Privileged access management: the cyber priority for the healthcare sector
The news has recently been full of stories documenting the rise of technology in the NHS: from the role of artificial intelligence in treating Parkinson’s disease, to Matt Hancock’s call for a greater deployment and use of apps in our health service – there are seemingly never-ending opportunities for new technologies to revolutionise healthcare.
While this race to reap health benefits from technology is exciting, security must not be forgotten. Healthcare organisations now gather huge amounts of data that is valuable to hackers, and the worst attacks are yet to come.
We often hear about the NHS in negative terms on the news, as the service can fall victim to hacks due to outdated and unsupported software. At the same time, the growing cyber security skills gap makes it incredibly challenging to effectively protect against ransomware and internal threats to information such as electronic personal health information (ePHI). That’s without mentioning regulations around this information, such as HIPAA, HITECH and GDPR, which will increasingly tighten while also bringing in tougher penalties for those organisations that fail to comply.
The CyberArk annual Global Advanced Threat Landscape report revealed that 42% of security professionals around the world admitted that the biggest cyber threat faced was unsecured privileged accounts. When privileged access is concerned, all points of access on any machine or device must be secured. This includes the applications and medical devices that interact with critical systems and enable critical processes such as integrating patient diagnostics data from third-party services.
The key to containing a threat actor, be it internal or external, malicious or not, is to adequately manage privileged accounts, credentials and confidential information. The healthcare sector faces high stakes as it deals with huge amounts of sensitive patient data, so managing and securing privileged access must be a priority.
What does the current healthcare threat landscape look like?
Technology can indeed help modernise our healthcare system by allowing patients to immediately speak to GPs via video, or order repeat prescriptions through an app. But security must be embedded at the heart of these new innovations. A more connected health service will inevitably mean an expanded attack surface for hackers.
In this scenario, security can’t be an afterthought or a ‘bolt on’ consideration. With the spread of ePHI across networks, web portals and mobile endpoints, the risk to healthcare providers is only set to increase. The only way to reduce the risk of a data breach or cyber-attack is to implement a holistic security strategy for healthcare environments – including streamlined privileged access control.
Our Global Advanced Threat Landscape report also found that 52% of healthcare IT decision-makers don’t think they can prevent hackers from infiltrating their networks, putting customers’ PII at risk for 59% of them. The old approach of building ‘high walls’ to keep hackers away no longer works. Hackers will always find a way in – so healthcare organisations have to implement security tools that assume attackers are already inside and prevent them from gaining access to critical systems.
Tighter regulations, harsher penalties
Today’s regulatory environment is getting stricter while ransomware and other cyber attacks are gaining in momentum, making it difficult for IT teams to dodge hefty fines and ensure compliance.
But penalties are not the only threat for organisations. Operational costs for recovery can quickly add up after a breach – according to a Ponemon study, a healthcare data breach costs on average USD$380 per record – more than 2.5 times the global average across industries.
To show compliance with HIPAA, HITECH, GDPR and other industry regulations now in place, healthcare companies must have access to documented, auditable proof of their efforts to protect privileged access at all costs. Audit trails demand a solution that enables comprehensive monitoring, recording and isolation of all privileged user sessions, detailed activity reports on critical ePHI databases and applications, fully searchable audit logs, and complete, multi-layered audit trail data protection.
How to deliver a modern, secure healthcare service
Privileged access management is crucial for healthcare companies to proactively protect against, detect and respond to attacks in progress before attackers wreak havoc. But managing privileges does not mean denying them – rather, it means controlling who has access to what and why. Managing privileged access is one component of basic cyber security hygiene that can have a positive impact on an organisation’s overall security posture and compliance efforts.
Privileged access security can complement and work in tandem with existing security tools, allowing organisations to get more positive outcomes. It can provide automated, proactive, end-to-end detection and protection for all privileged access to systems containing ePHI. Privileged threat detection and analytics provides the ability to respond and remediate anomalous or high-risk activities. Monitoring the behaviour of privileged activity to ensure users are not disabling, circumventing or altering implemented security safeguards and controls is not only a best practice but often required by this new regulatory environment.
We are in an exciting age of innovative technologies. Apps, digitised systems and AI have the power to transform our healthcare system and improve patient care. But security has to come on this journey – from start to finish. Privileged access management is a much-needed step to secure healthcare organisations in the age of the ‘mass data breach’. With the right privileged access security steps set in place, a hacker’s capacity to escalate privileges and, in turn, access confidential information such as patient records will be mitigated. Too much is at stake if proper cyber hygiene is not woven into a healthcare organisation’s digital transformation.
How UiPath robots are helping with the NHS backlog
The COVID-19 pandemic has caused many hospitals to have logistical nightmares, as backlogs of surgeries built up as a result of cancellations. The BMJ has estimated it will take the UK's National Health Service (NHS) a year and a half to recover.
However, software robots can help, by automating computer-based processes such as replenishing inventory, managing patient bookings, and digitising patient files. Mark O’Connor, Public Sector Director for Ireland at UiPath, tells us how they deployed robots at Mater Hospital in Dublin, saving clinicians valuable time.
When did Mater Hospital implement the software robots - was it specifically to address the challenges of the pandemic?
The need for automation at Mater Hospital pre-existed the pandemic but it was the onset of COVID-19 that got the team to turn to the technology and start introducing software robots into the workflow of doctors and nurses.
The pandemic placed an increased administrative strain on the Infection Prevention and Control (IPC) department at Mater Hospital in Dublin. To combat the problem and ensure that nurses could spend more time with their patients and less time on admin, the IPC deployed its first software robots in March 2020.
The IPC at Mater plans to continue using robots to manage data around drug resistant microbes such as MRSA once the COVID-19 crisis subsides.
What tasks do they perform?
In the IPC at Mater Hospital, software robots have taken the task of reporting COVID-19 test results. Pre-automation, the process created during the 2003 SARS outbreak required a clinician to log into the laboratory system, extract a disease code and then manually enter the results into a data platform. This was hugely time consuming, taking up to three hours of a nurse’s day.
UiPath software robots are now responsible for this task. They process the data in a fraction of the time, distributing patient results in minutes and consequently freeing up to 18 hours of each IPC nurse’s time each week, and up to 936 hours over the course of a year. As a result, the healthcare professionals can spend more time caring for their patients and less time on repetitive tasks and admin work.
Is there any possibility of error with software robots, compared to humans?
By nature, humans are prone to make mistakes, especially when working under pressure, under strict deadlines and while handling a large volume of data while performing repetitive tasks.
Once taught the process, software robots, on the other hand, will follow the same steps every time without the risk of the inevitable human error. Simply speaking, robots can perform data-intensive tasks more quickly and accurately than humans can.
Which members of staff benefit the most, and what can they do with the time saved?
In the case of Mater Hospital, the IPC unit has adopted a robot for every nurse approach. This means that every nurse in the department has access to a robot to help reduce the burden of their admin work. Rather than spending time entering test results, they can focus on the work that requires their human ingenuity, empathy and skill – taking care of their patients.
In other sectors, the story is no different. Every job will have some repetitive nature to it. Whether that be a finance department processing thousands of invoices a day or simply having to send one daily email. If a task is repetitive and data-intensive, the chances are that a software robot can help. Just like with the nurses in the IPC, these employees can then focus on handling exceptions and on work that requires decision making or creativity - the work that people enjoy doing.
How can software robots most benefit healthcare providers both during a pandemic and beyond?
When the COVID-19 outbreak hit, software robots were deployed to lessen the administrative strain healthcare professionals were facing and give them more time to care for an increased number of patients. With hospitals around the world at capacity, every moment with a patient counted.
Now, the NHS and other healthcare providers face a huge backlog of routine surgeries and procedures following cancellations during the pandemic. In the UK alone, 5 million people are waiting for treatment and it’s estimated that this could cause 6,400 excess deaths by the end of next year if the problem isn’t rectified.
Many healthcare organisations have now acquired the skills needed to deploy automation, therefore it will be easier for them to build more robots to respond to the backlog going forwards. Software robots that had been processing registrations at COVID test sites, for example, could now be taught how to schedule procedures, process patient details or even manage procurement and recruitment to help streamline the processes associated with the backlog. The possibilities are vast.
The technology, however, should not be considered a short-term, tactical and reactive solution that can be deployed in times of crisis. Automation has the power to solve systematic problems that healthcare providers face year-round. Hospital managers should consider the wider challenge of dealing with endless repetitive work that saps the energy of professionals and turns attention away from patient care and discuss how investing in a long-term automation project could help alleviate these issues.
How widely adopted is this technology in healthcare at the moment?
Automation was being used in healthcare around the world before the pandemic, but the COVID-19 outbreak has certainly accelerated the trend.
Automation’s reach is wide. From the NHS Shared Business Service in the UK to the Cleveland Clinic in the US and healthcare organisations in the likes of Norway, India and Canada, we see a huge range of healthcare providers deploying automation technology.
Many healthcare providers, however, are still in the early stages of their journeys or are just discovering automation’s potential because of the pandemic. I expect to see the deployment of software robots in healthcare grow over the coming years as its benefits continue to be realised globally.
How do you see this technology evolving in the future?
If one thing is certain, it’s that the technology will continue to evolve and grow over time – and I believe there will come a point in time when all processes that can be automated, will be automated. This is known as the fully automated enterprise.
By joining all automation projects into one enterprise-wide effort, the healthcare industry can tap into the full benefits of the technology. This will involve software robots becoming increasingly intelligent in order to reach and improve more processes. Integrating the capabilities of Artificial Intelligence and Machine Learning into automation, for example, will allow providers to reach non-rule-based processes too.
We are already seeing steps towards this being taken by NHS Shared Business Service, for example. The organisation, which provides non-clinical services to around two-thirds of all NHS provider trusts and every clinical commissioning organisation in the UK, is working to create an entire eco-system of robots. It believes that no automation should be looked at in isolation, but rather the technology should stretch across departments and functions. As such, inefficiencies in the care pathway can be significantly reduced, saving healthcare providers a substantial amount of time and money.