Intelligent CISO Issue 10 | Page 74

SECURING THE PAPERLESS HEALTH SERVICE The increased use of electronic personal information, coupled with rapid advances in healthcare technology, has created complex healthcare delivery networks that are target-rich environments for cyberattackers. David Higgins, Director of Customer Development at CyberArk, tells us how healthcare organisations should update their security environment to face the current threat landscape and increasingly tight regulations. David Higgins, Director of Customer Development at CyberArk T oday’s healthcare systems rely increasingly on electronic personal health information (ePHI), while the acceleration of healthcare technology is creating a widened and more complex attack surface than ever for healthcare delivery networks. Savvy cybercriminals are looking for any opportunity to exploit the cloud-based applications or IoT enabled devices that healthcare now relies on, so they can get hold of ePHI. The growing exposure of networks showcases the concerning vulnerabilities plaguing a healthcare service desperate for stronger cybersecurity. Specifically, the NHS suffers from outdated and 74 unsupported software, and a massive cybersecurity skills shortage which compromises security and the ability to efficiently safeguard against ransomware and internal threats to ePHI – malicious, but also resulting from human mistakes. At the same time, we’re seeing an increasing number of regulations around ePHI being created, such as HIPAA HITECH and GDPR, while non-compliance is bringing harsher penalties, particularly in relation to privileged access management. Recent Verizon analysis revealed that 58% of cyberincidents involved insiders and, even more worryingly, healthcare was the only industry in which internal actors were the biggest threats to an organisation. However, it’s important to remember that the attack vectors are vast in healthcare. When it comes to privileged access, all the human points of access must be monitored, including those holding administrator rights, along with non- human access. Particularly important are the applications and medical devices that interact with critical systems and enable fundamental processes such as integrating patient diagnostic data from third-party services or seeking reimbursement from a payer organisation. The most effective thing healthcare organisations can do to manage access to privileged accounts, credentials and secrets is implementing an effective way to contain insider threats. Strong privileged access security procedures in place will limit an attacker’s ability to escalate privileges and subsequently to access sensitive systems. Proper Issue 10 |