Privileged access controls essential to healthcare security strategy
Recent healthcare data breaches in which hackers got in through administrator credentials highlight the need for privileged access management, Sudhakar Gummadi, chief information security officer at California-based Molina Healthcare, says in an interview at HealthcareInfoSecurity.
Privileged access, which IT workers use to do their jobs of building and maintaining the infrastructure, essentially gives them the keys to the kingdom. These days, though, it doesn't make sense to offer them 24/7 privileged access, Gummadi says.
While encryption and other tactics are worth having as part of a defense-in-depth strategy, it's critical to have controls for privileged-access management, he says.
"A database administrator or an Active Directory domain administrator having full access was OK a few years back. But now, due to the whole threat landscape, that's changed. So we need to have the controls in place ... on the endpoint, the servers, infrastructure, firewalls, the routers," he says.
While there are technologies that can help manage privileged access, adopting them can be a culture shift for many organizations.
"You'll have an IT administrator who will say, 'I've been doing this for 20 years? Why should I have to check in and check out? Why should I request access to do my job?' I tell them that 10 years or 20 years back, the security landscape was different. … We need to have the tool in place and make sure the IT personnel understand [the need for it]," he says.
Inadequate access controls have been cited in the aftermath of both the Premera and Anthem hacks. In addition, a recent Government Accountability Office report listed inadequate access controls as one of the ongoing cybersecurity problems at the Department of Veterans Affairs and other federal agencies.