Healthcare Informatics Magazine | Health IT | Information Technology

What Risk Do Privileged Users Pose to Healthcare Data Security?

August 26, 2016
by Heather Landi

Employees with the most access to high value information assets continue to be seen as a serious insider risk, according to a recent Ponemon Institute study, and healthcare organizations need to ensure their governance processes decrease the risk of privileged user abuse.

In the study, The 2016 Study on the Insecurity of Privileged Users, sponsored by Forcepoint, Ponemon Institute presents three years of research findings on how privileged users of information technology resources are often the riskiest employees. For the study, researchers surveyed 704 individuals with in-depth knowledge about how their organizations manage privileged users due to their access to their organizations’ IT networks, enterprise systems, applications and information assets. Of the respondents, 9 percent are from healthcare organizations. Privileged users include those in positions such as database administrators, network engineers, IT security practitioners and cloud custodians.

According to the findings of this study, these individuals often use their rights inappropriately and put their organizations’ sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and, even when it is not necessary for their work, will look at an organization’s most confidential information out of curiosity, the study authors wrote.

“While the study reveals companies are taking steps to manage the risk, the perception among those knowledgeable about access rights in their organizations is that the risk is either unchanged or increasing,” the study authors wrote. The study indicated that 91 percent of respondents believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months.

And the study authors noted that this finding is almost unchanged from five years ago when 86 percent of respondents were concerned about the threat. “Based on this finding, new solutions and governance processes are needed to decrease the risk of privileged user abuse,” the study authors wrote.

According to 79 percent of respondents, privileged access rights are required to complete their current job assignments. And 21 percent of respondents reported they do not need privileged access to do their jobs but have it, and cited two primary reasons. “First, everyone at his or her level has privileged access even if it is not required to perform a job assignment (43 percent of respondents). Second, the organization failed to revoke these rights when they changed their role and no longer needed access privileges (34 percent of respondents),” the study authors wrote of the survey findings.

The study findings uncovered 12 trends with regard to the risks created by the inability to control unauthorized access by privileged users.

When respondents were asked what factors will change their organizations’ approaches to access governance, 63 percent say it is the increasing number of regulations or industry mandates. However, privileged user abuse is becoming more influential in access governance processes. Thirty-two percent of respondents cited that as a factor in the latest survey compared to 19 percent in 2011.

According to the survey findings, it is becoming increasingly difficult to detect if insider behavior is a threat. “This is because security tools yield more data than can be reviewed in a timely fashion and behavior involved in the incident is consistent with the individual’s role and responsibility. Monitoring and reviewing of log files, SIEM and manual oversight are the primary steps taken to determine if an action taken by an insider is truly a threat,” the study authors wrote.

Forty-two percent of organizations represented in this study are correlating activity from multiple sources, such as trouble tickets and badge records, to determine risky privileged user behavior. More than half of the respondents, 57 percent, say their organizations do not have the capabilities to effectively monitor privileged user activities. Respondents cited a lack of resources, in-house expertise and technologies as barriers to correlating trouble tickets and badge records with privileged activity to minimize the privileged user risk.

There is a growing concern about the risk privileged users pose to data security, as increasingly, malicious insiders target privileged users to obtain their access rights, according to the study findings.

In 2011, only 21 percent of respondents said it would be likely that malicious insiders would use social engineering or other measures to obtain someone’s access rights. According to the 2016 survey, this concern has increased significantly, as 46 percent of respondents said it would be likely that malicious insiders would target privileged users’ access rights. In addition, the study authors noted, more respondents say it is likely that social engineers outside the organization target privileged users to obtain their access rights.

And the study findings indicate that the most common scenarios that create the insider threat have not changed since 2014. Of the respondents, 74 percent say privileged users believe they are empowered to access all the information they can view, 66 percent say privileged users access sensitive or confidential data because of curiosity and 58 percent say the organization assigns privileged access rights that go beyond the individual’s role or responsibility.

Malicious insiders are not the only employee-related risk to data security. As reported by Healthcare Informatics, a recent study by professors and research scientists from Dartmouth College, the University of Pennsylvania and the University of Southern California found that medical workers, nurses and physicians frequently work around cybersecurity controls in healthcare settings, which leaves healthcare organizations vulnerable to cyberattacks and data breaches. According to those study findings, clinicians do so because information security systems were often developed without sufficiently considering clinical workflow and health IT usability.

“The problem,” the researchers in the Dartmouth College study wrote, “is the workers who build, use and maintain the systems—often chief information or technology officers (CIOs/CTOs), chief medical informatics officers (CMIOs), sometimes cybersecurity experts, and often just IT personnel—did not sufficiently consider the actual clinical workflow.”

According to the recent Ponemon Institute study, companies are increasing their deployment of processes for granting privileged user access. The use of commercial off-the-shelf automated solutions increased from 35 percent of respondents in 2011 to 60 percent in 2016. Over the same period, the use of manual processes, such as requests by phone or email, also increased, from 22 percent to 36 percent of respondents.

And the study findings indicate that companies still struggle to keep pace with the number of access change requests that come in on a regular basis: the share of respondents reporting this problem rose from 53 percent in 2011 to 61 percent in 2016.

Among the respondents, information security is rarely responsible for insider threat programs. Instead, information technology and lines of business are most accountable for the reduction of insider threats.

As far as solutions to mitigate risk, companies are increasingly relying on background checks, with 63 percent of respondents saying their organizations perform thorough background checks before issuance of privileged credentials and 60 percent conduct regular privileged user training programs.

Thirty-seven percent of respondents say their organizations use identity and access control technologies to detect the sharing of system administration access rights or root level access rights by privileged users. This is an increase from 20 percent in 2011 and 33 percent in 2014.
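The two detection approaches the survey describes, correlating privileged actions with trouble tickets and badge records (discussed above) and spotting shared administrator accounts (this paragraph), can both be expressed as simple joins over three data sources. The script below is an added example written for this article, not code from the Ponemon study or from any vendor: the log format, ticket fields, badge events and all sample values are constructed for illustration, and real inputs would come from sudo or database audit logs, a ticketing system and a badge-reader export.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the study). The log format is a
# hypothetical "key=value" privileged-command record.
PRIV_LOG = """\
2016-08-22T09:12:03 account=dba1 src=10.1.2.3 host=db-prod-01 action=sudo
2016-08-22T02:40:10 account=dba1 src=10.1.2.3 host=db-prod-01 action=export_table
2016-08-22T09:15:00 account=neteng2 src=10.1.2.9 host=core-sw-01 action=config_write
2016-08-22T09:16:30 account=neteng2 src=10.7.7.7 host=core-sw-01 action=config_write
"""

# Change tickets: (ticket id, assignee, host, window start, window end)
TICKETS = [
    ("CHG-1001", "dba1", "db-prod-01", "2016-08-22T09:00:00", "2016-08-22T10:00:00"),
    ("CHG-1002", "neteng2", "core-sw-01", "2016-08-22T09:00:00", "2016-08-22T11:00:00"),
]

# Badge reader events: (timestamp, user, "in" or "out")
BADGE = [
    ("2016-08-21T17:30:00", "dba1", "out"),
    ("2016-08-22T08:45:00", "dba1", "in"),
    ("2016-08-22T08:50:00", "neteng2", "in"),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_priv_log(text):
    """Parse the constructed log format into dicts; 'ts' becomes a datetime."""
    actions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = ts(stamp)
        actions.append(rec)
    return actions


def ticket_for(action, tickets):
    """Return the id of a ticket that authorises this action, or None."""
    for tid, assignee, host, start, end in tickets:
        if (assignee == action["account"] and host == action["host"]
                and ts(start) <= action["ts"] <= ts(end)):
            return tid
    return None


def badged_in(user, at, badge_events):
    """True if the user's most recent badge event before 'at' was an entry."""
    state = None
    for stamp, who, event in sorted(badge_events):  # ISO stamps sort as text
        if who == user and ts(stamp) <= at:
            state = event
    return state == "in"


def shared_account_pairs(actions, window=timedelta(minutes=5)):
    """Index pairs where one account is used from two source IPs within
    'window' of each other: a signal that a credential is being shared."""
    pairs = []
    for i, a in enumerate(actions):
        for j in range(i + 1, len(actions)):
            b = actions[j]
            if (a["account"] == b["account"] and a["src"] != b["src"]
                    and abs(a["ts"] - b["ts"]) <= window):
                pairs.append((i, j))
    return pairs


def review(log_text, tickets, badge_events):
    """Correlate each privileged action with tickets and badge records.
    Returns (log line number, account, sorted flags) for actions to examine."""
    actions = parse_priv_log(log_text)
    flags = {i: set() for i in range(len(actions))}
    for i, a in enumerate(actions):
        if ticket_for(a, tickets) is None:
            flags[i].add("no_ticket")
        if not badged_in(a["account"], a["ts"], badge_events):
            flags[i].add("not_badged_in")
    for i, j in shared_account_pairs(actions):
        flags[i].add("shared_account")
        flags[j].add("shared_account")
    return [(i + 1, actions[i]["account"], sorted(flags[i]))
            for i in range(len(actions)) if flags[i]]


if __name__ == "__main__":
    for line_no, account, fl in review(PRIV_LOG, TICKETS, BADGE):
        print(f"line {line_no} account={account} flags={','.join(fl)}")
```

On the sample data, the 02:40 table export by dba1 is flagged because no change ticket covers it and the badge system last saw that user leaving the building; the two neteng2 writes are flagged because the same account appears from two source addresses ninety seconds apart. Neither flag is proof of abuse, which is the point the survey makes about behavior that looks consistent with a role: the correlation narrows what a reviewer must read rather than deciding the case.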

According to respondents, a lack of visibility continues to hinder the ability to determine if users are complying with policies. “The study findings reveal that 39 percent of respondents are not confident that they have the enterprise-wide visibility for privileged user access and can determine if users are compliant with policies. Only 18 percent are very confident that they have this visibility,” the study authors wrote.

The study also examined how companies are allocating resources to reduce insider threat. “Forty-four percent of respondents say they have a budget specifically allocated for investment in enabling technologies to reduce the insider threat but a similar percentage (41 percent) say their organizations do not have one. An average of 10 percent of the overall IT budget is allocated to insider threat technology investments,” the study authors wrote.

The study authors concluded that organizations need to consider solutions and governance processes that will decrease the risk of privileged user abuse.



Health Data Breach on Healthcare.gov Portal Impacts 75K People

October 23, 2018
by Heather Landi, Associate Editor

The Centers for Medicare & Medicaid Services’ (CMS) direct enrollment pathway for agents and brokers suffered a cyber attack last week, and the hackers accessed the files of approximately 75,000 individuals, according to a news release issued by CMS last Friday.

CMS officials said that earlier last week, CMS staff detected anomalous activity in the Federally Facilitated Exchanges’ (FFE) Direct Enrollment pathway for agents and brokers, which is a HealthCare.gov portal. The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for coverage in the FFE.

CMS confirmed that the hacking attack only affected the portal, and the direct HealthCare.gov website remains unaffected.

CMS believes approximately 75,000 individuals’ files were accessed. “While this is a small fraction of consumer records present on the FFE, any breach of our system is unacceptable,” CMS officials said.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” CMS Administrator Seema Verma said in a statement. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”

CMS followed standard and appropriate security and risk protocols for researching and reporting the incident, the agency said. Upon verification of the breach, CMS took immediate steps to secure the system and consumer information, further investigate the incident, and subsequently notify federal law enforcement. CMS is actively engaged in and committed to helping those potentially impacted as well as ensuring the protection of consumer information, the agency said.

CMS began the initial investigation of anomalous system activity in the Direct Enrollment pathway for agents and brokers on October 13, 2018 and a breach was declared on October 16, 2018. The agent and broker accounts that were associated with the anomalous activity were deactivated, and – out of an abundance of caution – the Direct Enrollment pathway for agents and brokers was disabled.

“We are working to address the issue, implement additional security measures, and restore the Direct Enrollment pathway for agents and brokers within the next 7 days,” CMS said on Friday.

The tool through which the breach occurred is only available through the currently-disabled Direct Enrollment pathway for agents and brokers. As a result, the remaining FFE enrollment channels, including HealthCare.gov and the Marketplace Call Center, remain operational.

“It is important to note that CMS is in the beginning stages of the assessment of this breach. This is an evolving situation and we will continue to provide additional information,” CMS officials said.




FDA Releases Draft Premarket Cybersecurity Guidance for Medical Device Manufacturers

October 19, 2018
by Heather Landi, Associate Editor

The Food and Drug Administration (FDA) has released draft guidance to the healthcare industry that updates cybersecurity recommendations for medical device manufacturers with the aim of addressing vulnerabilities and evolving cybersecurity threats.

The draft premarket cybersecurity guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, identifies issues related to cybersecurity that manufacturers should address in the design and development of medical devices to ensure better protection of devices against cybersecurity threats that could interrupt clinical operations and delay patient care.

The new guidance is intended to provide recommendations to the medical device industry regarding device design, labeling, and the documentation the FDA recommends be included in premarket submissions for devices vulnerable to cybersecurity threats. The recommendations build on the framework that the FDA created in its 2014 guidance for manufacturers.

According to the FDA, these updated recommendations also will facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market.

“Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” FDA Commissioner Scott Gottlieb, M.D., said in a statement. “The FDA has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders. In this way, we can help ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate.”

“Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system,” Gottlieb said in his statement, noting that the rapidly evolving nature of cyber threats necessitated an updated approach “to make sure [the guidance] reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices.”

“This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” Gottlieb said.

As part of its focus on strengthening medical device cybersecurity, the FDA also announced this week an agreement with the Department of Homeland Security to increase collaboration on medical device security. The agreement, between the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications, is meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. Such collaboration can lead to more timely and better responses to potential threats to patient safety, the agencies said.

“Our strengthened partnership with DHS will help our two agencies share information and better collaborate to stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities and assist the health care sector in being well positioned to proactively respond when cyber vulnerabilities are identified. This agreement demonstrates our commitment to confronting cybersecurity risks and the unscrupulous cybercriminals who may seek to put patient lives at risk,” Gottlieb said in a statement about the partnership.

With regard to the draft guidance issued this week, it incorporates new recommendations, including a “cybersecurity bill of materials,” which is a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device users are able to respond quickly to potential threats, the FDA said.

The draft guidance also introduces two tiers of devices, based on the potential harm to patients from cybersecurity threats: those with higher cybersecurity risk, including implanted devices such as pacemakers or neurostimulation devices, and those with standard cybersecurity risk, a tier that includes other devices containing software. The draft guidance outlines the documentation for inclusion in a premarket submission to the agency to demonstrate that the design of the medical device has adequately mitigated risk.

The FDA will hold a public workshop Jan. 29-30 to discuss the newly released draft guidance.




GUEST BLOG: The Cybersecurity Shortage: Closing the Gap

October 17, 2018
by Mac McMillan, Industry Voice
The gap between the level of cybersecurity preparation that should exist in the current environment, and the reality, is both troubling and in need of closer examination.

We are by all estimates well over a million cybersecurity professionals short of what we need and racing towards an even bigger shortage in the decade to come.  Current approaches are not likely to produce the number of cyber warriors we are going to need to close this gap.  Not for want of good intention, but I believe we won’t achieve our intended goal, because the environment has changed and if we don’t recognize this change we may never catch up.  There are multiple factors affecting this paradigm shift, but the biggest of them all is the rapidly evolving nature of technology that is moving at lightning speeds and the associated exponential growth in threat produced as a byproduct. 

Closely related is what this means for the rapidly expanding competency that cybersecurity professionals will have to possess just to be effective in the future. We have known for decades that cybersecurity is a dynamically changing field affected by changes in the physical environment, changes in technology, the evolving nature of threat and the operational impacts of users. The enterprise is never static, and every change presents new opportunities and new risks. If we take healthcare as one example of this, just the past two decades have witnessed amazing changes in technology adoption, the rise of hyperconnectivity, the increase in the sophistication and frequency of attacks and the endless application of technology to operations, simple and complex. This will move even faster in the future as technologists are already talking about faster processing speeds, quantum computing, artificial intelligence, etc., making it harder and harder for those who have to secure the enterprise to do that.

In fact, today’s cybersecurity professionals have to be as diverse as the thing they are trying to secure, meaning many different cyberwarriors with very different specializations: analysts, administrators, engineers, program experts, threat hunters, monitors, architects, etc., making it all the more impossible for current approaches to succeed. The supply is not going to catch up with the demand one cyberwarrior at a time. That ship has sailed. All the college programs in the land, although important, are not going to get us there. You cannot create a cyberwarrior army large enough, fast enough to solve this problem. We need a different approach.

In today’s and tomorrow’s information technology environment, everyone who uses a computer will need basic cybersecurity skills, and everyone who works in IT will need specific job-related cybersecurity knowledge and we need both general and specialized cybersecurity professionals.  Individuals who write code should know how to do so with security in mind.  Database developers and administrators should understand the threats associated with what they are doing and how to avoid them.  System engineers should understand network security principles and how to apply them to what they do.  And on and on.  Information system designers, developers, manufacturers, consumers and users need to accept and embrace this basic requirement.  Curriculums from the earliest stage where information technology is introduced should include cybersecurity training.  Curriculums in career fields where information technology will be critical to accomplishing that skill should include cybersecurity training.  No information technology degree should be achievable without cybersecurity as part of the curriculum.  We should promote greater professionalization of the cybersecurity field to define specific career paths from the very specialized to the general practitioner to the strategist to ensure not only the expertise needed at the tactical level, but the professionals with the breadth and scope of knowledge and experience needed at the higher levels of responsibility to lead and develop effective cybersecurity strategies and programs. 

The gap between the good guys and the bad guys is growing, because we are still trying to solve the problem in the same antiquated way, one cyberwarrior at a time. There is zero unemployment in the field right now, and many of the people filling cybersecurity roles today are only marginally competent, because not only does it take education in multiple disciplines to become knowledgeable in the field, it takes experience, which can only be attained in time. We are never going to be successful following the path we’re on today. We need to recognize the paradigm shift that has occurred and embrace the new reality. Everyone who deals with information technology has to be part cyberwarrior. Everyone has the responsibility to understand basic computer security skills and the cyber threats that can keep them from accomplishing their mission. In the military we call this awareness of risk operational security, and every soldier, sailor, airman and Marine from top to bottom is charged with understanding operational risks so they can mitigate them regardless of their job specialty.

Some organizations are beginning to realize this new reality and are taking steps to change how they approach educating the workforce of the future. One such organization is the University of Texas, which I had the pleasure of supporting recently, and which is building a new graduate certificate program within its healthcare curriculum to train members of the workforce to move into healthcare, particularly former veterans. What is unique about this curriculum is that they have integrated cybersecurity knowledge so that graduates of this program not only prepare themselves for a career in healthcare by learning practical skills, but they learn about where cybersecurity is important and why they need to understand it to be successful. Their lab environment is unique in that it replicates the hospital experience (admissions, ER, the smart patient room, OR, radiology, pharmacy, etc.), and in each lab cybersecurity will be taught along with the information technology associated with those environments as well as the cyber threats that affect both privacy and security there. A curriculum that teaches not only the practical skills needed to work in healthcare, but how to protect patient data and operations. The program has included several experienced healthcare CISOs as contributing staff lending real world expertise to what they are building. These are the type of visionary programs we need more of if we are going to close this gap in cybersecurity skills.

Mac McMillan is president and CEO of the Austin, Texas-based CynergisTek consulting firm.

