Access management in healthcare: Aligning to NIST 800-66

Security professionals must protect networks while avoiding burdensome access controls.


By Shawn Hays, Senior Product Manager - Security, Compliance, and Identity, at Microsoft

The Health Insurance Portability and Accountability Act (HIPAA) is often the first thing that comes to mind when it comes to ensuring patient privacy in healthcare.[1] But as ransomware attacks and data breaches against healthcare systems continue, HIPAA safeguards must evolve to protect against growing cybercriminal activity.

The healthcare sector is now one of the most targeted industries for ransomware attacks, making up 25% of complaints filed with the FBI’s Internet Crime Complaint Center in 2022.[2] These attacks, combined with the growing number of other cybersecurity incidents, have prompted officials to call for increased regulations on the healthcare sector.

In April, Microsoft joined U.S. software firm Fortra and the Health Information Sharing and Analysis Center (H-ISAC), a cyberthreat-sharing group for U.S. healthcare providers, to take technical and legal action against ransomware groups using illegal legacy copies of Fortra’s threat simulation tool Cobalt Strike to target healthcare organizations. This attack method has reportedly been linked to 68 ransomware attacks and has impacted healthcare organizations across more than 19 countries, costing millions of dollars in post-attack expenses.

How NIST 800-66 Rev.2 is likely to impact healthcare systems

One prominent voice on regulatory change in the healthcare sector is Senator Mark Warner of Virginia. His recent white paper, Cybersecurity is Patient Security, details cybersecurity issues across the industry and outlines potential policy options to mitigate them.[3] He also explores which incentives or penalties should be enacted for compliance or non-compliance with federal regulations.

While some penalties currently exist through the Health Information Technology for Economic and Clinical Health (HITECH) Act, many federal analyses and industry reports find that organizations lack appropriate protections. The federal government is initiating guidance and new mechanisms to increase protections for patients’ electronic Protected Health Information (ePHI) and other sensitive data.

For example, the National Institute of Standards and Technology (NIST) is in the process of updating its “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” documentation.[4] Also known as NIST 800-66, this guidance was initially released in October 2008 as a tool to educate audiences on addressing HIPAA security standards and guide organizations in implementing an information security program. Its most recent iteration, NIST 800-66r2, contains several new additions.

Access management features prominently in the initial draft of NIST 800-66r2.[5] This is especially timely, since 93% of all Microsoft investigations during ransomware recovery engagements revealed insufficient privileged access management and lateral movement controls, and 86% revealed improper configuration of identity providers.

The core access management descriptions added to NIST 800-66r2 are:

  • Decide and document how access to ePHI will be granted for privileged functions.
  • Consider whether multiple access control methods are needed to protect ePHI according to the results of the risk assessment.
  • Modify personnel access to ePHI as needed, based on review activities.
  • Consider implementing a user recertification process to ensure that least privilege is enforced.

These recommendations, however, come with certain nuances. Security teams need to balance the demand for increased data privacy with the rapid pace of care. Many healthcare practitioners need the ability to act quickly for better patient and financial outcomes, without navigating burdensome access controls. So, where does that leave security professionals?

The future of access management in healthcare

Artificial intelligence (AI) is one of the most promising new additions to the field of access management. Security teams can now leverage machine learning to analyze how users are interacting with patient data and to identify risky behavior patterns.

This is critical, especially considering that insider risks accounted for nearly 35% of unauthorized access incidents during the third quarter of 2022.[6] AI can help security teams scale their efforts by dynamically adapting policies and technologies to critical risks as they change, limiting the need for manual intervention from security resources and maximizing coverage over potential data security incidents. This tactic is known as adaptive protection.

For example, a user may attempt to access a larger number of patient records than normal or to view patient records that fall outside of that user’s specific practice or location. Based on this risky behavior, the machine learning model can automatically tailor data loss prevention (DLP) controls to revoke access privileges or to force reauthentication prior to allowing the user to perform a function – such as downloading a file.

If the user holds a privileged admin role and has previously engaged in risky behavior, a stricter DLP policy can automatically be applied to them to help mitigate those risks and minimize potential negative data security impacts early on. And when the user’s risk level lowers, an appropriate policy can be dynamically applied to match the normalized risk level. This enables low-risk users to maintain their productivity while high-risk users can be addressed – without placing an additional resource constraint on healthcare security teams.
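As an added illustration (not code from the article or from any Microsoft product), the Python below runs the adaptive-protection logic described above over constructed audit rows: a simple per-user baseline and home-practice check stands in for the machine learning model, and the chosen DLP tier tightens for risky or privileged users and relaxes again once activity returns to normal. The user names, practices, threshold and policy tier names are assumptions.

```python
from collections import Counter

# Constructed sample data (not real patient data). USERS maps each account to
# its role and home practice; EVENTS are (user, record_practice, day) audit rows.
USERS = {
    "nurse_a": ("clinician", "cardiology"),
    "admin_b": ("privileged_admin", "it"),
}
EVENTS = (
    [("nurse_a", "cardiology", d) for d in (1, 1, 2, 2, 3, 3)]  # baseline: 2 records/day
    + [("nurse_a", "cardiology", 4)] * 12                        # day 4: 6x normal volume
    + [("nurse_a", "cardiology", 5)] * 2                         # day 5: back to normal
    + [("admin_b", "it", d) for d in (1, 2, 3)]
    + [("admin_b", "oncology", 4)]                               # day 4: outside admin's practice
)
VOLUME_MULTIPLIER = 3.0  # assumed threshold: more than 3x the user's daily baseline


def risk_signals(events, user, day):
    """Risky-behaviour signals for one user on one day, judged against prior days."""
    counts = Counter(d for u, _, d in events if u == user)
    prior = [c for d, c in counts.items() if d < day]
    baseline = sum(prior) / len(prior) if prior else 0.0
    home_practice = USERS[user][1]
    signals = set()
    # More records than normal for this user
    if baseline and counts.get(day, 0) > VOLUME_MULTIPLIER * baseline:
        signals.add("volume_anomaly")
    # Records belonging to a practice other than the user's own
    if any(u == user and d == day and p != home_practice for u, p, d in events):
        signals.add("out_of_scope")
    return signals


def select_dlp_policy(events, user, day):
    """Choose the DLP tier for a user on a day: tighten on risk, relax when it clears."""
    signals = risk_signals(events, user, day)
    if not signals:
        return "standard"           # low-risk users keep full productivity
    if USERS[user][0] == "privileged_admin":
        return "revoke_download"    # stricter tier for privileged roles
    return "require_reauth"         # force step-up before e.g. a file download
```

The same functions can be re-run as each day's audit rows arrive, so a user who was escalated on day 4 is returned to the standard tier on day 5 without manual review.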

Harden security while aligning to industry best practices

It bears repeating that healthcare systems should continue to approach access management through the lens of Zero Trust.[7] Currently the gold standard in cybersecurity protection models, Zero Trust is based on three core principles: verify explicitly, use least-privileged access and assume breach. Some organizations still lack the capability to verify identities by checking the device used and the location of the authentication attempt, or to enforce least privilege by limiting users to only the functions they absolutely need, for a set period of time.

Regardless of whether or not the federal government decides to implement further penalties for failing to comply with any potential cybersecurity regulations, healthcare systems have a chance to align with industry best practices by strengthening their access management policies and adopting Zero Trust principles at the same time.[8] By doing so, they’ll be better equipped to protect patient data moving forward.

References

  1. U.S. Department of Health & Human Services. October 2022. The security rule. https://www.hhs.gov/hipaa/for-professionals/security/index.html.
  2. Schwartz, J. Healthcare providers and hospitals under ransomware's siege. The Edge. https://www.darkreading.com/edge-articles/healthcare-providers-and-hospitals-under-ransomware-s-siege.
  3. Office of Senator Mark R. Warner. November 2022. Cybersecurity is patient safety. https://www.warner.senate.gov/public/_cache/files/f/5/f5020e27-d20f-49d1-b8f0-bac298f5da0b/0320658680B8F1D29C9A94895044DA31.cips-report.pdf.
  4. National Institute of Standards and Technology. July 21, 2022. Implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule: A cybersecurity resource guide. https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/draft.
  5. Microsoft. 2023. What is identity and access management (IAM)? https://www.microsoft.com/en-us/security/business/security-101/what-is-identity-access-management-iam.
  6. Henriquez, M. November 10, 2022. Insider threat peaks to highest level in Q3 2022. Security Magazine. https://www.securitymagazine.com/articles/98591-insider-threat-peaks-to-highest-level-in-q3-2022.
  7. Microsoft. 2023. What is Zero Trust architecture? https://www.microsoft.com/en-us/security/business/security-101/what-is-zero-trust-architecture.
  8. Microsoft. 2023. Evaluate your Zero Trust security posture. https://www.microsoft.com/en-us/security/business/zero-trust/maturity-model-assessment-tool?activetab=solution-wizard%3aprimaryr1.
Want to get more stories like this one? Get daily news updates from Healthcare IT News.