What are healthcare organizations doing to secure network access and the data within?
We’ve covered training, and some of the people related processes that are requirements of healthcare industry compliance as well as being good security practice. The other side to this however, is technology.
As humans are (unfortunately) fallible, they cannot be relied upon fully. Meaning it is technology’s place to fill the gaps wherever possible, minimising the risks and decreasing the surface area vulnerable to attack.
A bare basic requirement for all security policies, and one that is stipulated in the terms of HIPAA as well as across the NHS, is that user actions must be identifiable to an individual.
There are multiple levels at which this must, or should, be implemented.
Unique user logins
The first is user logins – if users are not even required to login to the network, then there is no hope of them being identifiable. Quite aside from the issue of user identification, this obviously leaves access wide open to attackers. And alarmingly, this is the case among 22% of US healthcare organisations, and more than a third (36%) in the UK.
Beyond this most basic of requirements is a (still very basic) further requirement, in that each user on the network should have a unique ID. Sharing logins naturally obfuscates user identification, meaning you cannot possibly confirm who has access to what files or folders, not to mention when or where from. Nearly a third of US healthcare workers (30%), and 44% in the UK, do not have a unique ID to log on to their employer’s network.
Logoff and on procedure
We’ve mentioned human fallibility and how we tend to make mistakes, especially when we’re in a hurry – say to get out the door and go home at the end of the day, or to get to our next meeting. Which is why logoff procedure should not be left to the user. This is an ‘addressable’ requirement of HIPAA, and a stipulation of NHS Scotland’s security policy, however 48% of US and just 28% of UK healthcare wokers are automatically logged off their network after a set period of inactivity.
To take this a step further, identification continues to be obfuscated if the user can login from multiple devices or locations. Disabling concurrent logins strengthens the affirmation that it is the designated employee using their unique ID, and not an intruder or someone they have shared their password with. Just 37% of US and 13% of UK are restricted from logging in on multiple machines simultaneously. This also of course relates to remote access, with 24% in US and 17% in UK allowing employees to use the same login to access the network remotely.
On the topic of password sharing, obviously this is a practice which goes against the requirement of being able to identify specific users. Some users may engage in it against the guidance of their organisation’s security policy, but shockingly there are a number of healthcare organisations that willingly permit it. In fact 12% in the UK and 6% in the US allow their employees to share logins.
Location and time restrictions
A method of taking identifiability a step further than unique user logins and automatic logoffs, as well as reducing vulnerable surface for attack, is by implementing access restrictions for set times and locations. By limiting access to a network not just to individual users, but by workstation, device or department, this reduces risk and makes identifiabilty stronger. Restrictions on time of access, limited to business hours for example, take this even further.
Perhaps unsurprisingly, a minority of healthcare organisations have taken these extra steps, with 28% having implemented location based restrictions and just 13% basing limitations on time.
Attribution
Ultimately, all of these restriction levels are aimed at ensuring that user actions are identifiable, and a minority of 46% US or 33% UK healthcare workers feel that their actions on the employer’s network can be attributed to them. While a majority of employees may not be planning to take any malicious actions on the network, they are still less likely to be conscientious if they don’t think they will be culpable. On the same note, those that may be looking to steal data are unlikely to feel there’s anything stopping them!
Monitoring
There also isn’t much point in ensuring user actions are identifiable unless someone is monitoring those actions. We found that only 50% of US and 34% of UK healthcare workers are aware of their organizations monitoring network access. It is possible that organizations will be monitoring without employee knowledge, but transparency in this regard will encourage good behavior.