The recent ransomware attack on the NHS highlights just how vulnerable the healthcare sector is in today’s digital age. In just the first week following the attack, over 800 planned operations needed to be rearranged – and that was only across the two most affected NHS Trusts. Fast forward five weeks, and the number of cancelled appointments and procedures had grown to more than 6,000. As if the disruption to patient care wasn’t enough, almost 400GB of private information was leaked online, with the attackers demanding £40m in ransom from the NHS.
This attack has made it clear that cyber criminals take no prisoners when it comes to critical services and infrastructure. It also highlights vulnerabilities within the wider healthcare ecosystem, as the NHS confirmed its patient data, managed by blood test management organisation Synnovis, was stolen in the attack.
Cyber criminals are increasingly targeting supply chains across multiple industries, looking to find gaps in organisations’ security posture. In particular, healthcare organisations like the NHS are viewed as an ‘easy ride in’ to sensitive databases due to their complex webs of access and reliance on third parties. Non-employee identities like contractors, suppliers, travel nurses and medical students are easier for malicious actors to hack and exploit if not protected in the same way as permanent staff.
With this in mind, and amidst proposed legislation to strengthen digital supply chains for public services, let’s explore how the healthcare sector can better combat the challenges associated with non-employee labour to prevent the wrong identities from creeping into its systems.
A surge in non-employee identities: why this deepens the hacker pool
Nearly half of today’s enterprises are made up of non-employee identities that can access internal networks. This is especially true for the healthcare sector, which has seen a drastic influx of travel nurses and contracted physicians since the pandemic, as labour shortages persist.
Additionally, the NHS alone currently employs 1.5 million people, yet only 1.3 million of them work on a full-time basis. Whilst non-employee labour is vital in the healthcare industry for plugging resourcing gaps and filling staff shortages, this growing reliance on third-party labour has simultaneously introduced new security challenges and risks.
One of the key risks associated with the volume of identities working within internal healthcare systems is the potential for unauthorised access to confidential patient data. Without proper visibility and management of identities, both employee and non-employee accounts can become overprovisioned: users are granted access to systems and files beyond what their roles and responsibilities require, and every unneeded entitlement is another potential entry point for cybercriminals looking to exploit gaps in an organisation’s security infrastructure. With little oversight of third-party non-employees, this lack of visibility makes a breach far more likely.
Prescribing a proper dose of identity access in healthcare
One of the biggest issues that sets the healthcare industry apart when it comes to managing non-employee identities is the sector’s reliance on legacy technology and manual processes. Healthcare organisations frequently work with students and medical schools to train the doctors, nurses and physicians of tomorrow. As a result, the industry is more prone to receiving student information as unstructured data – details buried in spreadsheets and emails – which takes significant manual effort to process. This opens a can of worms, because non-employee data is not continuously managed and updated.
When managed through manual methods like spreadsheets, non-employee details are not regularly monitored, and access that is no longer justified builds up. These spreadsheets can lie dormant for months at a time, giving organisations no indication of when non-employees leave or change roles. Access privileges are therefore not removed when a non-employee moves on or changes role – increasing the risk of compromised access or a data leak.
When non-employees and their access needs are managed separately from the rest of the business, the opportunity for risk grows, as user information and access rights are scattered across different areas of the business – hindering visibility. To guard against a potential compromise, companies need to manage both types of identities – employees and non-employees alike – in a centralised way, so that they have clear, holistic visibility across all identities and their access.
To better manage the identity explosion and keep track of everyone on an internal network, healthcare companies should work closely with security experts to get non-employee risk management processes up and running. Such processes allow organisations to execute risk-based identity access and lifecycle strategies for third-party non-employees. This enables healthcare companies to implement more stringent access controls to reduce the risk of unauthorised access – granting access permissions to contract workers on a “need-to-know” basis only. In other words, only allowing access to the necessary applications and data at the right time – nothing more, nothing less. By doing this, companies can untangle this complex web of access and gain better, more holistic visibility over who has access to their patient data and where it is being shared.
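One concrete way to run the lifecycle checks the two paragraphs above call for – catching non-employee accounts whose engagement has ended, accounts nobody on the roster sponsors, accounts holding more than their role needs, and accounts that have gone unused – is to reconcile the sponsoring department’s roster against an export of the identity store. The script below is an added example, not part of the original article or of any SailPoint product; the roster, the account export, the role baselines, the 90-day dormancy threshold and all identifiers in it are constructed for illustration.

```python
"""Reconcile a non-employee roster against an access export.

Added example for illustration. The roster, account export, role
baselines, dormancy threshold and identifiers are all constructed
(assumptions), not data from the article or from any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed role baselines: the full set of entitlements a role should hold.
# Anything beyond this is overprovisioning relative to "need-to-know".
ROLE_BASELINE: Dict[str, Set[str]] = {
    "travel_nurse": {"ehr_clinical_read", "ehr_clinical_write", "ward_rota"},
    "med_student": {"ehr_clinical_read", "elearning"},
    "lab_contractor": {"lims_read", "lims_write"},
}

DORMANT_AFTER_DAYS = 90  # assumed threshold before sponsor review


@dataclass(frozen=True)
class RosterEntry:
    user_id: str
    role: str
    sponsor: str   # accountable internal owner of this non-employee
    start: date
    end: date      # hard end date of the engagement


@dataclass(frozen=True)
class Account:
    user_id: str
    entitlements: frozenset
    last_login: Optional[date]


# Constructed sample roster (what HR / the sponsoring department knows).
TODAY = date(2024, 7, 15)
SAMPLE_ROSTER = [
    RosterEntry("tn-1001", "travel_nurse", "ward-b-manager", date(2024, 6, 3), date(2024, 9, 30)),
    RosterEntry("tn-1007", "travel_nurse", "ward-c-manager", date(2024, 1, 8), date(2024, 12, 20)),
    # Mover: ms-2044 moved from a contractor role to a student placement,
    # but the account below still carries write access from the old role.
    RosterEntry("ms-2044", "med_student", "med-school-liaison", date(2024, 4, 1), date(2025, 3, 31)),
    RosterEntry("lc-3002", "lab_contractor", "pathology-lead", date(2023, 11, 1), date(2024, 5, 31)),
]

# Constructed sample access export (what the identity store actually holds).
SAMPLE_ACCOUNTS = [
    Account("tn-1001", frozenset({"ehr_clinical_read", "ehr_clinical_write", "ward_rota"}), date(2024, 7, 14)),
    Account("tn-1007", frozenset({"ehr_clinical_read", "ward_rota"}), date(2024, 2, 1)),
    Account("ms-2044", frozenset({"ehr_clinical_read", "ehr_clinical_write", "elearning"}), date(2024, 7, 12)),
    Account("lc-3002", frozenset({"lims_read", "lims_write"}), date(2024, 6, 20)),
    Account("lc-3009", frozenset({"lims_read"}), None),  # nobody on the roster owns this
]


def reconcile(roster: List[RosterEntry], accounts: List[Account], today: date) -> Dict[str, list]:
    """Compare every account against the roster and return findings by category."""
    by_id = {r.user_id: r for r in roster}
    findings: Dict[str, list] = {"orphan": [], "expired": [], "overprovisioned": [], "dormant": []}
    for acct in accounts:
        entry = by_id.get(acct.user_id)
        if entry is None:
            # No sponsor and no end date: nobody can attest that this access is needed.
            findings["orphan"].append(acct.user_id)
            continue
        if entry.end < today:
            findings["expired"].append(acct.user_id)
        # Mover check: entitlements beyond the baseline of the user's *current* role.
        extra = acct.entitlements - ROLE_BASELINE.get(entry.role, set())
        if extra:
            findings["overprovisioned"].append((acct.user_id, sorted(extra)))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            findings["dormant"].append(acct.user_id)
    return findings


def remediation_plan(findings: Dict[str, list]) -> List[tuple]:
    """Turn findings into (user_id, action, reason) tuples for the identity team."""
    plan = []
    for uid in findings["orphan"]:
        plan.append((uid, "disable", "no roster record: no sponsor, no end date"))
    for uid in findings["expired"]:
        plan.append((uid, "disable", "engagement end date has passed"))
    for uid, extra in findings["overprovisioned"]:
        plan.append((uid, "remove_entitlements", ", ".join(extra)))
    for uid in findings["dormant"]:
        plan.append((uid, "sponsor_review", f"no login in {DORMANT_AFTER_DAYS} days"))
    return plan


if __name__ == "__main__":
    for uid, action, reason in remediation_plan(reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY)):
        print(f"{uid:<10} {action:<20} {reason}")
```

Run as-is it prints four actions: disable the orphaned `lc-3009` and the expired `lc-3002`, strip `ehr_clinical_write` from the student `ms-2044`, and send `tn-1007` to its sponsor for review. The two points worth carrying into a real implementation are that the roster, not the identity store, is the source of truth for who may exist, and that the baseline is keyed on the user’s current role so that a mover’s leftover entitlements surface as overprovisioning rather than silently persisting.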
Regular check-ups required, with X-ray transparency
Keeping track of employees and non-employees effectively means ensuring that these identities are managed centrally and intelligently. With AI at the core of a unified identity security solution, organisations can quickly analyse vast amounts of data to detect patterns indicative of potential threats. Technology such as this is vital in allowing organisations to see, manage, control, and secure all variations of identity. Whether it’s a malicious cyber criminal trying to gain access to sensitive data, or an innocent employee or non-employee accidentally clicking on a deceiving link, businesses can respond more quickly to shut down any risk that could result in a data breach.
Additionally, healthcare organisations need to foster a collaborative approach to managing their identities, and this starts by working closely with HR teams. HR and IT teams need to be in sync. They need to know who is managing what types of employees, where their information is being stored and what access is being given to them or removed when they are being onboarded or offboarded. Both teams need to work together to create a transition plan for when people are moving from a non-employee role to an employed role, and manage access based on this.
With 93% of healthcare organisations experiencing an identity-related security breach in recent years, healthcare organisations must prioritise staying one step ahead of cyber criminals. With patient wellbeing as well as confidential data at stake, the risk is too high otherwise. As such, implementing stringent identity security protocols within the sector cannot be overlooked. Leveraging developments in AI technology and fostering a unified approach to identity security will be vital in achieving visibility over who has access to what within critical systems.
Regardless of employment status – whether part time, full time, temporary or contracted – organisations must uncompromisingly manage and control access rights for all users. Protecting sensitive data will be crucial to the sector’s efforts to mitigate the risk of another malicious cyberattack.
By Gregg Hardie, Public Sector Director at SailPoint