securelink-inc
REMOTE ACCESS SECURITY
CODE BLUE
Immediate action suggested for healthcare security and IT professionals
September 24, 2014
Stolen patient records are worth 10 times the value of a stolen credit card.
[Chart: stolen credit card, $1 - $2; stolen patient record, $10 - $20]
The FBI issued a warning criticizing healthcare’s security relative to the financial and retail sectors:
“the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
August, 2014
These high-profile retail breaches all resulted from the exact same attack vector, and it’s one that makes healthcare especially vulnerable.
[Timeline of retail breaches, November 2013 through October 2014: 40,000,000 credit cards stolen; 868,000 payment cards stolen; 216 locations; 395 locations]
An average hospital has more than 100 third-party technology vendors.
They require remote access to deliver services and support to your application owners, and they need powerful, elevated credentials, not regular user accounts.
Each vendor has between 2 and 2,000 unique users who may need to access your network with an admin credential.
How are they getting access today?
About half have a login on your VPN. That leads to logins being shared, your admin credentials written on sticky notes, and a very low level of audit for accountability.
The other half use WebEx or something like it. That gives you very little in the way of security, control, or audit. These are great products for end-user desktop support, but not for supporting enterprise software.
“It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors.”
How good is your vendor’s security?
October 21, 2014
5 suggestions for eliminating this vulnerability:
1) Be aware.
Vendors are not typical users and should be treated as very special guests.
2) Have a realistic policy.
Insist on individual logins and demand accountability, but don’t expect a technician to send you a copy of her passport. It’s not going to happen.
3) Integrate policy in your purchasing process.
Remote access should be negotiated before the vendor needs it. If your EMR system is down, your IT staff (or someone else) is going to open a door that may be left open. The best time to negotiate access methodology is when the software is being purchased (amazing how accommodating the salespeople are at that time) or when your maintenance / subscription agreement is being renewed.
4) Control the platform.
If left to their own devices, a vendor may choose a remote support method (often a simple screen-sharing tool) that meets their needs more than yours. Your platform should support multi-factor authentication, provision granular access privileges, keep credentials private, and audit all activity at the individual user level.
5) Monitor vendor activity.
While it may not be practical to track every keystroke, a consistent audit of vendor remote access should create alarms when a server is accessed repeatedly, or when large files are being transferred outside the network.
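The monitoring in suggestion 5 (repeated access to one server, large transfers leaving the network) and the shared-login problem raised earlier can be checked mechanically against a per-user remote-access audit log. The following is an added example, not code from the original presentation or from any vendor product: the log format, field names, account names and thresholds are assumptions made for illustration, and the sample log is constructed. It goes one step past the slide by also flagging the same vendor account appearing from two source IPs within a short window, a plausible sign that a login is being passed around.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data), one line per remote-access event
# from a hypothetical gateway: timestamp  account  source_ip  target_host  bytes_out
SAMPLE_LOG = """\
2014-10-01T02:00:00 vendorA.tech1 203.0.113.10 emr-db-01 1200
2014-10-01T02:05:00 vendorA.tech1 203.0.113.10 emr-db-01 800
2014-10-01T02:09:00 vendorA.tech1 203.0.113.10 emr-db-01 950
2014-10-01T02:14:00 vendorA.tech1 203.0.113.10 emr-db-01 700
2014-10-01T02:18:00 vendorA.tech1 203.0.113.10 emr-db-01 600
2014-10-01T02:21:00 vendorA.tech1 203.0.113.10 emr-db-01 2500000000
2014-10-01T09:00:00 vendorB.support 198.51.100.7 pacs-app-02 40000
2014-10-01T09:02:00 vendorB.support 192.0.2.44 lab-app-01 15000
2014-10-02T14:30:00 vendorC.eng 198.51.100.90 hvac-ctrl-01 300
"""

# Assumed thresholds; tune them to your own baseline of vendor behaviour.
REPEAT_THRESHOLD = 5                          # sessions to the same host ...
REPEAT_WINDOW = timedelta(hours=1)            # ... within this window
LARGE_TRANSFER_BYTES = 1024 ** 3              # more than 1 GiB out in one session
SHARED_LOGIN_WINDOW = timedelta(minutes=10)   # same account, different source IPs


def parse_log(text):
    """Parse the space-separated audit format into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src_ip, host, bytes_out = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src_ip": src_ip,
            "host": host,
            "bytes_out": int(bytes_out),
        })
    return sorted(records, key=lambda r: r["ts"])


def repeated_access_alerts(records, threshold=REPEAT_THRESHOLD, window=REPEAT_WINDOW):
    """One alert per (account, host) whose busiest window holds >= threshold sessions."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["account"], r["host"])].append(r["ts"])
    alerts = []
    for (account, host), times in by_pair.items():
        start = peak = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"account": account, "host": host, "sessions": peak})
    return alerts


def large_transfer_alerts(records, limit=LARGE_TRANSFER_BYTES):
    """Alert on any single session that moved more than `limit` bytes out."""
    return [
        {"account": r["account"], "host": r["host"], "bytes_out": r["bytes_out"]}
        for r in records if r["bytes_out"] > limit
    ]


def shared_login_alerts(records, window=SHARED_LOGIN_WINDOW):
    """Alert when one account shows up from two source IPs within `window`."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)
    alerts = []
    for account, events in by_account.items():
        for prev, cur in zip(events, events[1:]):
            if cur["src_ip"] != prev["src_ip"] and cur["ts"] - prev["ts"] <= window:
                alerts.append({"account": account,
                               "src_ips": sorted({prev["src_ip"], cur["src_ip"]})})
                break  # one alert per account is enough to trigger triage
    return alerts


def run_checks(log_text):
    """Run all three checks over a log and group the alerts by kind."""
    records = parse_log(log_text)
    return {
        "repeated_access": repeated_access_alerts(records),
        "large_transfer": large_transfer_alerts(records),
        "shared_login": shared_login_alerts(records),
    }


if __name__ == "__main__":
    for kind, items in run_checks(SAMPLE_LOG).items():
        for alert in items:
            print(kind, alert)
```

On the constructed log this raises three alerts: vendorA.tech1 hit emr-db-01 six times inside an hour and pushed 2.5 GB out in one session, and vendorB.support appeared from two different source IPs two minutes apart. All three checks only work because every event carries an individual account name, which is exactly why suggestions 2 and 4 insist on per-user logins rather than a shared vendor credential.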