Privileged access management: the cyber priority for the healthcare sector
The news has recently been full of stories documenting the rise of technology in the NHS: from the role of artificial intelligence in treating Parkinson’s disease, to Matt Hancock’s call for a greater deployment and use of apps in our health service – there are seemingly never-ending opportunities for new technologies to revolutionise healthcare.
While this race to reap health benefits from technology is exciting, security must not be forgotten. Healthcare organisations now gather huge amounts of data that is valuable to hackers, and the worst attacks are yet to come.
We often hear about the NHS in negative terms on the news, as the service can fall victim to hacks due to outdated and unsupported software. At the same time, the growing cyber security skills gap makes it incredibly challenging to effectively protect against ransomware and internal threats to information such as electronic personal health information (ePHI). That’s without mentioning regulations around this information, such as HIPAA, HITECH and GDPR, which will increasingly tighten while also bringing in tougher penalties for those organisations that fail to comply.
The CyberArk annual Global Advanced Threat Landscape report revealed that 42% of security professionals around the world admitted that the biggest cyber threat faced was unsecured privileged accounts. Where privileged access is concerned, all points of access on any machine or device must be secured. This includes the applications and medical devices that interact with critical systems and enable critical processes such as integrating patient diagnostics data from third-party services.
The key to containing a threat actor, be it internal or external, malicious or not, is to adequately manage privileged accounts, credentials and confidential information. The healthcare sector faces high stakes as it deals with huge amounts of sensitive patient data, so managing and securing privileged access must be a priority.
What does the current healthcare threat landscape look like?
Technology can indeed help modernise our healthcare system by allowing patients to immediately speak to GPs via video, or order repeat prescriptions through an app. But security must be embedded at the heart of these new innovations. A more connected health service will inevitably mean an expanded attack surface for hackers.
In this scenario, security can’t be an afterthought or a ‘bolt on’ consideration. With the spread of ePHI across networks, web portals and mobile endpoints, the risk to healthcare providers is only set to increase. The only way to reduce the risk of a data breach or cyber-attack is to implement a holistic security strategy for healthcare environments – including streamlined privileged access control.
Our Global Advanced Threat Landscape report also found that 52% of healthcare IT decision-makers don’t think they can prevent hackers from infiltrating their networks, putting customers’ PII at risk for 59% of them. The old approach of building ‘high walls’ to keep hackers away no longer works. Hackers will always find a way in, so healthcare organisations have to implement security tools that assume attackers are already inside and prevent them from gaining access to critical systems.
Tighter regulations, harsher penalties
Today’s regulatory environment is getting stricter while ransomware and other cyber attacks are gaining in momentum, making it difficult for IT teams to dodge hefty fines and ensure compliance.
But penalties are not the only threat for organisations. Operational costs for recovery can quickly add up after a breach – according to a Ponemon study, a healthcare data breach costs on average USD$380 per record – more than 2.5 times the global average across industries.
To show compliance with HIPAA, HITECH, GDPR and other industry regulations now in place, healthcare companies must have access to documented, auditable proof of their efforts to protect privileged access at all costs. Audit trails demand a solution that enables comprehensive monitoring, recording and isolation of all privileged user sessions, detailed activity reports on critical ePHI databases and applications, fully searchable audit logs, and complete, multi-layered audit trail data protection.
How to deliver a modern, secure healthcare service
Privileged access management is crucial for healthcare companies to proactively protect against, detect and respond to attacks in progress before attackers wreak havoc. But managing privileges does not mean denying them – rather, it means controlling who has access to what and why. Managing privileged access is one component of basic cyber security hygiene that can have a positive impact on an organisation’s overall security posture and compliance efforts.
Privileged access security can complement and work in tandem with existing security tools, allowing organisations to get more positive outcomes. It can provide automated, proactive, end-to-end detection and protection for all privileged access to systems containing ePHI. Privileged threat detection and analytics provides the ability to respond and remediate anomalous or high-risk activities. Monitoring the behaviour of privileged activity to ensure users are not disabling, circumventing or altering implemented security safeguards and controls is not only a best practice but often required by this new regulatory environment.
We are in an exciting age of innovative technologies. Apps, digitised systems and AI have the power to transform our healthcare system and improve patient care. But security has to come on this journey – from start to finish. Privileged access management is a much-needed step to secure healthcare organisations in the age of the ‘mass data breach’. With the right privileged access security steps set in place, a hacker’s capacity to escalate privileges and, in turn, access confidential information such as patient records will be mitigated. Too much is at stake if proper cyber hygiene is not woven into a healthcare organisation’s digital transformation.
C. Light aim to detect Alzheimer's with AI and eye movements
C. Light Technologies, a neurotechnology and AI company based in Boston, has received funding for a pilot study that will assess changes in eye motion during the earliest stage of Alzheimer's, known as mild cognitive impairment.
C. Light Technologies has partnered with the UCSF Memory and Aging Center for this research. As new therapeutics for Alzheimer’s are introduced to the clinic, this UCSF technology has the potential to provide clinicians a better method to measure disease progression, and ultimately therapeutic efficacy, using C. Light’s novel retinal motion technology.
Eye motion has been used for decades to triage brain health, which is why doctors ask you to “follow my finger” when they want to assess whether you have concussion. In more than 30 years of research, studies have revealed that Alzheimer’s disease patients' eye movements are affected by the disease, though to date, these eye movements have only been measured on a larger scale.
C. Light’s research takes the eye movement tests to a microscopic level for earlier assessments. Clinicians can study and measure eye motion on a scale as small as 1/100th the size of a human hair, which can help them monitor a patient’s disease and treat it more effectively.
The tests are also easy to administer. Patients put their chin in a chinrest and focus on a target for 10 seconds. The test does not require eye dilation, and patients are permitted to blink. A very low-level laser light is shown through the pupil and reflects off the patient’s retina, while a sensitive camera records the cellular-level motion in a high-resolution video. This eye motion is then fed into C. Light’s advanced analytical platform.
“C. Light is creating an entirely new data stream about the status of brain health via the eye,” explains Dr. Christy K. Sheehy, co-founder of C. Light. “Our growing databases and accompanying AI can change the way we monitor and treat neurological disease for future generations. Ultimately, we’re working to increase the longevity and quality of life for our loved ones.”
At the moment, developing therapeutic treatments for the central nervous system is difficult, with success rates of only 8% to go from conception to market. One reason for this is the lack of tools to measure the progression of diseases that impact the nervous system.
Additionally, clinical trials can take a decade to come to fruition because the methods used to assess drug efficacy are inefficient. C. Light believe they can change this.
“Before this year, it had been almost 20 years since an Alzheimer’s drug was brought to market,” explains Sheehy. “Part of the reason for this very slow progress is that drug developers haven’t had viable biomarkers that they can use to effectively stratify patients and track disease on a fine scale. The ADDF’s investment will allow us to do that.”
C. Light has received the investment from the Alzheimer’s Drug Discovery Foundation (ADDF) through its Diagnostics Accelerator, a collaborative research initiative supported by Bill Gates, the Dolby family, and Jeff Bezos among other donors.
C. Light recently completed its second and final seed round raising $500,000, including the ADDF investment, which brings their total seed funding to more than $3 million. Second round seed funders included: ADDF, the Wisconsin River Business Angels, Abraham Investments, LLC and others.
The ADDF’s Diagnostics Accelerator has made previous investments in more than two dozen world-class research programmes to explore blood, ocular, and genetic biomarkers, as well as technology-based biomarkers to identify the early, subtle changes that happen in people with Alzheimer’s.