Joseph Carson, chief security scientist & advisory CISO at ThycoticCentrify, discusses how to implement advanced privileged-access practices.
For many, 2021 signifies a year of recovery, reflection and reimagining. After the whirlwind year of 2020, we witnessed all aspects and facets of our lives and businesses turn upside down as our communities and economies adapted to the disruptions of the COVID-19 pandemic. As we all know, the pandemic has accelerated digital transformation initiatives across every industry sector, including IT, retail, education, hospitality, financial services, and so on, but most important of them all: Healthcare.
Despite being notoriously resistant to change, the healthcare industry, like many others, was forced to automate, systemize and digitize healthcare management to serve mass populations through social-distancing restrictions and to minimize the burden on health workers. In line with Gartner’s prediction that 85 percent of enterprises will adopt a cloud-first principle by 2025 to free up IT resources and deliver the most business value using the cloud, the healthcare industry scrambled to transition to the cloud to provide digital services to power mobile applications and telehealth services. However, with so much change in such a short period of time, several healthcare organizations struggled to maintain security practices, which is why it comes as no surprise, 2020 was a year of healthcare breaches.
Between June 17 and 22 of 2020, malicious hackers used phishing campaigns to gain access to multiple Microsoft Office 365 business email accounts owned by Florida-based advanced medical solutions provider, MEDNAX Services, exposing patient names, addresses, birthdates, Social-Security numbers, health-insurance information and billing claims details. Ultimately, the Department of Health and Human Services reported that 1.2 million patients were exposed.
The Risk of Weak or Default Passwords
Passwords remain one of the biggest challenges for both consumers and businesses around the world. In the similar case of the SolarWinds security incident in late 2020, we were all reminded that a poor password choice can not only impact your organization but all connected organizations as well. Successful compromised credentials have resulted in some of the biggest supply-chain cyberattacks in history — all stemming from poor, human-created passwords and escalating further toward the abuse of privileged access.
In our always-on, internet-connected universe, every user, whether a health patient or other, potentially has access to privileged or sensitive information. As witnessed in the MEDNAX breach, this privilege means the compromise of a single user’s credentials can all too readily be exploited by cybercriminals to escalate privileges and gain undetected access across your entire network, exposing data or personally identifiable information (PII).
Reconsidering the Security Perimeter
With cloud initiatives exploding, persistent connectivity and bring your own device (BYOD), the traditional cybersecurity perimeter has dissolved. The first step to reconsidering the security perimeter is to accept that all critical business applications, cloud assets, and remote workers in the perimeter-less enterprise pose as big potential security risks should access get in the hands of an unauthorized user.
Traditional password-management tools are not enough to protect against unrelenting cybercriminals. IT security teams need to implement advanced privileged access practices to gain secure control over web-based cloud management platforms and enforce the principle of least privilege access, even as organizations, including healthcare, are trying to bring healthcare into the hands of the patient.
The real goal of any knowledgeable cybercriminal is to gain control of privileged accounts so they can escalate their access to applications, data and key administrative functions, and then move laterally to other enticing systems. To mitigate risk, security teams need to consider the level of authorizations, permissions, and the number of security controls required to access high-risk data, such as customer or patient information. Identity is the new perimeter and access is the new security.
Shifting Security Strategies
Of all the lessons and experiences that 2020 gave us, one is that the concept of privilege security is changing. We are now seeing patients, users, employees, and consumers alike take a more proactive approach to handling their healthcare, administrative initiatives, IT needs, finances and more, all of which influence the privilege needed to complete those tasks.
Ultimately, organizations need to implement strategic key components to support a comprehensive approach to managing risk while balancing cybersecurity requirements with user productivity and experience. An intelligent, adaptive and highly usable cybersecurity framework of Interoperability, Automation and Orchestration enables security teams to coordinate and fine-tune a multifaceted defense strategy. To learn more, visit my recent guide on securing privileged access, available here.
Joseph Carson is the chief security scientist & advisory CISO at ThycoticCentrify.
Enjoy additional insights from SACUT’s Infosec Insiders community by visiting our microsite.