Healthcare industry is a prime target for identity-based cyberattacks

June 5, 2024
Attackers increasingly recognize identity management as a weak point for many healthcare organizations.

In the first half of 2023, more than 39 million individuals were impacted by healthcare-related data breaches. Considering both the vulnerability of healthcare organizations and the relative value of protected health information (PHI), the industry continues to attract significant attention from today’s most dangerous cybercriminals.

And while regulations like the Health Insurance Portability and Accountability Act (HIPAA) have forced healthcare organizations to more strongly prioritize the privacy and protection of patient data, they aren’t enough on their own. Regulatory compliance is important, but further protections are needed.

Identity-based attacks have become particularly popular with cybercriminals across a wide range of sectors, and the healthcare industry is no exception. In fact, recent research indicates that 93% of healthcare organizations have suffered an identity-related breach within the past two years, suffering consequences that include operational downtime, compromised data, reputational damage, and more—not to mention the possibility of regulatory penalties.

Attackers increasingly recognize identity management as a weak point for many healthcare organizations, and they will continue to target identities until the industry addresses the threat in a meaningful and effective way.

The Scope of the Threat to the Healthcare Industry

Attackers target identities in a variety of ways, but social engineering has become one of the most frequently used tactics. As you can probably imagine, it’s easier to trick someone into giving away their password—especially when they believe they are talking to a boss, colleague, or family member—than it is to overcome or circumvent modern cybersecurity tools.

Tactics like phishing have been around almost as long as the internet, but today’s attackers have become increasingly adept at them. Targeted “spear phishing” attacks are common today, often using information gleaned from a target’s LinkedIn or other social media accounts to appear more authentic.

Business Email Compromise (BEC) attacks are also common today, using spoofed or compromised email accounts to trick unsuspecting employees into transferring information or funds to attackers.

The most recent Verizon Data Breach Investigations Report (DBIR) indicates that an astonishing 74% of all breaches now involve the human element, underscoring just how pervasive human-focused tactics like social engineering have become. And unfortunately for healthcare organizations, the cost of inaction is rising as well.

IBM’s Cost of a Data Breach Report for 2023 found that the average cost of a data breach is now $4.45 million, but within healthcare specifically the average increases to a whopping $10.93 million—almost double the next closest industry. Failure to effectively secure identities—or limit the damage that a compromised identity can inflict—can result in significant damage to any business, but the threat to healthcare organizations in particular cannot be overstated.

Healthcare organizations also face a number of challenges specific to the industry. Legacy systems are common in healthcare, and the recent trend toward digitization of information has produced challenges of its own.

A lack of IT and security expertise can lead to gaps, especially considering the broad range of identity types present within a given system. Patients, nurses, doctors, and administrative staff might each have dozens of potential designations, each with their own set of entitlements—and their roles and needs can change quickly.

What’s more, healthcare facilities often lean heavily on third-party contractors like traveling nurses, partner practices, and others, which come with their own set of identity security challenges. Overprovisioned identities with access to more systems than they need are an attacker’s dream, but ensuring that every identity has only the permissions it needs is a significant challenge in healthcare.

First Steps Toward Stronger Identity Security

Fortunately for healthcare organizations, the increase in identity-based attacks is accompanied by advanced new identity security solutions.

Additionally, today’s broad recognition of the danger compromised identities can pose means business leaders are generally more open to considering new investments in identity security—in fact, 96% of healthcare organizations agree that their “ability to detect and prevent an identity-related security breach needs improvement.”

That said, budgets are not unlimited, and it’s important to understand which investments can have the most significant impact on the specific threats healthcare organizations face. That doesn’t just mean implementing new security solutions but reexamining the policies and procedures the organization has in place.

Securing and automating the identity lifecycle management process is one of the most important steps. Every day, hundreds—if not thousands—of patients check in, change wards, are discharged, or go through any one of a dozen different status changes, each necessitating the creation, modification, or removal of certain permissions or entitlements.

And those are just the patients—doctors, nurses, and administrative staff have similarly fluid roles, and manually configuring their access needs would be an impossible task.

Modern identity systems allow healthcare organizations to create pre-defined roles and designations, automatically adjusting access permissions according to changing needs. These systems can also automatically offboard identities that are no longer in use—something that often gets lost in the shuffle when managing identities manually.

While not a healthcare-related breach, the Colonial Pipeline attack was a high-profile example of what can happen when adversaries get their hands on an inactive identity that still retains its access privileges. Healthcare organizations can’t afford to let that happen to them, and automated management processes can help ensure that dormant accounts are retired.

Leveraging AI for Intelligent Provisioning

Many modern solutions also include AI-based capabilities that make continuous evaluation of access possible. These solutions can monitor which permissions and entitlements are actually being used by identities within the environment and curtail or expand them as needed.

If one type of user (or “role”) is repeatedly submitting access requests for certain information, the system may recommend that information be added to the standard entitlements for that role. On the other hand, if it observes that certain permissions are rarely (or never) used, it may recommend eliminating those permissions.

In today’s threat landscape, it isn’t possible to stop every attack—but it’s important to ensure that if and when an attacker does compromise an identity, that identity does not have access to extraneous systems outside what it needs to perform its essential functions.

Overprovisioning is often a matter of convenience: IT and security teams don’t want to drown in thousands of access requests every day. Intelligent provisioning relieves those departments of that burden, automatically adjusting access needs according to a combination of predefined roles and observed behavior. The result is a much more secure—and efficient—approach to access provisioning.

These AI-based solutions can monitor access usage for suspicious activity, as well. For example, a doctor suddenly attempting to access or download another doctor’s patient data might raise a red flag. Likewise, a pediatric nurse poking around the financial and accounting systems would certainly qualify as abnormal.

Attackers will use compromised identities to access any systems the identity has access to, and understanding what constitutes normal vs. suspicious activity can help healthcare organizations identify when an attacker may be present in the system. And if a pediatric nurse has access to the financial systems, that can also highlight a broader problem that needs fixing. Eliminating those unnecessary entitlements can prevent a similar incursion in the future.
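The review loop described above (recommending entitlements a role keeps requesting, removing ones it never uses, flagging access exercised outside the role baseline, and retiring dormant accounts) sketched as an added Python example; it is not SailPoint code, and the roles, entitlement names, log events and dates are constructed sample data.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from any real system): the entitlements each
# role is supposed to carry, and an access log of (user, role, entitlement, event).
# event is "use" (entitlement exercised) or "request" (access request submitted).
ROLE_ENTITLEMENTS = {
    "pediatric_nurse": {"ehr_read", "med_admin"},
    "physician": {"ehr_read", "ehr_write", "orders"},
}
ACCESS_LOG = [
    ("nurse01", "pediatric_nurse", "ehr_read", "use"),
    ("nurse01", "pediatric_nurse", "lab_results", "request"),
    ("nurse02", "pediatric_nurse", "lab_results", "request"),
    ("nurse03", "pediatric_nurse", "lab_results", "request"),
    ("nurse02", "pediatric_nurse", "finance_ledger", "use"),
    ("doc01", "physician", "ehr_read", "use"),
    ("doc01", "physician", "ehr_write", "use"),
]
# Constructed last-activity dates used for the dormant-account check.
LAST_ACTIVITY = {"nurse01": date(2024, 5, 30), "nurse02": date(2024, 6, 1),
                 "nurse03": date(2024, 6, 2), "doc01": date(2024, 5, 28),
                 "contractor07": date(2024, 1, 15)}


def review_role(role, log=ACCESS_LOG, request_threshold=3):
    """Right-size one role from observed behaviour; returns (add, remove, anomalies).

    add: requested >= request_threshold times by role members (baseline candidates)
    remove: baseline entitlements no member exercised (removal candidates)
    anomalies: (user, entitlement) used outside the baseline: over-provisioning or misuse
    """
    used, requests, anomalies = set(), Counter(), []
    for user, r, ent, event in log:
        if r != role:
            continue
        if event == "use":
            used.add(ent)
            if ent not in ROLE_ENTITLEMENTS[role]:
                anomalies.append((user, ent))
        elif event == "request":
            requests[ent] += 1
    add = {e for e, n in requests.items() if n >= request_threshold}
    remove = ROLE_ENTITLEMENTS[role] - used
    return add, remove, anomalies


def dormant_accounts(today_iso, max_idle_days=90, last_activity=LAST_ACTIVITY):
    """Accounts idle longer than max_idle_days: candidates for automated offboarding."""
    today = date.fromisoformat(today_iso)
    return sorted(u for u, d in last_activity.items() if (today - d).days > max_idle_days)
```

Recommendations from a review like this should feed an approval step rather than be applied blindly; an anomaly may be a compromised account or simply an entitlement that was never in the baseline.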

It’s also important to note that strong archiving and data retrieval processes are needed in the event of a worst-case scenario. Backups are critical not just for compliance purposes, but for ensuring that a ransomware attack or other significant event cannot prevent access to critical information and systems.

As health information becomes more digitized, attackers recognize that preventing access to electronic PHI applications can significantly disrupt healthcare activity. Ensuring that these backups are in place—and that their access information is well protected—is critical to preventing attackers from crippling operations in one fell swoop.

Prioritizing Identity Security Amid Today’s Threat Landscape

Healthcare is a prime target for today’s attackers, and the volume and complexity of identities that healthcare organizations need to manage can present a significant security challenge.

Fortunately, modern identity solutions and practices have made it easier to automate substantial portions of identity lifecycle management, including onboarding and offboarding, while AI-based capabilities have made it easier to adjust permissions and entitlements in real time.

The name of the game is limiting the information and systems an attacker can reach with a compromised identity, and automating these processes can help ensure that nothing slips through the cracks. As the cost of a breach continues to increase with each passing year, healthcare organizations need to prioritize strong identity security if they want to avoid becoming the next major victim.

Ben Cody is SVP, Product at SailPoint.
