Hack-proofing ID and access management
A clinician approaches a computer on wheels, logs in, then walks away without ever signing out, leaving the system open for anyone to view, those with nefarious intent included. A physician leaves the hospital to accept employment with a competitor, but the chasm between HR and IT leaves that individual’s user account active anyway. And then there are the systems administrators themselves, typically as privileged as kings when, truth be told, they should not be.
These are just three of the common pitfalls information security professionals face when it comes to identity and access management — and all three are avoidable when hospitals institute best practices in identity and access management.
Security consultants Mac McMillan, CEO of Cynergistek, and Tom Walsh, founder and managing director of tw-Security, shared tips and best practices for mastering identity and access management.
4 steps to getting started
The process of identity and access management consists of four steps, according to Tom Walsh, founder and managing partner of tw-Security.
The first is user identification. The next step, authentication, is where the user is asked to prove that claimed identity with a password, token or biometrics.
Once the user is identified and authenticated, the next step is what Walsh called authorization or permission. Here, the system dictates what the user is permitted to see within the application or network.
And the last step is accountability, where the person is responsible for their actions, Walsh explained. In certain instances, a user must be able to give a reason why they are accessing certain information.
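The four steps Walsh describes map directly onto a single access-control path. The following is an added illustration, not code from the article or from tw-Security: usernames, passwords, roles and the patient identifier are constructed sample values, and the four-step flow is modelled as identification (look up the account), authentication (verify a salted PBKDF2 hash), authorization (role-based permission check) and accountability (an audit entry, with a stated reason required before access is allowed).

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Derive a password hash; the salt is stored alongside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "role": role}


# Constructed sample directory (hypothetical users, not from the article).
USERS = {
    "rn.jones": _make_user("correct horse", "nurse"),
    "bill.lee": _make_user("staple battery", "billing"),
}

# Role-based permissions: nurses see clinical records, billing does not.
ROLE_PERMISSIONS = {
    "nurse": {"clinical_record:read"},
    "billing": {"claims:read"},
}

# Accountability: every decision, allowed or denied, is recorded here.
AUDIT_LOG = []


def identify(username: str):
    """Step 1: identification. Returns the account record or None."""
    return USERS.get(username)


def authenticate(username: str, password: str) -> bool:
    """Step 2: authentication. Constant-time comparison of the derived hash."""
    user = identify(username)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _pbkdf2(password, user["salt"]))


def authorize(username: str, permission: str) -> bool:
    """Step 3: authorization. Permission must be granted by the user's role."""
    user = identify(username)
    return user is not None and permission in ROLE_PERMISSIONS.get(user["role"], set())


def access_record(username: str, password: str, permission: str,
                  patient_id: str, reason: str) -> str:
    """Run all four steps for one access request and return the outcome."""
    if not authenticate(username, password):
        outcome = "denied:authentication"
    elif not authorize(username, permission):
        outcome = "denied:authorization"
    elif not reason.strip():
        # Step 4: the user must be able to say why they need the record.
        outcome = "denied:no_reason"
    else:
        outcome = "allowed"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "permission": permission,
        "patient": patient_id,
        "reason": reason.strip(),
        "outcome": outcome,
    })
    return outcome


if __name__ == "__main__":
    print(access_record("rn.jones", "correct horse", "clinical_record:read", "P-001", "treating patient"))
    print(access_record("bill.lee", "staple battery", "clinical_record:read", "P-001", "curious"))
    for entry in AUDIT_LOG:
        print(entry)
```

Denied attempts are logged as well as successful ones, which is what makes the accountability step useful for later review: a billing user repeatedly denied on clinical records is exactly the pattern a snooping-detection review would look for.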
Learn more at the Privacy & Security Forum in Boston, Dec. 5-7, 2016.
That is just the beginning. To really lock down user identity and access management, Walsh also recommends a few more tactics, notably onboarding basics, connecting IT and HR, and provisioning.
“We advocate the minimum-necessary-privacy principle,” Walsh said. “The principle of least privilege, in the security world, the idea is the same: Only give access to information as it’s appropriate in order for someone to do their job function.”
Access and identity begin on day 1
Privacy principles apply every time a newly hired employee is granted access. Rather than simply communicating that initial access via a form, Walsh recommends a Terms of Agreement that includes the username and password. The new employee must agree to the terms or access won’t be provided.
Beyond that basic interaction, Walsh said it’s important to connect those people to human resources and IT concurrently. Just as new employees need badges or keys to do their jobs, they also need to be provisioned with access to the network.
If the IT department isn’t connected to HR, however, users can’t be set up before their start date. As a result, Walsh explained, managers sometimes share their IDs with new hires, so security breaks down from the beginning.
Walsh said that his firm also advises clients to establish access by roles within their department. For example, nurses need to see clinical information, but those in scheduling or billing departments don’t need access to that data. User provisioning sets things up on a role-based system.
“The best way to handle provisioning is role-based access because all access can be assigned in advance,” Walsh said. “And from then on when an employee requests access, the organization is fully aware of who is getting access to what.”
Cynergistek CEO Mac McMillan said another challenge is that many provider organizations use multiple, dissimilar user identities.
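Role-based provisioning as Walsh describes it means entitlements are attached to roles ahead of time, and a new hire receives exactly the union of their roles' entitlements. The example below is added here and is not code from the article or from tw-Security; the role names, entitlement strings and sample accounts are constructed. It shows both halves of the practice: `provision` derives an account's access from its roles, and `review` implements the user permission review the Clearwater analysis later in the article says is so often missing, by reporting anything granted beyond what the roles justify.

```python
from typing import Dict, Iterable, List, Set

# Role catalogue: every entitlement is assigned here, in advance (constructed sample).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "nurse": {"ehr:clinical_read", "ehr:clinical_write", "email"},
    "scheduler": {"scheduling:rw", "email"},
    "billing": {"billing:rw", "email"},
}


def entitlements_for(roles: Iterable[str]) -> Set[str]:
    """Union of the entitlements granted by each role; unknown roles are an error."""
    roles = list(roles)
    unknown = set(roles) - ROLE_ENTITLEMENTS.keys()
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    granted: Set[str] = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS[role]
    return granted


def provision(username: str, roles: Iterable[str]) -> dict:
    """Build the account record for a new hire purely from their roles."""
    roles = sorted(roles)
    return {
        "username": username,
        "roles": roles,
        "entitlements": sorted(entitlements_for(roles)),
    }


def excess_entitlements(account: dict) -> List[str]:
    """Permission review: entitlements the account holds that no role explains."""
    return sorted(set(account["entitlements"]) - entitlements_for(account["roles"]))


def review(accounts: Iterable[dict]) -> Dict[str, List[str]]:
    """Map username -> excess entitlements, for accounts that have any."""
    findings = {}
    for account in accounts:
        excess = excess_entitlements(account)
        if excess:
            findings[account["username"]] = excess
    return findings


# Constructed directory export: s.chen has drifted beyond the scheduler role.
SAMPLE_ACCOUNTS = [
    {"username": "s.chen", "roles": ["scheduler"],
     "entitlements": ["scheduling:rw", "email", "ehr:clinical_read"]},
    {"username": "r.patel", "roles": ["nurse"],
     "entitlements": ["ehr:clinical_read", "ehr:clinical_write", "email"]},
]


if __name__ == "__main__":
    print(provision("new.hire", ["nurse"]))
    print(review(SAMPLE_ACCOUNTS))
```

Because `review` compares the live entitlements against the same catalogue used to provision them, access granted by an ad-hoc ticket rather than by a role change shows up as a finding instead of quietly persisting.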
“Understanding who any given user is within the environment means you have to be able to find a way to normalize across all of the different identities,” McMillan explained. “In order to effectively handle access management a CIO has to overcome the obstacle of the number of systems that don't support common system IDs.”
Don’t leave user accounts dormant
Dormant accounts are a major issue plaguing healthcare security. When doctors, vendors, practices or other associated users leave an organization, the user accounts need to be closed. However, with a gap in communication between HR and the IT department, many of these user accounts remain open. While one such account may not seem like a major problem, they add up to hundreds or thousands of dormant accounts within an organization — creating a serious vulnerability.
The biggest problem is these past users can still gain entry into the system or a criminal can use these dormant, unsecured accounts to gain the same amount of access as the previous account holder.
According to a recent Clearwater Compliance analysis on risk ratings, user control review and user permission review controls are only partially in place or missing about 71 percent of the time — despite urging from the U.S. Department of Health and Human Services Office for Civil Rights for organizations to make it a priority.
Further, the report also found similar problems with excessive user permission controls. User activity review and user permission review controls are partially in place or missing about 70 percent of the time.
Perpetuating the vulnerabilities is the failure of organizations to use IT software able to detect and prevent threats, like snooping detection software. And while the report found inadequate device or data encryption is a significant source of risk for hospitals, the encryption levels are at the minimum on par with overall national healthcare averages.
Giving patients access: tread carefully
Understanding employee identities and access needs is a tremendous amount of work and granting patients rights, whether via a portal or other tools, adds even more complexity.
“Management challenges with patient access to the hospitals’ portals is emerging and will continue to escalate as more patients start to use these services,” McMillan said.
What’s more, this access could include non-IT systems with patient records, such as lab results, pharmacy or radiology.
“CIOs who may be asked to provide new credentials, or grant credentials to patients’ authorized representatives, will need to work closely with the privacy officers as they must serve as the buffer to screen and approve these requests based on the rules and the applicable state laws tied to the patients’ residency,” McMillan said. “This may also include cases where the patient has lost their user credentials to the portal.”
Beware the kings of kings
Another major failing is with system administrators who are seen as gods of the kingdom — kings of kings. They have all access rights to every piece of data on the system.
While users have to jump through all of these hoops to get into the system, Walsh said he found most system administrators don’t follow the same rules.
“System administrators are at most risk because they have the keys to the kingdom,” he said. “Sometimes they have the worst access controls of anyone on the system. It’s almost the opposite of what you would think. What we need to do is make sure we’re holding people accountable.”
Last but not least is the necessity to manage user accounts for outgoing employees. When someone leaves an organization, HR takes action and payments are halted. According to Walsh, that same action can get the IT department to remove network access from the person when the departments are connected.
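The dormant-account problem described under “Don’t leave user accounts dormant” and the HR-triggered offboarding Walsh describes here are two sides of the same reconciliation: compare what HR says about a person with what the directory says about their account. The script below is an added example, not code from the article or from either consulting firm; the roster, directory export, usernames and dates are constructed. It flags three conditions the text calls out: accounts still enabled after HR has terminated the person, accounts with no HR owner at all, and enabled accounts nobody has used within a dormancy window (90 days is an assumed threshold).

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

DORMANT_DAYS = 90  # assumed threshold; tune to local policy

# Constructed HR roster: what HR knows about each person.
HR_ROSTER: Dict[str, dict] = {
    "a.rivera": {"status": "active", "start": date(2016, 10, 3)},
    "d.osei": {"status": "terminated", "end": date(2016, 9, 30)},
    "m.khan": {"status": "active", "start": date(2016, 1, 4)},
}

# Constructed directory export: what IT's systems actually have enabled.
DIRECTORY: List[dict] = [
    {"username": "a.rivera", "enabled": True, "last_login": date(2016, 11, 1)},
    {"username": "d.osei", "enabled": True, "last_login": date(2016, 9, 29)},
    {"username": "m.khan", "enabled": True, "last_login": date(2016, 6, 1)},
    {"username": "svc-vendor7", "enabled": True, "last_login": None},
]

Finding = Tuple[str, str, str]  # (username, condition, recommended action)


def is_dormant(last_login: Optional[date], today: date) -> bool:
    """Never-used accounts count as dormant, as do those idle past the window."""
    if last_login is None:
        return True
    return (today - last_login).days > DORMANT_DAYS


def reconcile(roster: Dict[str, dict], directory: List[dict], today: date) -> List[Finding]:
    """Compare directory accounts against HR and return actionable findings."""
    findings: List[Finding] = []
    for account in directory:
        username = account["username"]
        person = roster.get(username)
        if person is None:
            # No HR record: nobody owns this account, so nobody will ask for it to be closed.
            findings.append((username, "orphan", "disable"))
        elif person["status"] == "terminated" and account["enabled"]:
            # HR already stopped payments; IT has not stopped access.
            findings.append((username, "terminated_but_enabled", "disable"))
        elif account["enabled"] and is_dormant(account["last_login"], today):
            findings.append((username, "dormant", "disable_and_review"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, DIRECTORY, date(2016, 11, 15)):
        print(finding)
```

Run from an HR feed on a schedule, the `terminated_but_enabled` branch is the automated supervision Walsh refers to: the same event that halts payroll drives the disable action, with no ticket required.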
“The more we automate supervision,” Walsh explained, “the better it is.”