HTN Now: Imprivata on cyber security strategy and why privileged access management matters

At HTN Now, we welcomed Imprivata’s senior product marketing manager Andy Wilcox and identity, security and access governance director Jaimin Patel. Andy and Jaimin shared their insights and expertise on cyber security and privileged access management with our HTN audience.

Accelerating IT complexity and the new complex landscape

On the topic of accelerating IT complexity, Jaimin noted how the landscape has changed in the last 20 years with the advancement of EPRs, cloud applications, and SaaS (software-as-a-service) based applications.

“The number of users engaging and connecting with patient data has now grown,” he said. “It’s not just a doctor or a nurse, it’s also non-critical people who are part of the ecosystem – your affiliates, external users and vendors are also part of the ecosystem, looking to access patient records from different locations and from different types of devices. The application suite has grown as well; now there are tens of applications that users need to connect into every day. That means the amount of data has grown tremendously, and it’s in different places.”

On the implications of this growing complexity for organisations, Jaimin continued, “For a single organisation, having to worry about who is accessing the data and how to make this access seamless for users is key. From this perspective, the level of complexity means additional challenges, which is not only painful on an operational level, but also expensive.”

Current challenges

“We hear all about the ransomware attacks and cyber attacks on healthcare organisations and their partners or external vendors,” Jaimin said. “That continues to increase insider threats, meaning that many of an organisation’s users don’t even realise the amount of access they have within the internal system. That also adds to the complexity, or adds to the risk of insider threat, unknowingly opening the doors. Around 80 percent of breaches involve privileged credentials, which opens up doors with additional and much higher risks to the organisation.”

Third parties often become the focus here, he added, with organisations tending to focus their security efforts on their employees and internal users. “How do you ensure that their environment is secure when they’re connecting to your organisation, or to your network? That opens up a new frontier for many bad actors, where instead of directly affecting or targeting a health organisation, they target a prominent supplier or a vendor. That allows them to open up multiple health organisations to attack. Any one vendor might have access to files across lots of different organisations, and credentials are the keys to the kingdom. If you can compromise the privilege credential, then you can open up any door.”

EU context and regulation

Andy picked up the discussion at this point, highlighting the EU context in particular and the regulation surrounding cyber security for health organisations.

“The EU is currently in the process of updating regulations with the NIS2 (Network and Information Systems) directive, and we expect these updates to also be picked up in the UK,” he explained. “The updates mean that the framework is becoming a lot more like GDPR for cybersecurity – it’s expanding on some of the basic things like stricter reporting and reporting chains, introducing fines, and probably most importantly, introducing personal liability. It will mean that executive-level people are going to carry responsibility for ensuring that the right cybersecurity controls are in place and that the right technologies are deployed.”

On how this impacts the direction and focus of his work, Andy commented: “The key focus when we’re talking about privileged access and privileged access management is things like basic cyber hygiene practices, such as strong passwords, and security for privileged access, multi factor authentication, remote access, and supply chain security. This is important, because your downstream vendors are providing the critical systems you are implementing, so you need to grant them access to your internal networks to be able to manage and support them. If you don’t have policies and processes in place to manage that, you could be exposing yourself to fines.”

Access management in the NHS

Andy moved on to discuss the approach to cyber security within the NHS. “The NHS has gone from a very small number of applications inside the four walls of the hospital which were delivered on a very small number of devices, to this vast array of solutions and applications, some of which are not managed within the hospital,” he pointed out. “You’re looking to third parties to provide the support, the maintenance and everything else to ensure they’re available all the time to support patient care. That can mean limited visibility into what they’re doing – how do you know what someone’s done when you’ve granted them access to a server to perform some maintenance or upgrades?”

“In the NHS, the tools being used may not be best practice. I’ve seen systems, which may succeed in giving someone access, but may not provide you with the level of auditing, detail or oversight to be sure you’re providing protection for critical technology. Also, there are still a lot of very manual processes in place, like opening up a VPN tunnel to a particular user, creating them a user account to access a system, and so on.” Decommissioning those users once they have completed tasks is very time-consuming, he noted, and increases the overheads of your internal IT departments.

He also raised the risk of third-party vendors coming in on devices that are outside of NHS control and so may not be compliant with internal policies around endpoint security, antivirus and firewalls. “You don’t know what those devices could be bringing into your network – that is a lot of risk that needs to be managed.”

When it comes to tackling these challenges, Andy highlighted new NHS policy around access from remote users to internal networks, which makes multi-factor authentication (MFA) a requirement for remote users. “This applies to pretty much everyone in the NHS, whether an individual trust or an ICB. This new policy, along with the NIS2 framework, places a lot more onus on downstream suppliers; so you have to take a lot more interest in what those downstream suppliers are doing and how they’re accessing your networks.”

Privileged access management in the NHS

Jaimin pointed out that a key challenge facing the NHS is when it comes to privileged access management. One such issue is the challenge of storing information in one place. For example, Jaimin noted that IT admins often have a spreadsheet of credentials and elevated rights on a secure network which only they have access to.

Moving on to focus on how privileged access management solutions can support organisations, he explained, “A healthcare organisation probably has a number of medical devices, and you’re going to get people from the vendor organisation coming in to support those devices. This time it could be John, next time it might be Jane. All these different users may have generic credentials, they might all be using the same one. Now, say John leaves and goes to work at another place. John still knows that generic credential, and he can use it to log in. But how do you know whether he is still working for the vendor or not? A privileged access management solution can identify and validate a user’s employment for you.”

It’s about building a digital identity, he noted. “25 years ago, a firewall was enough for an organisation to use as perimeter security. But now, with the advancement of technology like cloud-based systems and mobile devices with remote access, it becomes more difficult. That’s where a digital identity comes into play. You use a digital identity to make sure a user or device has set permissions about what they can connect to, and to ensure you know what they are doing with that access. Knowing where to start with that process is the key; a digital identity framework can help an organisation with this.”

Digital identity framework

Jaimin highlighted Imprivata’s digital identity framework, explaining how they looked at what was critical for a healthcare organisation and broke it down into four segments: governance administration, identity management, authorisation, and authentication and access.

“Governance administration is at the top, as the end goal for an organisation, and the three other pillars are the steps,” he continued. “Once an organisation implements all of those steps, you get to a state where you now have a compliance-based organisation, but also proactive risk mitigation that you can rely on.”

Each of the pillars have subgroups, he added; for example, within identity management, there are joiner and leaver processes and mobile device processes to make sure that select devices have the right access.

“The goal from an organisation perspective is that the framework is vendor agnostic,” Jaimin specified. “You may have a solution from another vendor, but does it check off all the different capabilities that are on the framework?”

He noted that people often ask a question along the lines of: ‘From a CIO perspective, I see the vision, but how do I know where I am in my journey?’

“That’s the place we always start: what are the next things to focus on?” Jaimin said. “There’s an assessment in terms of thinking about a complete path to your identity maturity; then comes the maturity assessment, which tells us where you are within that framework. We help many of our customers complete that assessment, which in turn helps them to identify the different gaps within their organisation.”

Picking up on the point about the maturity assessment, Andy explained how Imprivata designed the maturity assessment to be self-guided so that “you can use without our input to assess where you are in your organisation’s journey. It helps you start to look beyond some of the core access elements like logging into a Windows computer or logging into applications for general users, and you start getting into more specific areas of focused digital identity, like privileged access management. So it’s a good model to work through to decide what you want to prioritise and how to get there.”

Many thanks to Andy and Jaimin for joining us.