated MIM solution that delivers specialized support for healthcare applications. This will strike a balance between convenience and ease of use and help meet security, compliance, and risk mitigation requirements.
Alon Nachmany is a cybersecurity evangelist and Field CISO of AppViewX, where he helps some of the world’s largest organizations secure vital data and protect some of the most cutting-edge innovations. Nachmany has more than 15 years of experience as a cybersecurity leader and has served as CISO, as well as an IT and security executive, for organizations such as National Securities Corporation, WeWork, Bromium and others.