Guest post by Joseph Schorr, director of advanced security solutions, Bomgar.
Moving into 2016, healthcare organizations will continue to be one of the most attractive targets for hackers. Last year, attacks against healthcare organizations were up 125 percent from 2010 and cost the industry $6 billion, according to the Ponemon Institute.
As illustrated in the Anthem and Excellus Blue Cross Blue Shield data breaches, hackers are moving beyond phishing attacks and random malware drops, and adopting methods that are more sophisticated. By leveraging third-party access and privileged account credentials (such as those held by IT security professionals, IT managers and database administrators) to exploit IT systems, hackers can gain an unrestricted and unmonitored attack foothold on the network. Once they have this foothold, they are remaining inside the victim’s environment for an incredible span of time – on average more than 200 days.
With this trend continuing, healthcare organizations can expect to see an uptick in these types of attacks within the industry. To combat this rise, healthcare organizations will need to focus on shoring up IT security around vendors and other third parties in the year ahead. The following are areas where they can concentrate attention to aid in this effort:
Reevaluate the legacy
In particular, third parties such as vendors are particularly juicy targets because they often use VPN and other legacy access methods to access systems. Examining and implementing more secure, sophisticated remote access and privileged access solutions is a good place to start strengthening IT security for the new year.
It’s a common misconception that VPN is a secure way to provide third-party vendors with network access. The problem lies in that an organization cannot ensure that third-party vendors’ security policies and practices are as strenuous as internal practices. If a criminal compromises a valid VPN connection, they have an open tunnel to an organization’s network and the sensitive data within.
Be in control
For too many healthcare organizations, vendors have more access than they need or their access can’t be monitored or restricted. It’s a scary question: Does your IT department know who their privileged users are and what level of IT permissions they have? If not, taking stock of those users, the systems to which they need access, and when they must access them is a critical undertaking for 2016. Following that, the organization can set access parameters that allow those privileged users to be productive and gain access to tools, data and systems they need to do their jobs, while limiting risk. Proactively controlling and monitoring access to critical systems can help tighten IT security within healthcare organizations.