Surviving the ‘Cyber-Demic’ with Identity

How Identity-Centered Solutions Help Healthcare Address Rising IoT and Cloud Security Threats

The last thing any Healthcare executive wants to hear is that a ‘cyber-demic’ is on the horizon. Yet, that is precisely what Experian describes, pointing out that COVID-19 vaccine rollout information and personal healthcare data are “particularly vulnerable.” Cyberattacks targeting the healthcare industry increased more than 45% in 2020 – double the increase seen by other industries. 

Despite this onslaught, the healthcare industry rose to meet the recent global health crisis. Healthcare technology adoption moved faster than ever. Cloud migration and digital transformation initiatives accelerated. Resilience became the mantra of the post-COVID era, and the cloud provided the path forward. 

For all its benefits, healthcare in the cloud faces many challenges. It’s harder to control and secure access to Protected Health Information (PHI), a crucial aspect of meeting compliance regulations like the Health Insurance Portability and Accountability Act (HIPAA). Information sharing across vendors and partners associated with healthcare, whether claims and accounting related or medical service providers, increases vulnerability. Combine this with the sheer volume of interconnected devices and the fact that nearly three-quarters of healthcare virtual networks allow malware to spread to vulnerable Internet of Things (IoT) devices, and it’s ulcer generating for any Healthcare CISO.

How can organizations mitigate Healthcare IoT and cloud security threats? This article discusses how identity management solutions enable organizations to address healthcare IoT and cloud security threats proactively.

Healthcare Cloud Security Challenges

PHI Outside the Bubble

Initially, Electronic Health Records (EHR) and PHI didn’t reside in the cloud, but government initiatives encouraging healthcare IT usage and a global health crisis were key drivers of this trend. As organizations continue to move their EHRs to the cloud, telehealth services expand, and additional IoT medical devices get developed, more healthcare data resides outside the traditional network security boundaries than ever before. 

Manually managing all of the new cloud resources – and their associated accounts and identities – is a daunting task. If it is not properly maintained and updated throughout the identity lifecycle, there is a high risk of orphaned accounts and sprawling permissions for individuals that have left or changed roles. To keep up with the management tasks, it is easy for administrators to use broader bulk role-based permissions. While simplifying the administrative time, it creates increased risk of over-permissioning that is directly in conflict with HIPAA’s minimum necessary rule. 

Cloud EHR Risks

One of the most integral healthcare technologies is an EHR solution. EHRs are integrated throughout healthcare delivery from treatment to billing. This creates large quantities of valuable healthcare data, much of it stored in the cloud — making it a tempting target for tempting cybercriminals.

Users and patients must have secure, efficient, and appropriate access to ePHI. Many cloud EHRs provide tools to help manage users and access. These tools are often limited and do not provide fine-grained access control for resources, manage medical devices, or detect inappropriate access such as Segregation of Duties (SoD) violations. Managing these access controls and risks are critical to maintaining continuous HIPAA compliance. 

Medical Device Security

Medical devices are part of the IoT, and there is a lot of benefit in this technology. At-risk patients can effectively monitor blood sugar levels or high blood pressure, for example, without having to drive an hour to the nearest clinic. Providers rely on these devices to continuously manage multiple patients with a single nurse, reducing overhead. And insurers reduce costs by managing these chronic conditions – ensuring that patients avoid readmission.

According to a PricewaterhouseCoopers (PwC) 2019 survey, about a third (36%) of health industry execs are using IoT to improve security and safety for their staff and patients, with another 18% planning to do so this year. The pandemic has only accelerated the use of IoT as patients were in lockdown and often unable to make in-person visits to healthcare facilities.

Despite these clear benefits, IoT also introduces a unique set of risks to healthcare organizations. A large trove of patient data is collected and stored, providing near real-time information on a patient’s health. According to the U.S. Food and Drug Administration (FDA), the medical device IoT requires extra vigilance. This makes sense given that IoT l is notoriously vulnerable. In fact, the 2020 Unit 42 threat report uncovered:

• 98% of all IoT device traffic is unencrypted
• 72% of healthcare organizations are combining IoT and IT assets on virtual LAN
• 57% of IoT devices are vulnerable to medium- or high-severity attacks
• 41% of attacks exploit device vulnerabilities

Identity Fortifies Healthcare Cloud Security

Governance for All Identities

As the healthcare industry continues to transform and adopt cloud-based services and solutions, its security model and mindset must also mature. Reliance on the traditional perimeter of firewalls needs to progress to identity-centered security. Drawing the security perimeter at identity offers security and governance that expands beyond the conventional organizational boundaries. Identity is not geographically bound, allowing you to protect PHI and govern access on-premises and in the cloud.

Identity Governance and Administration (IGA) is key to delivering a governance solution for both human and machine identities. Comprehensive IGA solutions that incorporate Zero Trust principles and factor in risk-based controls, internal policies, and regulatory compliance can streamline decision making, reduce risk, and provide continuous compliance. 

Machine based identities such as those belonging to IoT devices are also managed by IGA. By limiting the scope of access for IoT devices, the ability for them to be used to propagate malware or serve as a beachhead for an attack is reduced. So even if the device is attacked, its damage is restricted. 

IGA solutions also have deep visibility into the IT ecosystem to identify how access is being used and use this information to drive decisions on new access and evaluate the appropriateness of existing access. This contextual awareness ensures that access is appropriate and prevents toxic combinations of access that might create SoD violations. By continually monitoring, tracking, and enforcing how access is implemented, healthcare organizations can realize a state of continual compliance with HIPAA. 

Privileged Access Management Built for the Cloud

Healthcare organizations migrated many services to the cloud during the pandemic to increase accessibility and address the public health crisis. Now that the industry has experienced the elasticity, scalability, resiliency, and cost optimizations offered by the cloud, many of these services will continue post-COVID. However, the loosened regulations will not last forever. Moving forward, healthcare organizations will require cloud-focused Privileged Access Management (PAM) solutions to ensure security and compliance requirements are met.

Embracing traditional PAM solutions to manage and monitor new cloud ecosystems won’t protect critical assets in the cloud – primarily because the on-premises IT infrastructures they were designed to support are static in nature, unlike the ephemeral cloud. Reconciling access control frameworks for legacy systems and the cloud ecosystem is complicated at best. Configuring access control among a range of disparate services gets stymied by a lack of visibility. Simply “lifting and shifting” traditional PAM is not the most effective solution. 

Cloud Privileged Access Management (CPAM) solutions allow organizations to assign fine-grained access privileges to cloud resources, ensuring compliance with the HIPAA “minimum necessary requirement,” which is equivalent to least privilege. Combined with an IGA solution, uniform risk, governance, and access rules implemented can be applied consistently throughout the cloud ecosystem. This provides organizations continuous compliance by having a universally applied set of security controls for their resources, whether in the cloud or on-premises.  

For all its complexity, healthcare cloud security doesn’t have to remain a challenge for organizations as they adopt modern technology. A comprehensive IGA solution with integrated CPAM reduces the risks associated with healthcare IoT, cloud EHRs, and telehealth. Safely collecting and delivering PHI is a crucial aspect of patient care and meeting compliance regulations like HIPAA. By implementing cloud IGA and PAM solutions, healthcare providers can solve compliance challenges, and focus on what matters most: patient care.