Strong cybersecurity architecture and threat management are essential to safeguarding internal and external access to healthcare organizations' systems, especially as those systems may harbor unknown vulnerabilities.
During a June Becker's Hospital Review webinar sponsored by Imprivata, healthcare technology and security leaders discussed why differentiated privileged access management (PAM) is important and how to go about implementing a comprehensive PAM strategy. Panelists were:
- Chris Akeroyd, senior vice president and chief information officer, Children's Health in Dallas
- Brian Barnes, chief technology officer, Coretek
- Joel Burleson-Davis, chief technology officer, SecureLink (Moderator)
- Brian Herr, chief security officer, Coretek
- Jesse Myers, vice president of IT security, Imprivata
Four key insights were:
- The cyber threatscape is making rigorous PAM a necessity. Privileged access credentials are the main attack vector through which cyber breaches occur, because people often use them in ways that overlap with their personal access credentials. This occurs, for example, when employees use the same login and password combinations for their personal accounts as they do for their corporate ones, which opens the door to dark web scans and security breaches. "Whatever you define as privileged access [credentials], those are your keys to the kingdom," Mr. Burleson-Davis said.
Compounding the problem is that some users with privileged access are on-premise while others connect to organizations' security systems through the cloud. "Multi-tenancy management of credentials is a critical factor of maintaining least privilege," Brian Barnes said, referring to the concept of restricting access rights only to users who are absolutely required to perform routine activities.
Aware of these risks, some companies are relying almost exclusively on two-factor authentication to prevent unauthorized access. However, the ubiquity of this measure is generating fatigue and causing users to lower their guard even when a request looks suspicious. Chris Akeroyd noted that "two-factor authentication is not the be-all, end-all and can't be the only failsafe you have."
- When leveraging a PAM solution, build a priority matrix of implementation. Because it is difficult for even the most robust PAM solution to address security deficits across multiple apps, it is essential that implementation focuses on an organization's "crown jewels" first. "Start with those things at the very center of the bullseye that you know you have to protect," Mr. Myers said. "You get some tactical wins quickly and you start getting patted on the back for things that are making people's lives easier as they're not having to type in all those passwords. And the security piece is just a bonus."
- When implementing PAM for third-party vendors, PAM credentials need to be secured and treated differently. Vendors and contractors often share PAM credentials to log in to customer accounts with full-time employees, although doing so represents a security risk. The solution to this lapse is third-party-specific remote access that recognizes remote connectivity is inherently risky and has adequate controls. Ideally, such a third-party access solution is integrated within a centralized PAM strategy.
- Integrated PAM and third-party access management has important benefits for organizations. When the two strategies are used in conjunction, the result is a more secure identity and access landscape. In such a scenario, all identities, internal and external, have their credentials and access rights distributed accurately and securely, while access is managed on a least privilege basis.
To make the most of an integrated PAM solution, organizations ought to ensure that the solution is scalable, designed with interoperability in mind and capable of taking inventory of all identities.
Mr. Myers's advice on facilitating this process is to identify internal "ambassadors" who can help with adoption: "We've had a lot of success going to key engineers and other people who 'get' security risk and getting them comfortable with the idea that [integration] is going to make their lives easier."