Guest post by Joseph Schorr, director of advanced security solutions, Bomgar.
Moving into 2016, healthcare organizations will continue to be one of the most attractive targets for hackers. Last year, attacks against healthcare organizations were up 125 percent from 2010 and cost the industry $6 billion, according to the Ponemon Institute.
As illustrated in the Anthem and Excellus Blue Cross Blue Shield data breaches, hackers are moving beyond phishing attacks and random malware drops, and adopting methods that are more sophisticated. By leveraging third-party access and privileged account credentials (such as those held by IT security professionals, IT managers and database administrators) to exploit IT systems, hackers can gain an unrestricted and unmonitored attack foothold on the network. Once they have this foothold, they are remaining inside the victim’s environment for an incredible span of time – on average more than 200 days.
With this trend continuing, healthcare organizations can expect to see an uptick in these types of attacks within the industry. To combat this rise, healthcare organizations will need to focus on shoring up IT security around vendors and other third parties in the year ahead. The following are areas where they can concentrate attention to aid in this effort:
Reevaluate the legacy
In particular, third parties such as vendors are particularly juicy targets because they often use VPN and other legacy access methods to access systems. Examining and implementing more secure, sophisticated remote access and privileged access solutions is a good place to start strengthening IT security for the new year.
It’s a common misconception that VPN is a secure way to provide third-party vendors with network access. The problem lies in that an organization cannot ensure that third-party vendors’ security policies and practices are as strenuous as internal practices. If a criminal compromises a valid VPN connection, they have an open tunnel to an organization’s network and the sensitive data within.
Be in control
For too many healthcare organizations, vendors have more access than they need or their access can’t be monitored or restricted. It’s a scary question: Does your IT department know who their privileged users are and what level of IT permissions they have? If not, taking stock of those users, the systems to which they need access, and when they must access them is a critical undertaking for 2016. Following that, the organization can set access parameters that allow those privileged users to be productive and gain access to tools, data and systems they need to do their jobs, while limiting risk. Proactively controlling and monitoring access to critical systems can help tighten IT security within healthcare organizations.
Gaining visibility into when and how vendors or other third parties access the network and what data they are accessing once they are inside is very challenging for most organizations.
In healthcare and in other sectors, organizations have not invested enough of their IT security budget in solutions that provide transparency into their vendor access. If a vendor’s credentials are compromised, organizations without sophisticated tools that can assess what’s happening within their network—not outside of it—lack the ability to begin the process of uncovering an unauthorized user. Technologies that allow monitoring and auditing of remote sessions add value from an accountability perspective. Capturing and recording all actions taken during every remote session keeps everyone on the task at hand and within the appropriate systems of a network.
These areas can be security and compliance weak points that healthcare CIOs should look to address in 2016. By assessing, controlling and monitoring third-party access into the network, healthcare CIOs and CISOs can help to strengthen IT security and limit their exposure to hackers.