The Lockdown

Thycotic’s Cyber Security Blog

The First Line of Defense – Passwords

Written by Thycotic Team

January 14th, 2015

The IT security stakes are high for the healthcare industry: HIPAA violations and fines, criminal charges, and tainted brand reputations await healthcare organizations that fail to protect patient data from threats both inside and outside the organization.

Why Healthcare is Being Targeted

A large amount of personally identifiable information (PII) is stored in healthcare networks. Social security numbers, dates of birth, and payment information are the big targets for hackers. Those with access to this information can post it on underground hacker sites, where it reaches people looking for victims for their fraud scams. Court documents state that Joshua Hippler, a hospital employee in east Texas who had access to such information, pled guilty in August 2014 to “Wrongful disclosure of individual identifiable health information, with the intent to sell, transfer, and use for personal gain.” Hippler was not a hacker. He merely had access to information that he knew could make him some extra money if sold to people who had a use for it. This underlines the fact that healthcare organizations are at least as vulnerable to attacks from the inside as to attacks from the outside.

Access Control

Long, complex passwords that are changed regularly are important, but a properly configured access control system is even more important. Whether on healthcare-related applications or the operating system, users should not have read/write access to files they don’t need in order to perform their job functions. Many modern access control systems are role-based, meaning that individual user accounts are assigned roles based on job functions and obtain the permissions outlined by each role. Changes to a role affect all users who have that role assigned to them, so roles are an easy way to see who has what privileges. Privilege management is the most effective deterrent to threats inside the network, whether from those who have already compromised it or from those attacking from the inside. Be sure to periodically delete user accounts and roles that are not being used, and perform routine verification to ensure each user’s access is still necessary. Sometimes users need higher levels of access for a short period, which can open vulnerabilities if that access is not removed once the work is finished. Of course, always remove an employee’s access immediately when they leave the company.

Educate Employees and Keep Audit Records

The healthcare industry often uses portable devices to transfer patient data. With this in mind, it becomes critical to encrypt the data on portable devices and to educate employees on the risk of leaving portable devices unattended. Employees also need to understand the importance of not intentionally sharing patient data with anyone who doesn’t need it. Education will help reduce the number of accidental data leaks caused by employee negligence, but many risks remain every day. For this reason, it’s important to have a strong auditing system that can prove which users had access to which data at a specific time. This will help administrators monitor users’ actions and changes in permissions and, if worst comes to worst, narrow down the source of a data breach to an individual or group who had access to the data.
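The role-based review and the audit question described above (who had access to which data at a specific time) can be answered by replaying a log of role grants and revocations. The following is an added example, not code from the original post; the users, roles, resources, log format and function names are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (hypothetical users, roles and resources).
ROLE_PERMS = {
    "nurse": {"patient_chart"},
    "billing_clerk": {"payment_info"},
    "records_admin": {"patient_chart", "payment_info", "ssn"},
}
# Append-only audit log: (time, action, user, role, planned_end).
# planned_end marks temporary elevation; it is a reminder, not enforcement.
AUDIT_LOG = [
    ("2015-01-02T08:00", "grant", "alice", "nurse", None),
    ("2015-01-03T09:00", "grant", "bob", "billing_clerk", None),
    ("2015-01-05T10:00", "grant", "bob", "records_admin", "2015-01-06T10:00"),
    ("2015-01-07T12:00", "grant", "carol", "records_admin", None),
    ("2015-01-09T17:00", "revoke", "carol", "records_admin", None),
]

def assignments_at(log, at):
    """Replay grant/revoke events up to `at`; return {(user, role): planned_end}."""
    active = {}
    for ts, action, user, role, end in sorted(log, key=lambda e: e[0]):
        if datetime.fromisoformat(ts) > at:
            break
        if action == "grant":
            active[(user, role)] = datetime.fromisoformat(end) if end else None
        elif action == "revoke":
            active.pop((user, role), None)
    return active

def who_had_access(log, resource, at):
    """Users holding any role that included `resource` at time `at`."""
    held = assignments_at(log, at)
    return sorted({u for (u, r) in held if resource in ROLE_PERMS.get(r, ())})

def overdue_temporary_grants(log, now):
    """Temporary grants past their planned end with no revoke logged."""
    held = assignments_at(log, now)
    return sorted(k for k, end in held.items() if end and end < now)

if __name__ == "__main__":
    print(who_had_access(AUDIT_LOG, "ssn", datetime(2015, 1, 8)))
    print(overdue_temporary_grants(AUDIT_LOG, datetime(2015, 1, 10)))
```

In this constructed log, bob's short-term elevation was never revoked, so he still appears among the users with access to social security numbers after the work was due to finish.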

Security is an Active Effort

There is no practice, application, or device that will secure an infrastructure completely without effort and proper behavior from employees. All employees contribute to the security of the company, for better or for worse. Healthcare companies need to educate their employees, encrypt and store data in secure locations, and audit all records in order to do their part to protect the sensitive data of their patients.

 
