Perfect privilege
In a perfect world, we'll have solutions that provide separation of duties: the people who assign access rights don't themselves gain that access. This already exists in other technologies, most commonly in encryption and encryption key management, where a key custodian can issue and rotate keys without being able to read the data they protect, and it needs to be extended to privileged access management.
There are vendors in the space today that help define what a particular user can do with a privileged account, even down to command-level execution. This approach allows an organization to specify which commands are available to a user for any given use of a privileged account, rather than handing over the whole account.
The opportunities this affords are virtually limitless. Access required to complete a specific task could be granted only at the time it is needed, scoped to that task, and tied to a service ticket or other form of request, then expire when the task is done. True least-privilege access could finally become a reality.
It's the next step in granularity. Many exploits depend on having root, or on an account that can do anything root can do. If a given account only had the ability to do one or two things, could malicious parties leverage that level of permission to complete their objectives, or pivot off that account to do other things? Not likely, provided the few permitted actions can't themselves be turned into a shell or used to alter the policy. And it's a much-needed next step.
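To make the command-level, ticket-bound model concrete, here is an added example (not code from the original article or from any vendor it alludes to) of the policy decision a privileged-access broker would make before executing a command on an operator's behalf. The grant structure, the ticket identifier INC-1234, the operator name, the allowed command patterns and the timestamps are all constructed for illustration. A grant names the privileged account, the human using it, the ticket that justified it, an expiry, and an allow-list of command names with an anchored regular expression over the arguments; anything not explicitly permitted is denied, as is any attempt to chain commands with shell metacharacters or to use the grant after it expires.

```python
"""Ticket-bound, command-level check for a privileged account (hypothetical example)."""
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    account: str        # privileged account being used, e.g. root
    operator: str       # human who was granted temporary use of it
    ticket: str         # service/change ticket that justified the grant
    expires: datetime   # grant is unusable at or after this time
    allowed: tuple      # (command, full-match regex over the argument string)


def new_grant(account, operator, ticket, ttl_minutes, allowed, now):
    """Issue a short-lived grant; 'now' is injected so results are deterministic."""
    return Grant(account, operator, ticket,
                 now + timedelta(minutes=ttl_minutes), tuple(allowed))


# Characters that would let one permitted command smuggle in a second one.
_SHELL_META = re.compile(r"[;&|`$<>()\n]")


def check(grant, operator, cmdline, now):
    """Return (decision, reason). Default is deny; only an exact allow-list hit permits."""
    if operator != grant.operator:
        return "deny", "operator does not match grant holder"
    if now >= grant.expires:
        return "deny", f"grant for ticket {grant.ticket} has expired"
    if _SHELL_META.search(cmdline):
        return "deny", "shell metacharacters are not permitted"
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return "deny", f"unparseable command line: {exc}"
    if not argv:
        return "deny", "empty command"
    cmd, args = argv[0], " ".join(argv[1:])
    for allowed_cmd, arg_pattern in grant.allowed:
        # fullmatch anchors the pattern so 'restart nginx' cannot match 'restart nginx-evil'
        if cmd == allowed_cmd and re.fullmatch(arg_pattern, args):
            return "allow", f"ticket {grant.ticket}: '{cmd} {args}'.strip()"
    return "deny", f"'{cmdline}' is outside the scope of ticket {grant.ticket}"


# Constructed sample: alice may restart nginx and read its logs for 30 minutes.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
T_EXPIRED = T0 + timedelta(minutes=31)
EXAMPLE_GRANT = new_grant(
    account="root", operator="alice", ticket="INC-1234", ttl_minutes=30,
    allowed=[("systemctl", r"restart nginx"),
             ("journalctl", r"-u nginx( -n \d+)?")],
    now=T0,
)

if __name__ == "__main__":
    for who, cmd, when in [
        ("alice", "systemctl restart nginx", T0),
        ("alice", "journalctl -u nginx -n 50", T0),
        ("alice", "systemctl restart sshd", T0),          # right command, wrong target
        ("alice", "cat /etc/shadow", T0),                 # never granted
        ("alice", "systemctl restart nginx; bash", T0),   # chaining to a shell
        ("bob", "systemctl restart nginx", T0),           # not the grant holder
        ("alice", "systemctl restart nginx", T_EXPIRED),  # ticket window closed
    ]:
        print(who, repr(cmd), "->", check(EXAMPLE_GRANT, who, cmd, when))
```

Two points worth noting when turning this into enforcement rather than a model. First, the check only helps if the broker is the only path to the privileged account, so that every command actually passes through it and is recorded against the ticket. Second, the allow-list has to be reviewed for commands that can spawn a shell or edit the policy itself (editors, pagers, anything with a `--exec` style option); an account that can run one such command is, in effect, an unrestricted account again, which is exactly the pivot the text warns about.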
How access affects health IT
While organizations in every vertical must verify and vet vendors and third parties, those in healthcare IT should take special care because of the patient privacy at stake and the compliance requirements they must follow.
As the current HIPAA guidelines stand, organizations are only required to verify that an identity is tied to the person claimed, typically through some form of multi-factor authentication. The HIPAA requirements, the primary driving force for protecting patient data, don't mandate that organizations restrict what a privileged account can do once it has been properly authenticated.
Given the complexity of typical healthcare environments, a better way to control privileged access in a healthcare setting is crucial to protecting PHI. Investing in a conventional PAM solution would be a good first step, but implementing one that provides granular, command-level control is a far more secure one.
Today vs. Tomorrow
We've focused our attention on limiting how many people have privileged access. It's a good sign that organizations are concerned about this, but the conversation has recently turned to how we can do a better job of limiting what can be done with a privileged account. This is a sign of continuing maturity in the security space. We still need more solutions that provide granular, fine-tuned control and monitoring of these accounts.
As the threat landscape continues to evolve and criminals continue to refine their methods, we will need not only to improve the methods of authentication to privileged accounts, but also to restrict what a privileged account can do for any particular use of the account.