Vital to manage privileged access
Firms must take holistic approach to securing environments to reduce risk of a catastrophic cyber security incident
The increased use of electronic personal health information (ePHI) coupled with advances in healthcare technology has created healthcare delivery networks that are target-rich environments for cyber attackers.
In Singapore, there is growing adoption of digital healthcare solutions such as the HealthHub portal where 72 accounts were recently illegally accessed.
Cyber security is no longer just an information technology concern - it is becoming a public safety and infrastructure issue.
Outdated and unsupported software, cyber security skills shortage and evolving technology have left hospitals and healthcare systems vulnerable to ransomware and internal threats to ePHI - both malicious and those resulting from human error.
The attack vectors are expansive in healthcare. Especially when it comes to privileged access, we have to consider all of the human points of access, including people with administrator rights, and those with non-human access.
Managing access to privileged accounts, credentials and secrets is an effective way to limit the moves an intruder can make after a breach.
With privileged access security measures in place, an attacker's ability to move laterally to access sensitive systems will be contained.
Proper cyber security hygiene in an environment where the stakes are so high is critical. This starts with effectively managing privileged access.
With ePHI being dispersed across expansive networks of patient monitoring devices, mobile endpoints for employees and self-service patient web portals, the risk to healthcare providers continues to evolve.
Only organisations that take a holistic approach to securing their environments will reduce the risk of a catastrophic cyber security incident.
A recent study disclosed that 52 per cent of healthcare IT decision-makers cannot prevent attackers from breaking into their networks, and 59 per cent believe that customers' personally identifiable information (PII) could be at risk.
Therefore, we challenge organisations to assume that a breach will happen and to implement security tools that prevent an attacker from gaining access.
In Singapore, the new Cybersecurity Act designates healthcare as one of the critical sectors of essential services to be termed critical information infrastructure (CII).
The law imposes serious cyber security obligations on owners of CII.
Beyond regulatory penalties, there are significant operational costs to recover from a data breach. A study found that a healthcare data breach costs on average US$380 (S$520) for each record - more than 21/2 times the global average across industries.
To demonstrate compliance with CII regulations, healthcare providers must have access to documented, auditable proof of their efforts to protect privileged access.
Audit trails require a solution that enables comprehensive monitoring, recording and isolation of all privileged user sessions, detailed activity reports on critical ePHI databases and applications, searchable audit logs and complete, multi-layered audit trail data protection.
It has become increasingly clear that cyber security is a risk factor in healthcare data.
Consequently, organisations must manage privileges to proactively protect against, detect and respond to attacks in progress before attackers compromise vital systems and data.
Managing privileges does not mean denying them. It is a matter of controlling who has access to what and why.
Privileged access security is an essential first step in maturing healthcare cyber security and must be a priority.
The writer is labs team leader in research at CyberArk, a security software company
Get The New Paper on your phone with the free TNP app. Download from the Apple App Store or Google Play Store now
