Thursday, 30 July 2015

HIPAA technical controls no silver bullet for securing patient data

Putting too much trust in technical controls could be a big mistake in a provider organization’s security strategy, according to Jeffrey Wilson, director of information services in assurance and IT security at Albany Medical Center.

While controls such as encryption and access management go a long way toward securing patient data, employee training remains “absolutely indispensable, absolutely top of the priority list,” Wilson says in an interview with HealthITSecurity.

The cyberattack at Anthem, which compromised records for close to 80 million of the payer’s customers, is among the recent breaches attributed to stolen employee credentials rather than lack of encryption.

“So you can encrypt all day long, you can build Fort Knox, you can build the most sophisticated castle that you’ve ever had, with all kinds of defenses known to man,” Wilson says. “But if somebody’s going to hand over the keys, it’s game over.”

He also stresses the need for role-based access, and for an ongoing review of that access.

“Organizations need to put the effort into attaining some clarity on the roles within the organization and have that translated into system access,” he says, describing the problems associated with longevity. “[I]t’s like a snowball rolling down the hill. The longer you’re there, the more access you accumulate. And that’s the exact opposite of what we’re trying to achieve.”
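The "snowball" Wilson describes is what a periodic access review (recertification) is meant to catch: compare what each account actually holds against what its current roles permit, and flag the remainder. The script below is an added illustration, not code from Albany Medical Center or HealthITSecurity; the role names, entitlement names and user records are constructed sample data, and the role-to-entitlement table stands in for whatever identity system an organization really uses.

```python
"""Access-review (recertification) helper: flag entitlements an account
holds that none of its *current* roles justify.  Added example; roles,
entitlements and users are constructed, not taken from any real system."""
from dataclasses import dataclass

# Hypothetical role model: the entitlements each role is permitted to hold.
ROLE_ENTITLEMENTS = {
    "nurse":   {"ehr:read", "ehr:chart_write", "mar:read"},
    "billing": {"ehr:read", "claims:read", "claims:write"},
    "dba":     {"db:admin", "ehr:read"},
}


@dataclass
class User:
    name: str
    roles: set          # roles the person holds today (from HR / IdM)
    entitlements: set   # what the target systems actually grant today


def review_user(user):
    """Return (excess, missing) entitlements relative to the user's current roles.

    'excess' is the snowball: access left over from old roles or removed roles.
    'missing' is access the role allows but the account lacks (a provisioning gap).
    """
    allowed = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))
    return user.entitlements - allowed, allowed - user.entitlements


def review_all(users):
    """Run the review over every account; only accounts with findings are returned."""
    findings = {}
    for u in users:
        excess, missing = review_user(u)
        if excess or missing:
            findings[u.name] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings


# Constructed sample accounts illustrating the failure modes the review should catch.
SAMPLE_USERS = [
    # Moved from nursing to billing; clinical access was never removed.
    User("alice", {"billing"},
         {"ehr:read", "claims:read", "claims:write", "ehr:chart_write", "mar:read"}),
    # Clean account: entitlements match the role exactly.
    User("bob", {"nurse"}, {"ehr:read", "ehr:chart_write", "mar:read"}),
    # Role removed (e.g. contractor off-boarded in HR) but the account kept admin rights.
    User("carol", set(), {"db:admin", "ehr:read"}),
]

if __name__ == "__main__":
    for name, finding in review_all(SAMPLE_USERS).items():
        print(f"{name}: excess={finding['excess']} missing={finding['missing']}")
```

Run on a schedule and route each account's "excess" list to the owner of the relevant role for an approve-or-revoke decision; an account with no current roles but non-empty entitlements (carol above) should be revoked outright rather than reviewed.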

He says organizations should be conducting ongoing risk assessments, determining whether the controls in place are the right ones and making sure they’re being vigilant day to day.

Sudhakar Gummadi, chief information security officer at California-based Molina Healthcare, recently said that there is great need for privileged access management. Privileged access, which IT workers use to do their jobs of building and maintaining the infrastructure, essentially gives them the keys to the kingdom. These days, though, it doesn’t make sense to offer them 24/7 privileged access, Gummadi said.
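Gummadi's point that administrators should not hold privileged access around the clock is usually implemented as just-in-time elevation: the account is eligible for a privilege but only holds it for an approved, time-boxed window. The broker below is an added example, not code from Molina Healthcare; the eligibility table, the two-hour ceiling, the approver model and the sample users are assumptions chosen for illustration. A fake clock is used so the expiry path can be exercised without waiting.

```python
"""Just-in-time privileged access broker (added example, assumptions noted).
Privileges are never standing: each elevation needs a reason, a separate
approver and a bounded duration, and is revoked when the window closes."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=2)   # assumed policy ceiling for a single elevation


@dataclass
class Grant:
    user: str
    privilege: str
    reason: str
    approved_by: str
    expires_at: datetime


class PrivilegeBroker:
    def __init__(self, eligible, clock=None):
        # eligible: user -> privileges the user may *request* (not hold permanently)
        self.eligible = eligible
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.grants = {}    # (user, privilege) -> active Grant
        self.audit = []     # append-only record of every decision

    def request(self, user, privilege, reason, approved_by, duration):
        now = self.clock()
        if privilege not in self.eligible.get(user, set()):
            self.audit.append((now, "deny", user, privilege, "not eligible"))
            return None
        if approved_by == user:                       # no self-approval
            self.audit.append((now, "deny", user, privilege, "self-approval"))
            return None
        if not reason or duration <= timedelta(0) or duration > MAX_GRANT:
            self.audit.append((now, "deny", user, privilege, "bad reason/duration"))
            return None
        grant = Grant(user, privilege, reason, approved_by, now + duration)
        self.grants[(user, privilege)] = grant
        self.audit.append((now, "grant", user, privilege, reason))
        return grant

    def is_elevated(self, user, privilege):
        """Authorization check callers make at use time; expired grants are dropped here."""
        grant = self.grants.get((user, privilege))
        if grant is None:
            return False
        if self.clock() >= grant.expires_at:
            del self.grants[(user, privilege)]
            self.audit.append((self.clock(), "expire", user, privilege, ""))
            return False
        return True


class FakeClock:
    """Controllable clock so expiry can be demonstrated without sleeping."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


def run_demo():
    """Walk through the denial paths, a valid grant and its expiry; returns outcomes."""
    clock = FakeClock(datetime(2015, 7, 30, 9, 0, tzinfo=timezone.utc))
    broker = PrivilegeBroker({"dba1": {"db:admin"}, "helpdesk": {"ad:reset_password"}}, clock)
    out = {}
    out["self_approval"] = broker.request("dba1", "db:admin", "patch", "dba1", timedelta(hours=1)) is None
    out["not_eligible"] = broker.request("helpdesk", "db:admin", "curious", "mgr", timedelta(hours=1)) is None
    out["too_long"] = broker.request("dba1", "db:admin", "patch", "mgr", timedelta(hours=8)) is None
    grant = broker.request("dba1", "db:admin", "CR-1234 index rebuild", "mgr", timedelta(hours=1))
    out["granted"] = grant is not None
    out["elevated_now"] = broker.is_elevated("dba1", "db:admin")
    clock.advance(timedelta(minutes=61))                # window has closed
    out["elevated_later"] = broker.is_elevated("dba1", "db:admin")
    out["audit_events"] = [event[1] for event in broker.audit]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The audit list is the part a security operations team cares about: every grant carries who asked, who approved, why, and when it lapsed, so privileged activity can be tied to a ticket rather than to an always-on admin account.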

A report from the U.S. Office of Personnel Management’s Office of the Inspector General, issued nearly a year before the recently announced breach of Mountlake Terrace, Washington-based payer Premera, found a number of vulnerabilities. Among its recommendations was that Premera require multi-factor authentication for access to the computer room.

View the original content and more from this author here: http://ift.tt/1I3F2WP



from health IT caucus http://ift.tt/1I3F0hx
via IFTTT