Photo of a stethoscope on a laptop keyboard

Privileged Access Management Best Practices

20 Aug 2015 by Christine Kern

Studies show malicious insider fraud costs an organization even more time and money than a denial of service or Web-based attack. In fact, employee behavior is the most expensive vulnerability in enterprise mobile security. Added to the increasingly sophisticated cyber threats facing the healthcare sector, these challenges are making privileged access management more critical, according to Sudhakar Gummadi, CISO at Molina Healthcare.

So how can healthcare providers protect themselves? Improve the methods of authentication for privileged accounts and restrict how a privileged account can be used. To reduce data leakage, healthcare organizations must integrate security into the corporate culture and consistently evaluate the risks of every interaction with networks, devices, applications, data and other users.

Cisco’s study with InsightExpress exposes dangerous employee behavior that puts corporate and personal data at risk:

Unauthorized application use: 70% of IT professionals reported that the use of unauthorized programs resulted in as many as half of their companies' data-loss incidents.

Misuse of corporate computers: Almost half (44%) of employees admitted that they share work devices with others without supervision.

Unauthorized physical and network access: 39% of IT professionals reported dealing with an employee who had accessed portions of a company's network or facility without authorization.

Remote-worker security: Almost half (46%) of employees admitted that they transferred files between work and personal computers when working from home.

Misuse of passwords: 18% of employees share passwords with teammates.

While current Privileged Account Management (PAM) solutions provide better oversight, they do not address the underlying problem with privileged accounts: that that they allow unfettered access to the system.

“Establishing controls around privileged access continues to be a focus of attention for organizations and auditors,” say Gartner analysts Felix Gaehtgens and Anmol Singh in the research firm's Market Guide for Privileged Account Management. “Security leaders must be prepared to address the inventory, classification and use of privileged accounts.”

“A database administrator or an active directory domain administrator having full access was OK a few years back. But now, due to the whole threat landscape, that’s changed. So we need to have the controls in place...on the endpoint, the servers, infrastructure, firewalls, routers, etc. Because what happens is that the hackers look for the privileged access, and once they have the keys to the kingdom...they can do whatever...because those particular credentials provide full access," Gummadi explained in an interview with Information Security Media Group. He emphasized that systems administrators and others who have special access privileges should only use those privileges when absolutely necessary.

“Privileged access needs to be controlled in your environment,” Gummadi added. ”It should have checks and balances and only be given on a need-to-know basis. Good controls in place won't eliminate the risk, but it will minimize the risk."

By limiting the specific actions a privileged user can take, organizations will not only be able to limit who has privileged access, but also dictate exactly what the user is able to do with that access. Far too many organizations, particularly in healthcare, are simply concerned about limiting the number of privileged accounts they authorize for access.

Let Insight help your healthcare organization strengthen its security against external and internal threats.