Prescribing better access governance for healthcare in today’s age of attack

Published: 8-Oct-2024

Gregg Hardie from SailPoint discusses the ransomware attack that occurred in June that severely disrupted healthcare services across the UK’s capital

The healthcare industry is no stranger to cyber threats. Seven years on from WannaCry, another major ransomware attack in June severely disrupted healthcare services across London.

The founding CEO of the UK’s National Cyber Security Centre has since warned that ransomware attacks on healthcare are a ‘major global problem’, and that the NHS remains vulnerable to further targeting by cybercriminals unless it takes stringent steps to update its computer systems. 

Healthcare is a prime target for cybercrime given its aging IT infrastructure and the amount of confidential data it stores.


Many healthcare companies are also viewed as an ‘easy ride-in’ to sensitive databases due to their complex webs of access needs and increased reliance on non-employee identities like travel nurses, contracted physicians, medical students, and contractors.

This can make it easier for malicious actors to hack and exploit these identities if they are not protected in the same way as permanent staff. 

As 93% of healthcare organisations globally have experienced an identity-related security breach in recent years, Gregg Hardie, Public Sector Director at SailPoint, explores how the healthcare sector can better combat its cyber security challenges.

The healthcare system’s identity explosion

The NHS alone currently employs 1.5 million people, yet only 1.3 million of those people work on a full-time basis. Whilst non-employee identities are vital in the healthcare industry to plug resourcing gaps and fill staff shortages, this growing reliance on third-party labour has simultaneously introduced new security challenges and risks.

Without the proper visibility over who is moving in and out of internal networks, healthcare organisations risk leaving themselves vulnerable in the face of attack.

One of the key risks associated with the volume of identities working within internal healthcare systems is the potential for unauthorised access to confidential patient data.


Without proper management of identities, both employee and non-employee accounts could be over-provisioned.

This means users are granted too much access to systems and files beyond what their roles and responsibilities should allow, increasing the number of potential entry points for cybercriminals seeking to exploit vulnerabilities in a company's security infrastructure.

With little oversight over third-party non-employees especially, this lack of visibility could make a breach far more likely.  

Administering more stringent access controls

One of the biggest issues that sets the healthcare industry apart when it comes to managing non-employee identities is the sector’s use of legacy technology and manual processes.

The healthcare sector frequently works with students and medical schools to teach the doctors, nurses, and physicians of tomorrow.

However, this makes the industry more prone to receiving student information as unstructured data – information hidden within spreadsheets and emails, which requires a significant amount of manual effort to process.

This risks opening up a can of worms, as non-employee data isn’t being regularly monitored and updated, leading to a build-up of unauthorised access. 

These spreadsheets can lie dormant for months at a time, giving organisations no indication of when non-employees leave the company, or if their role changes.


This means that access privileges are not removed when an employee moves on or changes roles – increasing the risk of compromised access or a data leak.

Managing non-employees and their access separately from the access needs of the rest of the business can open additional areas of risk.

To prevent a potential compromise, companies need to manage both types of identities - employees and non-employees alike - in a centralised way, so that they have clear and holistic visibility across all identities and their access.


Non-employee risk management processes allow organisations to execute risk-based identity access and lifecycle strategies for third-party non-employees.

This enables healthcare companies to implement more stringent access controls to reduce the risk of unauthorised access - granting access permissions to contract workers on a “need-to-know” basis only. By doing this, companies can untangle this complex web of access and increase visibility over who has access to their patient data and where it is being shared.  
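The lifecycle problems described above (a contract that has ended but whose account still holds access, a role change whose old entitlements were never revoked, access beyond what a role needs, and roster rows nobody has re-attested) can be surfaced by reconciling a non-employee roster against the entitlements actually granted. The following is an added example written for this page, not SailPoint's code or product; the roster rows, role names, `ehr:*` and `db:*` entitlement identifiers and the 90-day review interval are all constructed assumptions.

```python
# Added example (not SailPoint's code): reconcile a non-employee roster against
# granted entitlements and flag leaver, mover, over-provisioning, orphaned and
# stale-review conditions. Roster rows, roles and entitlement names below are
# constructed for the example; "ehr:*" and "db:*" are hypothetical identifiers.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Need-to-know baseline per role: the only entitlements a holder of that role
# should carry. Hypothetical roles and entitlement names.
ROLE_BASELINE: dict[str, frozenset[str]] = {
    "medical_student": frozenset({"ehr:read"}),
    "travel_nurse": frozenset({"ehr:read", "ehr:write-notes"}),
    "contracted_physician": frozenset({"ehr:read", "ehr:write-notes", "ehr:prescribe"}),
    "contractor_dba": frozenset({"db:admin"}),
}

REVIEW_INTERVAL = timedelta(days=90)  # assumption: roster rows are re-attested quarterly


@dataclass(frozen=True)
class Identity:
    user_id: str
    kind: str                  # "employee" or "non-employee"
    role: str
    previous_role: str | None  # set when the person has moved roles
    end_date: date | None      # contract end; None for open-ended
    last_reviewed: date        # when this roster row was last attested


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str                 # leaver | mover | over-provisioned | orphaned | stale-review
    entitlements: frozenset[str]


def reconcile(identities: list[Identity], grants: dict[str, set[str]], today: date) -> list[Finding]:
    """Compare what each identity holds against what its lifecycle state allows."""
    findings: list[Finding] = []
    for ident in identities:
        held = frozenset(grants.get(ident.user_id, set()))
        # Leaver: the contract has ended but the account still has access.
        if ident.end_date is not None and ident.end_date < today and held:
            findings.append(Finding(ident.user_id, "leaver", held))
            continue
        # Roster row nobody has attested recently: no evidence it is still accurate.
        if today - ident.last_reviewed > REVIEW_INTERVAL:
            findings.append(Finding(ident.user_id, "stale-review", held))
        excess = held - ROLE_BASELINE.get(ident.role, frozenset())
        if not excess:
            continue
        # Mover: every excess entitlement belonged to the previous role, so it is
        # leftover access that the role change should have revoked.
        old = ROLE_BASELINE.get(ident.previous_role or "", frozenset())
        issue = "mover" if ident.previous_role and excess <= old else "over-provisioned"
        findings.append(Finding(ident.user_id, issue, excess))
    # Orphaned: access exists for an account that is not on the roster at all.
    on_roster = {i.user_id for i in identities}
    for user_id, held in grants.items():
        if user_id not in on_roster and held:
            findings.append(Finding(user_id, "orphaned", frozenset(held)))
    return findings


def demo_findings() -> dict[str, list[str]]:
    """Run the reconciliation over a constructed roster; return issues per user."""
    today = date(2024, 10, 8)
    roster = [
        # Contract ended in August, account still carries EHR access.
        Identity("tn-0412", "non-employee", "travel_nurse", None, date(2024, 8, 31), date(2024, 6, 1)),
        # Moved from contractor DBA to physician; db:admin was never removed.
        Identity("cp-0077", "non-employee", "contracted_physician", "contractor_dba", date(2025, 3, 31), date(2024, 9, 15)),
        # Student holding only the read baseline, reviewed recently: clean.
        Identity("ms-1101", "non-employee", "medical_student", None, date(2025, 6, 30), date(2024, 9, 30)),
        # Student holding prescribe rights that no role change explains, not reviewed since April.
        Identity("ms-1102", "non-employee", "medical_student", None, date(2025, 6, 30), date(2024, 4, 1)),
    ]
    grants = {
        "tn-0412": {"ehr:read", "ehr:write-notes"},
        "cp-0077": {"ehr:read", "ehr:write-notes", "ehr:prescribe", "db:admin"},
        "ms-1101": {"ehr:read"},
        "ms-1102": {"ehr:read", "ehr:prescribe"},
        "ctr-9999": {"db:admin"},  # constructed: no roster row at all
    }
    out: dict[str, list[str]] = {}
    for f in reconcile(roster, grants, today):
        out.setdefault(f.user_id, []).append(f.issue)
    return out


if __name__ == "__main__":
    for user, issues in demo_findings().items():
        print(user, issues)
```

The point of the design is that the roster and the grant list are kept as separate inputs and reconciled on a schedule, rather than trusting a spreadsheet that was accurate when it was last edited: a leaver is detected from the contract end date regardless of whether anyone remembered to deprovision, and a mover is distinguished from plain over-provisioning by checking whether the excess access matches the previous role's baseline.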

A healthy dose of visibility 

Keeping track of employees and non-employees effectively means ensuring that these identities are managed centrally and intelligently.

With AI at the core of a unified identity security solution, organisations can quickly analyse vast amounts of data to detect patterns indicative of potential threats. 


Technology such as this is vital in allowing organisations to see, manage, control, and secure all variations of identity.

Whether it’s a malicious cybercriminal trying to gain access to sensitive data, or an innocent employee or third party accidentally clicking on a deceiving link, businesses can respond more quickly to shut down any risk that could result in a data breach. 

The importance of identity security in the healthcare sector cannot be overlooked. In today's digital age, technology and processes that offer organisations complete visibility over who is entering their systems, whether a permanent employee or a third party, will be crucial to help protect healthcare organisations from cybercrime.
