As healthcare providers continue to work toward creating strong cybersecurity measures, it is important to remember that insider access could also lead to a potential data breach. Failing to secure privileged accounts could lead to unauthorized users gaining access to sensitive data.
Minneapolis, Minnesota-based Allina Health recently implemented Thycotic’s Secret Server for improved privileged account management (PAM).
Healthcare organizations cannot afford to let privileged user accounts run dormant, said Allina Health Senior Security Engineer Thomas Peeples, CISSP.
Peeples explained to HealthITSecurity.com that the decision to use Secret Server for PAM had already been made when he started at Allina. He added that Allina will select tools that are ideal for one purpose, and then explore other features of the tool at a later date.
“The primary use case for purchasing a PAM tool of this nature was to meet a [Payment Card Industry] requirement of rotating local administrative accounts on workstations,” Peeples said, adding that he believed the requirement to be every 90 days.
“We wanted a way to automate that process because prior to Secret Server, we just disabled the local administrative account,” he continued. “It was a task to get them turned back on if they were needed for any support work.”
Allina then found that Secret Server was able to reach out to workstations, remotely manage the local administrative account, and rotate it on a scheduled basis, Peeples said.
Right off the bat Allina was also able to reduce the number of domain admin accounts in its environment.
“We had a server team where every member of that team was in the domain administrative group,” Peeples explained. “When we implemented Secret Server and I was able to communicate its value to that team, they decided to remove individual privileged accounts from the domain administrators group. They instead created about four shared accounts that are now managed and stored in Secret Server.”
Each time that account needs to be used it’s going to be checked out by the individual needing the account, he stated. Upon checking the account back in, the account is automatically rotated and a new password is put in place.
“If we ever were compromised or a breach was to take place, they’d say it’s about 260-something days before you would know about it,” Peeples noted. “Well, if somebody compromises one of our domain admin accounts today, the chances of them being able to use the account tomorrow or next week is eliminated due to Secret Server. Now those accounts are rotated almost every four hours, and mostly on a daily basis.”
Peeples added that Allina has also been able to push the tool out into the business with its EMR workers.
“If you’re going to be utilizing Hyperspace or EPIC and making some changes, those application accounts are privileged right accounts,” he said. “They’re also stored in Secret Server, so to utilize those accounts we have the support team now checking those accounts out. They’re being rotated on a per-use basis as well.”
Employee training on the new tool has not been an issue, Peeples stated. The basic use cases and the documentation on the product were easy to share, he said.
“We created our own ‘How To,’ including how to log in, how to pull up a Secret, how to check an account out,” Peeples explained. “It included a couple of pictures identifying what to do. Then we put that in a Word document and shared it out with employees.”
“The training documentation is pretty solid for Secret Server and it has simple use cases, as in logging in, reviewing a secret, checking a Secret out,” he continued. “There’s multiple workflows that you can use from the tool, but the basic stuff that we want users to begin to do, the training was pretty simplistic.”
Other healthcare providers that are considering updating their own PAM solutions should start from the top down, Peeples advised. Essentially, entities should make sure their leadership team is aware of and understands PAM, and also understands how different tools can assist with PAM in the protection of privileged accounts.
“Once you have that leadership buy-in then the security team needs to go ahead and make sure your policies are updated to reflect how privileged accounts should be managed,” Peeples said. “Once the policies are in place then you are able to introduce the tool to the teams and show them how to use the tool. Teams can learn for example, ‘Secret Server is a tool that you can use to be compliant with the current policies that are in place.’”
Leadership buy-in is especially critical, Peeples maintained. Once that has been established from a policy perspective, organizations can push it down to other staff levels. Entities will likely have infrastructure teams that do not understand, at a holistic or high level, why certain security measures must be taken.
“If you’re having somebody have to log in and check out a password, that’s not going to be very convenient for them trying to get their task done,” he stated. “You’re going to get people rebelling against it. From that point, you help them understand that there may not be very much value from the day-to-day tasks, but from a compliance and audit standpoint, this is huge.”
From a PCI perspective, rotating accounts and protecting those accounts is important, Peeples said. There is also then an audit trail for employees who are using those accounts and passwords.
Security teams, server teams, and even desktop teams within a healthcare organization may require varied approaches with regard to implementing new tools and updating policies and procedures, he explained. Entities will need to adopt an approach that works for their daily operations and team members.
“From a security perspective, starting from the leadership position and updating policies to reflect how privileged accounts should be managed is definitely the path that I would recommend any other security team that wants to push to use [PAM solutions],” he said.
Ensuring basic cyber hygiene for improved data security
Overall, PAM should be a priority for organizations, especially as nearly every major data breach that has happened has been due to some type of account compromise, Peeples stated.
“We have to change our mindset from this idea of convenience to really paying attention to how the threat landscape is changing,” he stressed. “We need to know what the core reason is for a lot of these breaches.”
“Primarily it’s just been compromised administrative accounts that are never changed,” he continued. “Such as service accounts. Most hackers know that service accounts are never changed. Most hackers know that local administrative accounts on servers are never changed.”
It’s a good practice currently to begin to rotate those accounts, Peeples maintained. Whether it’s on a quarterly basis or every 90 days, those accounts should be rotated in an effort to minimize the number of stale accounts in the environment.
“That way the accounts aren’t sitting dormant to once they’re compromised,” he explained. “You’ve got to do a better job of rotating those accounts. You have to maybe use user behavior analytics tools to determine the baseline behaviors of your privileged accounts.”
Organizations must also know where their privileged accounts are, he concluded. There needs to be a solid auditing and provisioning process in place as well.
“When there’s a deviation of those normal behaviors, it should be looked into because that could be another sign that some malicious behavior is beginning to take place with privileged accounts,” Peeples added. “And update your policies and discuss PAM. Those are basic cybersecurity hygiene approaches that you need to do going forward.”
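The check-out/check-in workflow with rotation on check-in, the 90-day rotation requirement, and the advice to investigate deviations from normal privileged-account behavior all reduce to checks a security team can run over a vault audit trail. The following is an added Python example, not code from the article or from Thycotic; the event format, account names, users and dates are constructed, and the two checks are assumptions about what such an audit trail would contain.

```python
"""Defender-side checks over a PAM check-out/check-in audit trail (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample audit trail, merged from the vault (checkout/checkin events)
# and authentication logs (logon events). Tuple: (timestamp, kind, account, subject).
AUDIT = [
    ("2023-03-01T08:00", "checkout", "svc-dba-shared1", "tpeeples"),
    ("2023-03-01T08:05", "logon",    "svc-dba-shared1", "SRV-DB01"),
    ("2023-03-01T11:30", "checkin",  "svc-dba-shared1", "tpeeples"),   # vault rotates here
    ("2023-03-01T14:10", "logon",    "svc-dba-shared1", "SRV-DB02"),   # used with no checkout
    ("2023-03-02T09:00", "checkout", "svc-backup",      "jdoe"),
    ("2023-03-02T09:10", "logon",    "svc-backup",      "SRV-BKP01"),
    ("2023-03-02T09:40", "checkin",  "svc-backup",      "jdoe"),
]

# Constructed: when the vault last rotated each managed secret.
LAST_ROTATED = {
    "svc-dba-shared1": "2023-03-01T11:30",
    "svc-backup":      "2023-03-02T09:40",
    "svc-legacy-sql":  "2022-10-15T00:00",   # a dormant service account never rotated
}


def parse(ts):
    return datetime.fromisoformat(ts)


def logons_without_checkout(events):
    """Logons for a shared account while nobody has it checked out.

    With rotation on check-in, a valid logon outside a checkout window means
    the current credential is known to someone other than the vault: a
    deviation worth investigating.
    """
    active = set()
    findings = []
    for ts, kind, account, subject in sorted(events):   # ISO timestamps sort lexically
        if kind == "checkout":
            active.add(account)
        elif kind == "checkin":
            active.discard(account)
        elif kind == "logon" and account not in active:
            findings.append((ts, account, subject))
    return findings


def stale_accounts(last_rotated, now, max_age_days=90):
    """Accounts whose last rotation is older than the rotation requirement."""
    cutoff = parse(now) - timedelta(days=max_age_days)
    return sorted(a for a, ts in last_rotated.items() if parse(ts) < cutoff)
```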