IT hacking is an ever-growing issue in the healthcare industry, with 2020 being one of the biggest years for cybersecurity attacks to date. COVID-19 played a large role in the uptick in attacks as many threats targeted remote workers and the fears surrounding the ongoing pandemic. The largest known breach of 2020, Blackbaud, was estimated to have affected at least two dozen providers and over 10 million patients.1 This breach was noted to have been caused by unauthorized access to a system that allowed hackers to extract PII.
A common theme in cyber attacks is attackers obtaining access to systems through an authorized user’s account via email phishing. The access then goes undetected, allowing intruders to extract information for months at a time. If unauthorized access is one main method hackers use to extract information, the first line of defense is to review user access on a consistent basis.
Organizations with user access review processes in place have better vision on whether an employee’s system access is appropriate or unnecessary, limiting the number of avenues cyberattackers can utilize.
There are four employee types to be reviewed during user access reviews to ensure all areas of the organization are protected: current employees, new employees, non-employees (e.g. consultants), and terminated employees.
For current employees, reviewing system access on a regular basis ensures they have access to the systems they need. A key element of user access reviews is ensuring that the minimal amount of access is given to an employee in order to perform their job function. Limiting access to only the necessary systems provides stronger protection to data.
The idea of minimal necessary access carries over to new employees and the process for provisioning their access. Outlining the necessary systems required for their role in the beginning, and only provisioning access to those systems, is optimal to minimize risk; if more access is needed, it can be given when that time comes.
Non-employees are people who do some sort of work within an organization but are not employed. These can be researchers, contractors, consultants, freelancers, subcontractors, etc. While they are providing services for an organization, non-employees require access to systems and information, but their access privileges need to be monitored to ensure they only have access to systems for the period of time they are working.
Lastly, there is a rising issue of terminated employees inappropriately accessing sensitive systems because their access rights were never deprovisioned. Processes should be configured to remove terminated employees’ access across all systems, rather than limiting deprovisioning to the main activity directory system.
In 2020, a former employee of Cisco accessed a protected computer and deleted 456 virtual machines, costing the company $2.4 million dollars to rectify.2 Reviewing all terminated employees’ access to ensure their access has been revoked correctly is an important final step in protecting against cyber attacks.
Unfortunately, and perhaps surprisingly, correctly revoking all access for an employee remains difficult in modern organizations due to a number of reasons including human error, the large numbers of systems that are deployed within organizations, and a lack of visibility of all accounts within those systems. Moreover, manual processes that require managers to remember to manually request each account is deprovisioned are likely to result in gaps and potential vulnerabilities.
The review of all current and former users’ access rights is an ongoing process as people come and go, get promoted or move departments. To minimize organizational risk, IT teams should conduct quarterly access reviews (at least) so only the necessary system access is granted to employees, and terminated users have had all their access privileges revoked. Moreover, automated processes and tools should be configured to provide managers visibility to all accounts in an organization so they can easily be deprovisioned, without having to remember each step.
IT hackers continue to go after healthcare organizations. Data protection starts with user access reviews to quickly identify and remove any unnecessary access, which will limit the avenues for attackers to exploit. Implementing processes to conduct regular and complete user access reviews can put healthcare organizations in a better position to catch and mitigate risk from cyberattacks.