5 critical components in protecting servers from breaches
Recognizing the risks of dormant accounts and excessive permissions is critical to protecting health data.
Servers appear to be the Achilles heel of healthcare organizations’ data protection efforts. About 54 percent of all individuals affected by an information breach at a healthcare organization were impacted by a breach involving that organization’s server, according to data on the breach portal of the Department of Health and Human Services’ Office for Civil Rights, which collects security incidents from June 1, 2018, to May 31, 2019. A report this summer from Clearwater’s CyberIntelligence Institute says that, of the breaches in the previous 12 months, 90 healthcare breaches affecting more than 9 million individuals were related to servers in some way.
It’s no wonder that servers are hackers’ prime target—they are a central repository of data and critical programs that are shared by users at healthcare organizations. Clearwater analyzed critical and high risk factors facing hospitals and health systems for a six-month period and found that servers topped the list of information system components responsible for these risks—in fact, 62.83 percent of all critical and high risks were a result of some inadequately addressed security vulnerability in servers. That far outstrips security risks posed by Software as a Service (SaaS), 17.06 percent; desktops or laptops, 10.5 percent; or all other risks, 9.07 percent.
Clearwater’s research found two key server vulnerabilities, and three important actions for organizations that want to fill these gaps.
Vulnerability 1: Dormant accounts
This security weakness occurs when the accounts of users who no longer require access to an application, device or system—usually because of leaving an organization or a job change—are not removed promptly. Dormant accounts can be conduits enabling unauthorized users to access data with little fear of detection, Clearwater contends.
Information security executives can prevent risks posed by dormant accounts by using security controls that disable accounts when a change in employee status occurs. Periodic reviews also can identify dormant accounts or their unauthorized use.
Vulnerability 2: Excessive user permissions
The risk of unauthorized access rises when information system users are granted more access or more system rights than the job they perform requires. This also violates the HIPAA Privacy Rule’s principle of Least Privilege. “Users with more system permissions than they require can inadvertently or intentionally access, change or delete sensitive records in an unauthorized manner,” the Clearwater report contends.
To prevent this type of vulnerability, “periodic reviews of user permissions by the appropriate system owner or manager can reveal users whose system permissions exceed what they require,” the Clearwater document notes.
Critical prevention step 1: User activity review
Manual reviews of system activity logs can be tedious, but “log analyzer” software can automatically aggregate and analyze activity logs. These applications can detect anomalies, such as large numbers of records viewed, changed or deleted by a single user. To correlate events occurring across multiple systems, security incident and event management (SIEM) software can more readily identify potentially malicious activity that exploits multiple system weaknesses, Clearwater contends. For example, by correlating network logs with application logs, “a security analysis program might show that an unusually high number of unauthorized record views had successfully logged into the application remotely from China.”
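The two checks described above, a per-user record-volume threshold on the application log and a correlation of the flagged users against remote-access logs, as an added example that is not part of the Clearwater report or any log-analyzer product. The log lines, the CSV layouts, the threshold value and the set of expected source countries are all constructed assumptions for this example.

```python
"""Added example: review application activity for high-volume record access and
correlate flagged users with remote-access (VPN) login origins.

All log lines, field layouts and thresholds below are constructed assumptions
for this example, not the format of any particular product.
"""
import csv
import io
from collections import defaultdict

# Constructed application audit log: timestamp,user,action,record_id
APP_LOG = "\n".join(
    ["2019-05-02T08:01:10,jdoe,VIEW,PT-1001",
     "2019-05-02T08:01:12,jdoe,VIEW,PT-1002",
     "2019-05-02T08:05:03,asmith,UPDATE,PT-2200"]
    # rwhite views 150 distinct records in one evening session: the pattern to catch
    + [f"2019-05-02T22:{i // 60:02d}:{i % 60:02d},rwhite,VIEW,PT-{3000 + i}"
       for i in range(150)]
)

# Constructed remote-access (VPN) log: timestamp,user,event,source_country
VPN_LOG = """\
2019-05-02T07:55:00,jdoe,LOGIN_SUCCESS,US
2019-05-02T21:40:00,rwhite,LOGIN_FAILURE,CN
2019-05-02T21:58:31,rwhite,LOGIN_SUCCESS,CN
"""

EXPECTED_COUNTRIES = {"US"}  # assumption: where the workforce normally connects from
RECORD_THRESHOLD = 100       # assumption: distinct records per user per day before review


def parse_log(text, fields):
    """Parse a headerless CSV log into a list of dicts keyed by the given field names."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=fields))


def records_touched_per_user(app_events):
    """Count the distinct records each user viewed, changed or deleted."""
    touched = defaultdict(set)
    for e in app_events:
        if e["action"] in {"VIEW", "UPDATE", "DELETE"}:
            touched[e["user"]].add(e["record_id"])
    return {user: len(records) for user, records in touched.items()}


def remote_logins_by_user(vpn_events):
    """Map each user to the set of source countries of their successful remote logins."""
    origins = defaultdict(set)
    for e in vpn_events:
        if e["event"] == "LOGIN_SUCCESS":
            origins[e["user"]].add(e["source_country"])
    return origins


def review_activity(app_text, vpn_text, threshold=RECORD_THRESHOLD,
                    expected=EXPECTED_COUNTRIES):
    """Return findings for users at or over the record threshold, each annotated with
    any remote-login origin outside the expected set (the cross-log correlation)."""
    app_events = parse_log(app_text, ["timestamp", "user", "action", "record_id"])
    vpn_events = parse_log(vpn_text, ["timestamp", "user", "event", "source_country"])
    counts = records_touched_per_user(app_events)
    origins = remote_logins_by_user(vpn_events)
    findings = []
    for user, n in sorted(counts.items()):
        if n < threshold:
            continue
        unexpected = sorted(origins.get(user, set()) - expected)
        findings.append({"user": user, "records": n, "unexpected_origins": unexpected})
    return findings


if __name__ == "__main__":
    for f in review_activity(APP_LOG, VPN_LOG):
        where = ", ".join(f["unexpected_origins"]) or "expected locations only"
        print(f"{f['user']}: {f['records']} records touched; remote logins from {where}")
```

The volume check alone would flag a clinician running a legitimate report, so the finding carries the login-origin context a reviewer needs to prioritize it; in a SIEM the same join would be done on the user field across the two log sources.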
Critical prevention step 2: User account management
User account management entails automated coordination of user account access with systems that maintain user “position” (such as vice president, manager, line employee and the like) and “status” (such as employed, formerly employed, retired and more). Often, coordination is achieved through the use of identity access management systems that tie Active Directory access and group membership to human resource or payroll applications. “However, organizations that have their own programming staff have also been known to write their own PowerShell scripts to achieve the same functionality that many identity access management programs provide,” Clearwater notes. In either case, changes in employee positions and status must be recorded promptly for these efforts to succeed.
Critical prevention step 3: User permission review
When organizations don’t use identity access management programs, manual reviews of user system permissions are critical. The number of system users and the frequency of user turnover typically dictate the frequency of such reviews, Clearwater indicates. “However, for those systems with 100 or more users, user permission reviews conducted at least quarterly are recommended,” its report suggests. “Where system access is also granted to students, a review of system permissions immediately after the end of a term or semester is also highly advisable.”
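The reconciliation that steps 2 and 3 describe, checking directory accounts against the HR roster’s status (which also surfaces the dormant accounts of Vulnerability 1) and checking group memberships against what a position actually needs (Vulnerability 2), as an added example. It is not Clearwater’s code and it is not one of the PowerShell scripts the report mentions; it is a Python stand-in for the logic such a script would carry. The roster, the directory export, the role-to-group matrix and the 90-day dormancy window are constructed assumptions.

```python
"""Added example: reconcile directory accounts against the HR roster (account
management) and against a role-to-group entitlement matrix (permission review).

Every record and threshold below is a constructed assumption for this example;
a real deployment would read the roster from HR and the directory from AD.
"""
from datetime import date, timedelta

# Constructed HR roster: the system of record for position and status.
HR_ROSTER = {
    "jdoe":    {"status": "employed",          "position": "nurse"},
    "asmith":  {"status": "employed",          "position": "billing_clerk"},
    "rwhite":  {"status": "formerly_employed", "position": "manager"},
    "tnguyen": {"status": "employed",          "position": "student"},
}

# Constructed directory export: enabled flag, group memberships, last logon date.
DIRECTORY = {
    "jdoe":    {"enabled": True, "groups": {"EHR-Clinical"},               "last_logon": date(2019, 5, 30)},
    "asmith":  {"enabled": True, "groups": {"EHR-Billing", "EHR-Admins"},  "last_logon": date(2019, 5, 29)},
    "rwhite":  {"enabled": True, "groups": {"EHR-Clinical", "EHR-Admins"}, "last_logon": date(2019, 1, 15)},
    "tnguyen": {"enabled": True, "groups": {"EHR-Clinical"},               "last_logon": date(2019, 2, 1)},
    "svc-old": {"enabled": True, "groups": {"EHR-Admins"},                 "last_logon": date(2018, 11, 2)},
}

# Assumed entitlement matrix: the groups each position legitimately needs.
ROLE_GROUPS = {
    "nurse":         {"EHR-Clinical"},
    "billing_clerk": {"EHR-Billing"},
    "manager":       {"EHR-Clinical", "EHR-Reports"},
    "student":       {"EHR-Clinical"},
}

DORMANT_AFTER = timedelta(days=90)  # assumption: no logon for this long means dormant


def reconcile_accounts(directory, roster, today, dormant_after=DORMANT_AFTER):
    """Return (account, reason) pairs for enabled accounts that should be disabled:
    no HR record, HR status other than employed, or no logon within the window."""
    actions = []
    for acct, info in sorted(directory.items()):
        if not info["enabled"]:
            continue
        person = roster.get(acct)
        idle = today - info["last_logon"]
        if person is None:
            actions.append((acct, "no matching HR record"))
        elif person["status"] != "employed":
            actions.append((acct, f"HR status is {person['status']}"))
        elif idle > dormant_after:
            actions.append((acct, f"no logon for {idle.days} days"))
    return actions


def review_permissions(directory, roster, role_groups):
    """Return (account, excess_groups) for current employees whose group memberships
    exceed what their position requires; leavers are left to reconcile_accounts."""
    findings = []
    for acct, info in sorted(directory.items()):
        person = roster.get(acct)
        if person is None or person["status"] != "employed":
            continue
        allowed = role_groups.get(person["position"], set())
        excess = sorted(info["groups"] - allowed)
        if excess:
            findings.append((acct, excess))
    return findings


if __name__ == "__main__":
    today = date(2019, 6, 1)
    for acct, reason in reconcile_accounts(DIRECTORY, HR_ROSTER, today):
        print(f"disable {acct}: {reason}")
    for acct, excess in review_permissions(DIRECTORY, HR_ROSTER, ROLE_GROUPS):
        print(f"review {acct}: holds groups beyond role: {', '.join(excess)}")
```

Running the two functions on the constructed data produces a disable action for the former employee, the unmatched service account and the dormant student account, and an excess-permission finding for the billing clerk holding an administrative group. The quarterly or end-of-term review the report recommends is just this reconciliation run on a schedule with a current roster; its accuracy depends entirely on HR status changes being recorded promptly, which is the point the report makes.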
For more information
More information on the Clearwater CyberIntelligence Report on server vulnerabilities can be found here.