Saviynt Blog | Security News and Research

Fighting Insider Threats in Healthcare With Zero Standing Privilege

Written by MJ Kaufmann | Apr 1, 2021 7:00:00 AM
Learn How Zero Standing Privilege Helps Identify and Combat Insider Threats

Managing security and access in healthcare isn’t easy. It is one of the most strictly regulated industries worldwide, and nearly every aspect of it is regulated, especially patient health information. Evolving requirements such as the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the Payment Card Industry Data Security Standard (PCI DSS) keep healthcare cybersecurity professionals on their toes.

Recent innovations in healthcare technology have only added to the load. Managing access to protected health information (PHI) for numerous devices, and individuals, across everything from Electronic Health Records (EHRs) to telehealth quickly becomes extremely complicated. And with 642 significant healthcare data breaches (those affecting 500 or more individuals) reported in 2020, securing patient health information can seem like a daunting task.

The Danger Inside

It’s easy to assume that healthcare cybersecurity risks consist solely of bad actors and other external threats. But the truth is that nearly half (48%) of healthcare industry breaches begin with insider threats. Insider threats arise when someone “uses their authorized access — intentionally or unintentionally — to compromise your organization’s network, data or devices,” according to Verizon. But current employees aren’t the only insider threats. Contractors, board members, and former employees who still have lingering access can be insider threats too.

So how do you identify and defend against insider threats? This article looks at ways healthcare organizations can identify and combat insider threats – and proactively prevent them as well.

Healthcare Security Internal Risks
Managing a Dynamic Workforce

Healthcare relies on a constant ebb and flow of doctors, nurses, technicians, contractors, and vendors. Temporary staffing is widespread: 94% of healthcare facilities use locum tenens physicians. Flex staff may work at different hospital locations on different days, so their permission needs change constantly. These locum tenens clinicians need access to sensitive data to do their jobs, but that access must be removed or modified when they leave or change roles. Too often, privileges linger, raising the risk of insider threats and the chance that data falls into the wrong hands.

Access to Electronic Health Records

Healthcare providers must strike the right balance between security and patient care. The goal is to protect digital assets and privacy without preventing healthcare providers from delivering quality care. That’s why it’s crucial to take an approach that provides frictionless access to EHRs while ensuring patient privacy at the same time. 

For instance, an orthopedist consulting in the ER on a patient needs immediate access to that patient’s records, but not to the records of anyone else in the ER that day. Under HIPAA’s minimum necessary standard, her access has to be evaluated in the context of her current role and her responsibility to that individual patient, and it should be removed once her work with that patient is complete. This type of fine-grained, patient-scoped, time-bound access is hard to achieve with passwords, static account permissions, and user groups alone.

Zero Standing Privilege: Proactive Prevention

HIPAA mandates that healthcare institutions safeguard patient health information and grant access only as needed to deliver care. Using risk to decide which users get access is a start, but evaluating requests case by case is cumbersome, and it still leaves access in place well past the point where it is needed. Standing privilege and orphaned accounts, coupled with a high-churn rotating workforce, leave healthcare organizations vulnerable.

What is Zero Standing Privilege?

Enter zero standing privilege (ZSP), which helps deliver the level of security and privacy that HIPAA and similar healthcare regulations require. ZSP is a proactive security model in which nobody holds access to protected data by default: the default privilege level is zero. Persistent superuser accounts, which are dangerous and tend to multiply in large institutions, are replaced by privileges that are granted on demand and expire on their own. Every access request gets a risk-based evaluation and is provisioned for a limited period. In effect, ZSP applies the principle of least privilege along the time axis as well as the scope axis: not only the smallest set of rights, but only for the shortest necessary window.

Embracing Least Privilege

Implementing least privilege in the fast-paced healthcare industry is a formidable task. Users are dynamic, moving from one role to another, one ward to another, and even one hospital to another, often all in the same week. Resources a healthcare worker needed one week aren’t required the next. This is where zero standing privilege comes into play: because access expires automatically after a set period, excessive permissions don’t linger under the radar, and access management becomes less cumbersome.

Providing Just-in-Time Access

Zero standing privilege relies heavily on Just-in-Time (JIT) Access. It’s called “Just-in-Time” because access is granted at the moment it is needed, and only for as long as it is needed, rather than being set up in advance. Because the grant is fast, it also removes the need to prearrange accounts or go through a lengthy approval process that impedes productivity.

JIT Access is distinct from JIT Provisioning. JIT Provisioning creates an account (and its entitlements) the first time a user signs in, and those entitlements then persist as standing access. Modern Identity Governance and Administration (IGA) solutions instead offer JIT Access: users request the access they need when they need it. If the request carries little or no risk, it is often approved automatically and the user gets access to the application, data, or system right away, which reduces the IT burden. When a request looks risky, it escalates for human review. Either way, users hold access to protected health information and other sensitive resources only for the minimum time necessary, after which it is automatically revoked.

JIT Access mitigates the risk of privileged account abuse. It significantly narrows the window and scope of an attack and limits the damage a malicious insider can cause. It also reduces accidental misuse, because users never hold access they are not currently using. At the same time, providers can deliver care faster, without compromising security.
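The request, evaluate, grant, expire loop described above, together with the patient-scoped ER consult from the EHR section earlier, as an added example in Python. This is illustrative code written for this page, not Saviynt’s product code or API; the risk weights, the 50-point review threshold, the identities, sites and patient IDs are all constructed. A real IGA platform would replace risk_score with its peer and usage analytics and approve with its workflow engine.

```python
"""ZSP access broker: no access by default; every grant is patient-scoped, time-boxed
and risk-scored first. Added illustration, not Saviynt code; all values are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

RISK_THRESHOLD = 50           # at or above this score a human approver is required
MAX_TTL = timedelta(hours=4)  # hard cap on the lifetime of any single grant

@dataclass(frozen=True)
class Identity:
    user_id: str
    usual_sites: frozenset               # sites this person normally works at
    end_date: Optional[datetime] = None  # contract or employment end, if known

@dataclass
class Grant:
    user_id: str
    patient_id: str
    expires_at: datetime
    approved_by: str  # "auto" when policy approved it, else the approver's id

@dataclass
class Decision:
    status: str  # "granted" | "pending_review" | "denied"
    risk: int
    reasons: list = field(default_factory=list)  # shown to a human reviewer
    grant: Optional[Grant] = None

def risk_score(ident, patient_id, site, care_team, now):
    """Contextual risk: who asks, about which patient, from where, and when."""
    if ident.end_date is not None and ident.end_date <= now:
        return 100, ["identity is past its end date (lingering access)"]
    score, reasons = 0, []
    if ident.user_id not in care_team.get(patient_id, set()):
        score += 50; reasons.append("requester is not on this patient's care team")
    if site not in ident.usual_sites:
        score += 20; reasons.append("request from an unfamiliar site")
    if not 7 <= now.hour < 19:
        score += 15; reasons.append("off-hours request")
    return score, reasons

class JITBroker:
    def __init__(self, care_team):
        self.care_team = care_team  # patient_id -> user_ids holding an order/consult
        self.grants = {}            # (user_id, patient_id) -> active Grant
        self.pending = {}           # (user_id, patient_id) -> (Decision, ttl)
        self.audit = []             # (when, user, patient, event, risk)

    def request(self, ident, patient_id, site, ttl, now):
        ttl = min(ttl, MAX_TTL)
        score, reasons = risk_score(ident, patient_id, site, self.care_team, now)
        key = (ident.user_id, patient_id)
        if score >= 100:
            decision = Decision("denied", score, reasons)
        elif score >= RISK_THRESHOLD:
            decision = Decision("pending_review", score, reasons)
            self.pending[key] = (decision, ttl)
        else:
            self.grants[key] = Grant(ident.user_id, patient_id, now + ttl, "auto")
            decision = Decision("granted", score, reasons, self.grants[key])
        self.audit.append((now, ident.user_id, patient_id, decision.status, score))
        return decision

    def approve(self, user_id, patient_id, approver, now):
        """A human reviewer turns an escalated request into a time-boxed grant."""
        decision, ttl = self.pending.pop((user_id, patient_id))
        self.grants[(user_id, patient_id)] = Grant(user_id, patient_id, now + ttl, approver)
        decision.status, decision.grant = "granted", self.grants[(user_id, patient_id)]
        self.audit.append((now, user_id, patient_id, "approved:" + approver, decision.risk))

    def has_access(self, user_id, patient_id, now):
        """Enforcement point: default deny; an expired grant is revoked on touch."""
        grant = self.grants.get((user_id, patient_id))
        if grant is None:
            return False
        if grant.expires_at <= now:
            del self.grants[(user_id, patient_id)]
            self.audit.append((now, user_id, patient_id, "expired", 0))
            return False
        return True

def demo():
    """ER consult walk-through; returns what each step observed."""
    now = datetime(2021, 4, 1, 10, 0, tzinfo=timezone.utc)
    ortho = Identity("dr_ortho", frozenset({"main_campus"}))
    locum = Identity("rn_locum", frozenset({"north_clinic"}),
                     end_date=datetime(2021, 3, 31, tzinfo=timezone.utc))
    broker = JITBroker(care_team={"pt_1001": {"dr_ortho"}})  # consult ordered for pt_1001
    consult = broker.request(ortho, "pt_1001", "main_campus", timedelta(hours=12), now)
    other = broker.request(ortho, "pt_1002", "main_campus", timedelta(hours=1), now)
    out = {
        "consult": consult.status,                     # auto-granted: low risk
        "consult_ttl_hours": (consult.grant.expires_at - now) / timedelta(hours=1),
        "other_patient": other.status,                 # escalated to a person
        "departed_locum": broker.request(locum, "pt_1001", "main_campus", MAX_TTL, now).status,
        "during_consult": broker.has_access("dr_ortho", "pt_1001", now),
        "other_before_review": broker.has_access("dr_ortho", "pt_1002", now),
    }
    broker.approve("dr_ortho", "pt_1002", "er_charge_nurse", now)
    out["other_after_review"] = broker.has_access("dr_ortho", "pt_1002", now)
    out["after_expiry"] = broker.has_access("dr_ortho", "pt_1001", now + timedelta(hours=5))
    return out
```

Two design points worth noticing. has_access is the only enforcement path and it defaults to deny, so a grant that was never issued and a grant that has expired are indistinguishable from the resource’s point of view. And the MAX_TTL cap applies even to auto-approved requests: the consult asked for twelve hours and received four. Running demo() walks the orthopedist through the scenario: her own patient is approved automatically, a second patient escalates to a human, the departed locum is denied outright, and the consult grant is gone five hours later.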

Automation Paves the Way for Safer Access & Quality Care

Modern IGA solutions that apply Zero Trust principles streamline the access request process with automation. These platforms use machine learning to evaluate access requests against organizational and industry-standard policies. Through peer and usage analytics, each request is judged on contextual identity information: what similar users in the same role hold, and how the requester has used access before. As approvals and denials accumulate, the system learns from them, and over time it recognizes which request scenarios are routine for the organization. That frees approvers from repetitive requests so they can focus on unusual or high-risk ones. Automated approvals still need to be logged and periodically reviewed, so that what the model treats as routine does not quietly drift into over-provisioning.

Elevating Healthcare Security

Combating insider threats is an additional burden as healthcare organizations continue to face down a worldwide pandemic. Zero standing privilege mitigates the risk of privileged account abuse, limits the damage a malicious insider can do, and reduces the chance of accidental account misuse. By implementing ZSP together with Just-in-Time Access, risk-based analytics, and automation, healthcare organizations can stay focused on delivering high-quality care without compromising security or compliance.

Learn more about how Saviynt helps healthcare organizations address the challenges of efficiently providing patient services while simultaneously protecting their data.