Healthcare Organizations need an Identity Hygiene Check Up
The recent data breach at Geisinger, a major healthcare provider, underscores the critical risks associated with delayed employee offboarding and unauthorized access. This breach, involving a former employee of Microsoft-owned Nuance Communications, highlights common gaps in identity governance and access management (IGA) that healthcare organizations should address to protect patient data and maintain trust.
Unpacking the Breach: Key Facts
A case of delayed offboarding turns toxic
On November 29, 2023, Geisinger discovered unauthorized access to patient information by a former Nuance employee, just two days after their termination. Nuance has been a Microsoft-owned business for over three years and provides information technology services to Geisinger. Despite the employee no longer being part of Nuance, their access credentials remained active, allowing them to view sensitive patient information, including dates of birth, addresses, medical record numbers, and other personal details for over one million patients.
This breach was significant due to the sheer volume of affected individuals and revealed the massive effects of delays in Geisinger's and Nuance's offboarding processes. The misstep of not immediately revoking access to critical systems upon employee termination demonstrates how inaction can have far-reaching consequences.
Insider Threat: A Growing Concern
Insider threats, particularly those from former employees, are increasingly recognized as a substantial risk to organizations. The so-called "termination gap"—the period between an employee's termination and the revocation of their access to company systems—represents a critical window during which unauthorized access is likely to occur. In Geisinger's case, this gap was only two days, but it was enough to compromise a vast amount of patient data.
“According to a 2023 report by Gartner, the average time to offboard an employee in many organizations is around 14 days, which can significantly increase the risk of unauthorized access.” – Gartner
The Role of Identity Governance and Administration (IGA)
The Geisinger breach also highlights the risk of relying on partially or inadequately deployed IGA solutions. Effective IGA is crucial for managing user identities and their access rights across an organization. It ensures that access to sensitive information is tightly controlled, and permissions are revoked as soon as an employee leaves the organization. In healthcare, where third-party vendors often have access to patient data, robust IGA practices are even more critical. This example is a stark reminder that failing to fully deploy and manage IGA solutions, which is the case for many healthcare organizations, can leave organizations highly vulnerable to data breaches and other security incidents.
The (Dis)illusion of Security from Single Sign-On (SSO)
Many healthcare organizations mistakenly believe that implementing Single Sign-On (SSO) is enough to secure their systems and protect sensitive patient data. While SSO simplifies the login process by allowing users to access multiple applications with a single set of credentials, it is not a standalone solution for comprehensive security.
SSO can indeed reduce the complexity of managing multiple passwords and can improve user convenience, but it does not comprehensively address broader issues related to identity and access management (IAM). For instance, SSO does not inherently enforce strict access controls or monitor user activities. If an SSO credential is compromised, it can potentially grant access to multiple systems and data sources, exacerbating the risk of unauthorized access.
To effectively protect sensitive data, healthcare organizations should combine SSO with robust IAM practices, including visibility into what apps have multi-factor authentication (MFA), regular audits of user permissions, and continuous monitoring for unusual activities. These measures help ensure that even if SSO credentials are compromised, additional security layers prevent unauthorized access to critical systems and data.
Moreover, organizations should avoid the misconception that SSO alone can replace a comprehensive IAM strategy. A holistic approach to IAM should include detailed policies for user access management, rigorous offboarding procedures, tools that facilitate policy enforcement, and regular training to promote security awareness among staff. By combining SSO with these practices, healthcare organizations can build a more resilient defense against cyber and insider threats and protect patient data more effectively.
The Role of Continuous Monitoring and Auditing
Continuous monitoring and regular audits are needed to prevent incidents like the Geisinger breach. In practice that means reconciling the list of people who have left (employees and vendor staff alike) against the accounts that are still active, and reviewing who has access to patient data and whether that access is still justified. These practices help organizations detect and address potential vulnerabilities before malicious insiders or external attackers can exploit them.
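The checks described in this section, in the "termination gap" discussion above, and in the SSO section's call for visibility into which apps enforce MFA can be expressed as a small audit routine. The following is an added example written for this article; it is not code from the post or from Savvy, and all accounts, apps and dates in it are constructed sample data. It measures the gap between each worker's termination date and the revocation of their access, flags logins that occurred after termination, and lists apps that do not enforce MFA, with apps holding patient data ranked first.

```python
"""Identity hygiene audit over constructed sample data (added example, not the post's code).

Two checks the article calls for:
  1. termination gap: accounts that remain active, or were used, after the
     worker's termination date, with the gap measured in days;
  2. MFA coverage: apps (SSO-federated or not) that do not enforce MFA.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple


@dataclass
class Account:
    user: str
    employer: str                      # direct employee or third-party vendor
    terminated_on: Optional[date]      # None = still employed
    access_revoked_on: Optional[date]  # None = access never revoked
    last_login: Optional[datetime]     # None = no recorded login


@dataclass
class App:
    name: str
    sso: bool           # reachable through the SSO provider
    mfa_enforced: bool  # MFA required at sign-in
    holds_phi: bool     # stores or exposes patient data


# Constructed sample data: hypothetical users and apps, not real identities.
AS_OF = date(2023, 12, 1)
ACCOUNTS = [
    Account("a.vendor", "vendor-x", date(2023, 11, 27), None, datetime(2023, 11, 29, 9, 15)),
    Account("b.staff", "hospital", date(2023, 11, 1), date(2023, 11, 1), datetime(2023, 10, 31, 17, 0)),
    Account("c.staff", "hospital", None, None, datetime(2023, 11, 28, 8, 0)),
    Account("d.vendor", "vendor-y", date(2023, 11, 10), date(2023, 11, 24), None),
]
APPS = [
    App("ehr-portal", sso=True, mfa_enforced=False, holds_phi=True),
    App("payroll", sso=True, mfa_enforced=True, holds_phi=False),
    App("transcription", sso=False, mfa_enforced=False, holds_phi=True),
]


def termination_gap_days(acct: Account, as_of: date) -> int:
    """Days between termination and revocation; an open gap is measured up to as_of."""
    if acct.terminated_on is None:
        return 0
    end = acct.access_revoked_on or as_of
    return (end - acct.terminated_on).days


def find_offboarding_findings(accounts: List[Account], as_of: date,
                              max_gap_days: int = 0) -> List[Tuple[str, str, int]]:
    """Return (user, finding, gap_days) for every offboarding problem found."""
    findings = []
    for a in accounts:
        if a.terminated_on is None:
            continue  # still employed, nothing to offboard
        gap = termination_gap_days(a, as_of)
        if a.access_revoked_on is None:
            findings.append((a.user, "access still active after termination", gap))
        elif gap > max_gap_days:
            findings.append((a.user, "late revocation", gap))
        # A login dated after termination is the strongest signal: it is not a
        # policy lapse but actual use of credentials that should have been dead.
        if a.last_login is not None and a.last_login.date() > a.terminated_on:
            findings.append((a.user, "login after termination", gap))
    return findings


def find_mfa_gaps(apps: List[App]) -> List[App]:
    """Apps without enforced MFA, those holding patient data first, then by name."""
    gaps = [app for app in apps if not app.mfa_enforced]
    return sorted(gaps, key=lambda app: (not app.holds_phi, app.name))


def run_audit(accounts=ACCOUNTS, apps=APPS, as_of=AS_OF) -> dict:
    """Bundle both checks into one report suitable for a periodic audit job."""
    return {
        "offboarding": find_offboarding_findings(accounts, as_of),
        "mfa_gaps": [app.name for app in find_mfa_gaps(apps)],
    }


if __name__ == "__main__":
    report = run_audit()
    for user, finding, gap in report["offboarding"]:
        print(f"{user}: {finding} (gap {gap} days)")
    print("apps without MFA:", ", ".join(report["mfa_gaps"]))
```

Run as a scheduled job against exports from the HR system and the SSO provider, the offboarding list is the one to act on first: an entry of "login after termination" is the situation the article describes, and a non-zero gap on a vendor account shows where the revocation path between the vendor and the provider is slow. The MFA list supports the point made about SSO, since a federated app that does not enforce MFA inherits the full blast radius of a single compromised credential.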
The Importance of a Holistic IAM Strategy
A holistic IAM strategy that integrates multiple layers of security controls is essential for protecting sensitive patient data and mitigating the risks associated with insider threats and third-party access.
As healthcare evolves and adopts new technologies, the threat landscape will only grow more complex. By learning from incidents like the Geisinger breach and taking decisive action to strengthen their security practices, healthcare organizations can build a more resilient defense against the ever-present threat of data breaches and insider threats. The protection of patient data is not just a regulatory requirement but a fundamental responsibility that must be prioritized in every aspect of healthcare operations.
Combatting SaaS Challenges with Savvy
Savvy helps organizations overcome the challenges of managing their SaaS environments. With Savvy, organizations can discover where their authentication controls are weak, such as lacking MFA, and take steps to secure them. Savvy also surfaces toxic combinations of risk, uncovers hidden Business-led IT resources, and streamlines compliance and audit processes.
Healthcare organizations must prioritize robust identity hygiene practices, including automated offboarding workflows and continuous monitoring tools, to mitigate insider threats effectively.