
Shop Talk: The Threat from Within

March 28, 2007
by Ellen Libenson
Implementing secure access controls helps organizations protect sensitive patient information from insider threats and comply with federal regulations.

According to a recent study published by the Federal Trade Commission, U.S. consumers filed more than 650,000 fraud and identity theft complaints in 2005 alone. While many companies spend their IT security dollars on solutions designed to keep intruders out, they fail to recognize the threat from within.

Numerous reports published by the FBI and the Secret Service reveal that information theft by so-called "trusted users" is just as common as, and in some cases more common than, security breaches perpetrated by external hackers. It is critical, both as a best-practices security measure and for compliance with HIPAA regulations, that hospitals, payers and other healthcare organizations implement reliable, secure solutions to control and manage access to sensitive information.

In many IT environments, administrators are often given the "super user" or "root" password. These serve as the virtual "keys to the kingdom," providing administrators with complete access to the information contained on company UNIX and Linux servers. In an environment in which every administrator knows and shares the root password, there is equal opportunity and temptation for administrators to abuse their privileges, creating a significant risk to the confidentiality of patient records, financial data and other proprietary information.

For example, it is common to find systems administrators sharing passwords with elevated privileges without considering the risks of doing so. For every server, operating system, device or application added to the network, there is a set of privileged accounts created by administrators to manage them. Each represents a security concern, as well as a potential roadblock to complying with HIPAA regulations.

Managing user access — including registration, administrative privileges, passwords and reviews of user access rights — can be accomplished through methods that are similar to those used for managing end-user access controls. Responsibilities for users with elevated privileges must be clearly defined, documented and enforced by a solution that enables organizations to selectively provide the functionality and privileges that the high-level administrative password provides without disclosing exactly what that password is.

Deploying an effective identity and access management solution enables companies to granularly delegate the level of access granted to each password, ensuring that staff members and administrators are only able to access servers and applications required to complete their tasks. Granting the least amount of privilege required and removing the temptation to abuse administrator rights prevents employees from accessing information that they do not need to view.

Effective identity and access management solutions require individuals to send specific requests for administrative rights. These systems can issue a password that only allows access to certain areas of the network and only for the amount of time needed to accomplish a given task. This creates an added layer of security by ensuring that even trusted IT administrators are granted limited access to applications and information.

The best solutions for neutralizing the insider threat will also protect passwords from external hackers. Once an administrator completes the task at hand, the assigned password is reset automatically. For every request, a new administrator password is created, issued and deleted, preventing outsiders from capitalizing on lax password protection policies or finding "orphaned" accounts that may still be active.

The best solutions also address accountability issues associated with the use of limited user and super user passwords. Because there is no distinction between individuals using the root password on UNIX and Linux systems, when the administrator account is used, it is virtually impossible to assign individual accountability. UNIX and Linux operating systems also fall short of tracking an individual's activity while on a particular server. Under these conditions, if an employee gains access to a server or application via the root password, the organization cannot determine what the person did while logged in, from where the user logged on, what directories and data were accessed or what information was downloaded.

As most healthcare organizations realize, HIPAA audits require comprehensive log files to determine the answers to these questions. Comprehensive identity and access management solutions track user activity, creating event logs that capture detailed information about each task request. The most sophisticated solutions also capture keystrokes to provide organizations with a more complete view of the input and output during a specific session.
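
The checkout workflow described above (a named individual requests access, receives a password scoped to one server for a limited time, and the password is reset afterward, with every request logged), sketched as an added example that is not from the article or any vendor's product. The class, user and host names are hypothetical, and the broker only models password state; a real deployment would also set each new password on the target server.

```python
import secrets
import time

class CredentialBroker:
    """Toy model of per-request privileged password checkout (constructed)."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy   # user -> set of hosts that user may administer
        self.clock = clock     # injectable so expiry can be tested offline
        self.active = {}       # host -> (password, user, expires_at)
        self.audit = []        # append-only record of every request

    def _log(self, event, user, host):
        self.audit.append({"ts": self.clock(), "event": event,
                           "user": user, "host": host})

    def checkout(self, user, host, ttl_seconds):
        """Issue a fresh password for one host, valid for ttl_seconds."""
        if host not in self.policy.get(user, set()):
            self._log("denied", user, host)
            raise PermissionError(f"{user} is not authorized for {host}")
        entry = self.active.get(host)
        if entry and entry[2] > self.clock():
            self._log("denied_in_use", user, host)
            raise RuntimeError(f"{host} is already checked out to {entry[1]}")
        password = secrets.token_urlsafe(24)   # never reused across requests
        self.active[host] = (password, user, self.clock() + ttl_seconds)
        self._log("checkout", user, host)
        return password

    def verify(self, host, password):
        """True only for the current, unexpired password of that host."""
        entry = self.active.get(host)
        if entry is None:
            return False
        if self.clock() >= entry[2]:
            self.checkin(host, reason="expired")   # reset on expiry
            return False
        return secrets.compare_digest(entry[0], password)

    def checkin(self, host, reason="checkin"):
        """Task finished or time ran out: invalidate the issued password."""
        _, user, _ = self.active.pop(host)
        self._log(reason, user, host)
```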

By implementing solutions that limit and control administrative access rights, monitor user activity and have real-time logging and alerting capabilities, organizations can ensure that patient information has not been altered, compromised or stolen. This not only aligns with best practices approaches to data security, but it also demonstrates to auditors that the company has an access control infrastructure in place and therefore complies with HIPAA regulations.

Ellen Libenson is the vice president of product management at Symark Software in Agoura Hills, Calif.