Privacy & Security

What's next for privileged access management?

Why healthcare IT needs to control PAM
By Kurt Hagerman
July 07, 2015
10:28 AM

Many organizations do a reasonably good job at limiting access to data and systems for their general user population. When it comes to privileged access, however, most simply attempt to limit who and how many people have this type of access without considering the inherent risks of granting wide-open root or admin level access.

The latest data breaches have been the result of attackers gaining elevated privileges to systems by compromising a privileged user's credentials and then using the authorized access to exfiltrate data.

The concept behind privileged access management – or sometimes privilege identity management – to better control privileged account access is not a new notion. But organizations need to take an important step forward in granularity.

Current PAM solutions provide better management of privileged accounts but do not solve the underlying problem with privileged accounts: that they allow unfettered access to the system; allowing whomever has access full control over the system.

While providing better control over and accountability for the use of privileged accounts, they do not provide the ability to truly provide access based on the well-understood concept of least privilege. And this is where that next level of granularity will help organizations provide their privileged users with the ability to do their assigned tasks without giving them the keys to the kingdom and putting the organization at unnecessary risk.

"Establishing controls around privileged access continues to be a focus of attention for organizations and auditors," says Gartner analysts Felix Gaehtgens and Anmol Singh in the research firm's Market Guide for Privileged Account Management. "Security leaders must be prepared to address the inventory, classification and use of privileged accounts."

Root cause
Root or administrative access is typically meted out in its entirety to certain trusted individuals. The problem with this approach is that this level of access allows the user to take any action they want, on any system, regardless of the immediate objective or their respective role in the organization.

Threat actors specifically target these users through malware, social engineering or other lateral breaches. Once a threat actor or malicious party gains access to a privileged user's credentials, they often either have or can find a way to escalate to root access. The result? They "own" the environment, allowing them to execute their nefarious objectives.

By taking PAM/PIM to the next level — by limiting what specific actions a privileged user can take — organizations will not only be able to limit who has privileged access, but also dictate exactly what the user is able to do with that access. Far too many organizations, particularly in healthcare, are just concerned about limiting the number of privileged accounts they authorize for access. But we need more control.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Former Georgia Rep. Doug Collins
Trump taps former Rep. Doug Collins to head VA

Most Read

Providence's inpatient telemedicine programs pack a powerful punch
The Light Collective amplifies its call for patient data rights
Atrium Health responds to new social engineering attack
Vendor Notebook: New cybersecurity and EHR performance upgrades 
HMIS integration with other public HIS sought and more India briefs
Particle Health files antitrust suit against Epic

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Mike Relli at Knight Consulting_Global Health Equity Week 2024
New approaches to improving healthcare access for justice-impacted individuals
HIT professional reviews information on a laptop outside a server room
ASPR seeks feedback on public health orgs' cybersecurity needs
Gabriel Jones of Proprio on AI
Artificial intelligence is enabling big advances in surgery
Pharmacist sorting pills
Deploy RFID technologies to streamline controlled substance management
Healthcare workers in a meeting
Prioritizing cost management at U.S. healthcare systems: Keys to better margins
Jill Brewer at HIMSS_Healthcare Cybersecurity Forum 2024
What's the weakest link in organizational cybersecurity? Not what you might think
Richard Staynings at the University of Denver_Healthcare Cybersecurity Forum 2024
The challenges of safeguarding healthcare's 'data ocean'
Avihai Sodri of Antidote Health on telemedicine
How virtual-first can improve outcomes and make care more affordable