44% of Healthcare and Pharmaceutical Organizations Have
AUSTIN, Texas, Oct. 22, 2021 (GLOBE NEWSWIRE) — SecureLink, a leader in critical access management, has released a new report titled “A Matter of Life And Death: The State of Critical Access Management in Healthcare,” revealing that third-party attacks in healthcare are on the rise and fundamentally threaten not just highly sensitive medical data, but patient care.
The report, which includes data from research conducted in partnership with Ponemon Institute, reveals that within the last year, 44% of healthcare and pharmaceutical organizations experienced a data breach caused by a third party – posing compliance, reputational, and financial risks. With vendors and third parties supplying most of the components that make up the healthcare provider ecosystem, the very structure of the healthcare industry creates a greater attack surface area for data breaches, ransomware, and remote takeover of medical devices. Despite this threat, just 41% of healthcare and pharmaceutical organizations have a comprehensive inventory of all third parties with access to their network.
“Attacks by third parties are on the rise across industries—and healthcare is no exception. It’s also clear there’s an alarming disconnect between how an organization perceives a third-party threat and the actual reality of dangerous third-party access threats, as evidenced in the scarce security measures organizations employ,” said Daniel Fabbri, SecureLink Chief Data Scientist. “Now is a pivotal moment for improving critical access management, which is a vital step in monitoring and securing third-party access. Healthcare providers need to be armed with the information and tools to navigate the state of critical access management, mitigate future cyber attacks, and eliminate vulnerabilities that can threaten HIPAA and HITECH compliance.”
SecureLink’s report aims to emphasize the urgent need for improving critical access management in healthcare, along with the necessary steps healthcare organizations should implement to strengthen security. To begin the process of securing critical access points—especially from third parties—healthcare organizations must limit network and user access across applications. This includes implementing zero trust network access (ZTNA), monitoring application access, and regularly reviewing access rights among users and vendors using the three pillars of critical access management: access governance, access controls, and access monitoring:
- Access governance: Analysts noted a 55% increase in healthcare data breaches, impacting the health information of an estimated 26 million people in the United States. For this reason, the access governance practice of performing user access reviews is imperative to any healthcare organization’s data management and security practices. Not only do user access reviews help prevent data breaches by inventorying the access rights of users and delegating reviews to a staff member’s respective manager, but they also ensure healthcare organizations comply with HIPAA and HITRUST requirements around access to electronic protected health information (ePHI).
- Access controls: In addition to the vulnerabilities created by broad access rights, healthcare organizations often lack visibility into which vendors have entry into their system. Just 44% of healthcare and pharmaceutical organizations have visibility into the level of access and permissions that both internal and external users have. Fine-grained access controls, which include access schedules, approvals, and notifications, along with ZTNA, allow IT or security professionals to provide additional control over the exercise of user access rights to reduce risk, increase visibility, and increase friction.
- Access monitoring: 60% of healthcare and pharmaceutical organizations agree that managing third-party permissions and remote access to their network can be overwhelming and a drain on their internal resources. Implementing robust machine learning-based access monitoring to electronic health records provides session audits that show who accessed what data, when, how, why, and for how long. This, in turn, helps determine misuse and flag those instances for review or investigation by a privacy or compliance professional.
North Country HealthCare, a nonprofit serving over 50,000 patients across 12 Arizona communities, works with over 90 providers and numerous external entities, with 10 currently accessing its systems. Prior to implementing SecureLink’s critical access management solutions, the rapidly expanding organization faced third-party vendor VPN vulnerabilities that threatened security.
“Because many healthcare organizations—including ours—rely on third-party vendors to address changing healthcare needs, they must be fully aware of the risks associated with third parties,” states Jon Smith, Chief Information Officer at North Country HealthCare. “More than that, healthcare organizations need to be vigilant about securing their systems and sensitive patient data from potential bad actors, especially third parties. Since implementing SecureLink’s vendor access management solution, we’ve been able to conduct regular access reviews and fine-tune permissions among our vendors to ensure they have access only to the information and applications they need. This level of control around access and credentials offers us an extra layer of security and allows us to focus on our core mission of providing quality care to our rapidly growing community.”
The data points included in this report were from a study conducted by Ponemon Institute on behalf of SecureLink and include responses from 69 individuals across health and pharma industries who are involved in their organization’s approach to managing critical access data risks. Respondents are based in North America.
To view the complete findings and download the “A matter of life and death: The state of critical access management in healthcare” report: https://www.securelink.com/research-reports/the-state-of-critical-access-management-in-healthcare/. For more information on SecureLink: www.securelink.com
SecureLink is the industry leader in critical access management, empowering organizations to secure access to their most valuable assets, including networks, systems, and data. By leveraging Zero Trust principles, machine learning, and artificial intelligence, SecureLink provides comprehensive security solutions to govern, control, monitor, and audit the most critical and highest risk access points. Organizations across multiple industries — including healthcare, manufacturing, government, legal, and gaming — trust SecureLink to secure all forms of critical access, from remote access for third parties to access to critical infrastructure, regulated information, IT, and OT.