SECURING THE PAPERLESS HEALTH SERVICE
The increased use of electronic personal information, coupled
with rapid advances in healthcare technology, has created
complex healthcare delivery networks that are target-rich
environments for cyberattackers. David Higgins, Director of
Customer Development at CyberArk, tells us how healthcare
organisations should update their security environment to face
the current threat landscape and increasingly tight regulations.
Today’s healthcare systems rely increasingly on electronic personal health information (ePHI), while the acceleration of healthcare technology is creating a wider and more complex attack surface than ever for healthcare delivery networks. Savvy cybercriminals are looking for any opportunity to exploit the cloud-based applications or IoT-enabled devices that healthcare now relies on, so they can get hold of ePHI.
The growing exposure of networks showcases the concerning vulnerabilities plaguing a healthcare service desperate for stronger cybersecurity. Specifically, the NHS suffers from outdated and unsupported software, and a massive cybersecurity skills shortage which compromises security and the ability to efficiently safeguard against ransomware and internal threats to ePHI – malicious, but also resulting from human mistakes. At the same time, we’re seeing an increasing number of regulations around ePHI being created, such as HIPAA HITECH and GDPR, while non-compliance is bringing harsher penalties, particularly in relation to privileged access management.
Recent Verizon analysis revealed that 58% of cyberincidents involved insiders and, even more worryingly, healthcare was the only industry in which internal actors were the biggest threats to an organisation. However, it’s important to remember that the attack vectors are vast in healthcare.
When it comes to privileged access, all the human points of access must be monitored, including those holding administrator rights, along with non-human access. Particularly important are the applications and medical devices that interact with critical systems and enable fundamental processes such as integrating patient diagnostic data from third-party services or seeking reimbursement from a payer organisation.
The most effective thing healthcare organisations can do to manage access to privileged accounts, credentials and secrets is to implement an effective way to contain insider threats. Having strong privileged access security procedures in place will limit an attacker’s ability to escalate privileges and subsequently access sensitive systems. Proper
Issue 10 | www.intelligentciso.com