IAM in Healthcare
It was perhaps no coincidence that amongst the first victims of the WannaCry ransomware were NHS hospitals in the UK. In addition to the presence of specialist equipment whose applications are not always compatible with the latest operating system patches, healthcare networks are designed to provide availability. As such, even sensitive data are often left unencrypted, including at rest. Whilst this aids resource access by clinicians, particularly at the point of treatment, the design has been shown to be wilfully inadequate in a hyper-connected world.
A security benchmark by the Ponemon Institute showed that almost 90% of surveyed healthcare organisations experienced an information security breach. More worryingly, 45% had five or more such events. This suggests attacks often appear in successive phases. With continued digitisation, the pressure on healthcare environments will not abate.
Successful breaches will invariably affect any organisation’s reputation. Being a highly-regulated sector, confirmed data breaches could subject healthcare organisations to other legal and regulatory liabilities, including financial penalties. There is no silver bullet; a good security posture will involve data classification, layered controls, cultural change and mature breach compensating strategies. Complete protection against breaches is not a realistic expectation. However, it is possible to include additional controls for access to resources and reduce the time between a breach and its detection, thus limiting the damage.
To aid event detection, logging and network monitoring toolkits such as Security Information and Event Management (SIEM) systems have increased visibility of event information within the organisation's infrastructure. In the most recent attack, once inside the network, perpetrators were able to access resources and data rapidly. Thus a system which is able to detect and respond to unauthorised resource access could limit the damage. Identity and Access Management (IAM) is precisely such a tool. Already successfully applied in other highly-regulated industries, its core strengths of centralised information analysis and automated corporate policy enforcement could have limited the effects of the most recent cyber-attacks. In environments which experience a large number of successful cyber-attacks and repeated breaches, IAM could be an important defensive tool in the armoury.
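The two IAM strengths named above, centralised analysis of access events and automated policy enforcement, can be illustrated with a small detector. The following Python is an added example and is not code from the article or from any product; the role policy, the log line format and the log entries (including a compromised service account reading records in bulk) are all constructed for illustration. It applies a deny-by-default role policy to each access event and, separately, flags an account that touches many distinct resources in a short window even when every individual access was permitted, which is the "rapid access to resources" pattern the paragraph describes, and it reports how long the burst ran before it was detected.

```python
"""Toy IAM policy check over a constructed access log (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role-based policy: role -> resource type -> allowed actions.
# Anything not listed here is denied (deny by default).
POLICY = {
    "clinician":    {"patient_record": {"read", "write"}, "imaging": {"read"}},
    "radiographer": {"imaging": {"read", "write"}},
    "billing":      {"invoice": {"read", "write"}, "patient_record": {"read"}},
}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    resource_type: str
    resource_id: str
    action: str


def parse_event(line: str) -> AccessEvent:
    """Parse one constructed log line of the form ts|user|role|type/id|action."""
    ts, user, role, resource, action = line.strip().split("|")
    rtype, rid = resource.split("/", 1)
    return AccessEvent(datetime.fromisoformat(ts), user, role, rtype, rid, action)


def is_authorised(ev: AccessEvent) -> bool:
    """True only if the role's policy explicitly allows this action on this resource type."""
    return ev.action in POLICY.get(ev.role, {}).get(ev.resource_type, set())


def analyse(lines, burst_window=timedelta(minutes=5), burst_threshold=20):
    """Return a chronologically ordered list of alert dicts.

    policy_violation: the access is outside the role's policy.
    burst: one user touched burst_threshold distinct resources within burst_window,
           raised once per user; lag_seconds is how long the burst ran before detection.
    """
    events = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    alerts, recent, burst_flagged = [], {}, set()
    for ev in events:
        if not is_authorised(ev):
            alerts.append({"type": "policy_violation", "ts": ev.ts, "user": ev.user,
                           "detail": f"{ev.role} may not {ev.action} "
                                     f"{ev.resource_type}/{ev.resource_id}"})
        # Sliding window of (timestamp, resource) per user, trimmed to burst_window.
        window = [(t, r) for t, r in recent.get(ev.user, []) if ev.ts - t <= burst_window]
        window.append((ev.ts, f"{ev.resource_type}/{ev.resource_id}"))
        recent[ev.user] = window
        distinct = {r for _, r in window}
        if ev.user not in burst_flagged and len(distinct) >= burst_threshold:
            burst_flagged.add(ev.user)
            alerts.append({"type": "burst", "ts": ev.ts, "user": ev.user,
                           "lag_seconds": (ev.ts - window[0][0]).total_seconds(),
                           "detail": f"{len(distinct)} distinct resources within {burst_window}"})
    return alerts


# Constructed sample log. The svc-report entries model a compromised service account
# reading 30 patient records in two minutes: each read is allowed for the billing
# role, so only the burst check catches it.
SAMPLE_LOG = [
    "2017-05-12T08:00:00|dr.ng|clinician|patient_record/P1001|read",
    "2017-05-12T08:02:10|dr.ng|clinician|imaging/IMG-77|read",
    "2017-05-12T08:05:00|j.smith|billing|invoice/INV-40|read",
    "2017-05-12T08:06:30|j.smith|billing|patient_record/P1001|write",    # not permitted
    "2017-05-12T08:07:00|t.cole|radiographer|patient_record/P1002|read",  # not permitted
] + [
    f"2017-05-12T09:{i // 15:02d}:{(i * 4) % 60:02d}|svc-report|billing|patient_record/P{2000 + i}|read"
    for i in range(30)
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["type"], alert["user"], alert["detail"])
```

In practice the policy would come from the IAM directory and the events from the SIEM feed, but the shape of the check is the same: a deny-by-default decision per event, plus behavioural thresholds for accounts whose individual accesses are each legitimate. The burst threshold and window here are arbitrary constructed values; a real deployment would tune them per role, since a ward clinician and a reporting service have very different normal access rates.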
Dr Wendy Ng, CISSP, CCNP; 22nd May 2017