How identity segmentation can reduce the attack surface for healthcare organizations

One of the most effective methods to reduce the attack surface is segmentation. But, what type of segmentation should be used — network-centric or identity-centric?

Data breaches with a connection to compromised privilege credentials are on the rise nationwide and continue to plague businesses in many critical infrastructure sectors including the healthcare industry.

According to Verizon’s 2021 Data Breach Investigations Report, 80 percent of breaches involve compromised credentials, one of the most common entry points for threats. According to the Cost of a Data Breach 2021 Report by IBM and the Ponemon Institute, compromised or stolen user credentials were the most common root cause of breaches in 2021, taking the longest time — an average of 250 days — to identify.

Meanwhile, the 2022 CrowdStrike Global Threat Report notes attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint. Instead, they are ramping up innovation on how they use identities and stolen credentials to bypass legacy defenses. In fact, 62 percent of attacks indexed in the fourth quarter of 2021 were non-malware, hands-on-keyboard activity, according to the report.

This is sobering news for healthcare providers, especially since consensus is that medical information is worth between 10 and 40 times more than credit card numbers on the black market. This is an alarming trend as medical records contain a patient’s social security number, which unlike a credit card number never changes. The potential for cybercriminals to hijack personally identifiable information (PII) and use a patient’s identity to commit fraud has become staggering. Medical record information can be used to purchase prescriptions, receive treatment or make fake medical claims.

Meanwhile, both healthcare organizations and their enterprise network and application infrastructure are undergoing digital and modernization transformations. Like the government and private sectors, healthcare institutions’ infrastructure is a mix of on-premises and cloud — a hybrid model consisting of on-premises servers, storage, cloud workloads, software-as-a-service (SaaS) applications, and laptops and desktop workstations (many in “work-from-anywhere” mode). Combined with an explosion of end users, applications and devices that seem to always be in flux, the modern healthcare environment has introduced a much broader potential attack surface. Reducing that attack surface remains mission critical for cyber defenders.

Network segmentation vs. identity segmentation

Network segmentation has been around for many years and is considered one of the core elements in the NIST SP 800-207 Zero Trust Framework. Network segmentation is a strategy used to segregate and isolate segments of the enterprise network to reduce the attack surface. Though network segmentation reduces the attack surface, this strategy does not protect against adversary tactics and techniques related to identity. In fact, the method of segmentation that provides the most risk reduction, at reduced cost and operational complexity, is identity segmentation.

Identity segmentation restricts access to applications and resources based on identities. These identities could be human accounts, service or programmatic accounts, and privileged accounts. With more than 80 percent of attacks leveraging user credentials, perimeter security should move closer to the user — the “last line of defense.” Identity protection is the most important aspect of a zero trust security framework, limiting the attack surfaces that can be exploited by adversaries. Identity segmentation enforces risk-based policies to restrict resource access, based on workforce identities.

Reducing cybersecurity challenges

An important capability of identity segmentation is the application of multi-factor authentication (MFA) to every application possible, even those that do not normally lend themselves to using MFA. By segmenting end users based on behavior, cyber leaders can actually make cybersecurity less burdensome for workers who need to access the same applications many times throughout the work day, such as doctors and nurses. For example, doctors and nurses should not have to perform multi-factor authentication each time they access the same asset. Instead, security administrators can separate low-risk users from those who need access to higher-risk assets, based on the device used, the user’s identity and the application requested. Using these kinds of behavioral insights, MFA can be applied more regularly to those end users who are demonstrating higher risk, while easing MFA challenges for end users involved in lower-risk workflows. The best identity segmentation solution will not treat every user the same.
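To make the risk-based segmentation described above concrete, here is an added example (not code from the article or from any vendor product) of a small policy engine: each access request is scored from identity type, application sensitivity, device posture and a behavioral signal, and the result is a silent allow, a step-up MFA prompt, or a deny. The thresholds, score weights and the eight-hour MFA cache for human users on managed devices are constructed assumptions chosen to show a clinician being prompted once per shift while privileged accounts and unmanaged devices are re-challenged every time.

```python
from dataclasses import dataclass

# Constructed policy constants (assumptions for this example, not published guidance).
MFA_THRESHOLD = 3    # at or above this score: require step-up MFA
DENY_THRESHOLD = 9   # at or above this score: block the request outright
SENSITIVITY_SCORE = {"low": 0, "medium": 2, "high": 4}
IDENTITY_SCORE = {"human": 0, "service": 1, "privileged": 3}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    identity_type: str          # "human", "service" or "privileged"
    app_sensitivity: str        # "low", "medium" or "high"
    device_managed: bool        # request comes from an enrolled, compliant device
    new_location: bool = False  # behavioral signal: first sign-in from this location

def risk_score(req: AccessRequest) -> int:
    """Combine identity, application, device and behavior signals into one score."""
    score = SENSITIVITY_SCORE[req.app_sensitivity] + IDENTITY_SCORE[req.identity_type]
    if not req.device_managed:
        score += 3
    if req.new_location:
        score += 2
    return score

class PolicyEngine:
    """Risk-based access decisions with a short-lived MFA cache for low-risk humans."""
    def __init__(self, mfa_ttl_seconds: int = 8 * 3600):
        self.ttl = mfa_ttl_seconds
        self._verified = {}  # (user, app) -> time until which a step-up stays valid

    def record_mfa_success(self, req: AccessRequest, now: float) -> None:
        # Only human users on managed devices earn a cached step-up; privileged
        # accounts and unmanaged devices are re-challenged on every request.
        if req.identity_type == "human" and req.device_managed:
            self._verified[(req.user, req.app)] = now + self.ttl

    def decide(self, req: AccessRequest, now: float) -> str:
        score = risk_score(req)
        if score >= DENY_THRESHOLD:
            return "deny"
        if score < MFA_THRESHOLD:
            return "allow"
        if req.identity_type == "service":
            return "deny"  # a service account cannot answer a prompt: fail closed
        if req.device_managed and self._verified.get((req.user, req.app), 0) > now:
            return "allow"  # recent step-up still valid: no repeated prompt
        return "mfa"
```

A real deployment would replace the additive score with the identity provider's own risk signals, but the decision shape (allow, step-up, deny, with caching only where risk is low) is the segmentation the text describes.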

Boosting the identity security posture

Network segmentation is an important piece of zero trust protection. However, healthcare IT and security teams can significantly reduce their organization’s threat exposure by focusing on the most important target of hackers: workforce identities. By applying identity segmentation and real-time detection and prevention of identity-related incidents, healthcare organizations can gain attack path visibility across their identity landscape. They can limit the attack surface by continuously assessing identity gaps in their hybrid IT environment. They can do this by adding frictionless, risk-based MFA identity verification and increasing security coverage, extending it across legacy systems and tools.

Cybersecurity programs are an incredibly important part of the delivery of modern healthcare. The industry continues to make great strides on its journey toward digital health transformation. Unfortunately, this journey has created unintended consequences, including the expansion of the cyber attack surface. Adversaries have taken advantage of those opportunities by holding healthcare systems hostage, deploying ransomware and stealing data. Healthcare organizations must now take the additional innovative step of transforming their cybersecurity programs. Security programs should not only support and protect their organization’s digital health investments but should also protect the healthcare team focused on delivering better, safer and easier-to-access care for patients and families.

But most importantly, they must build cyber programs that protect patients and families, making sure health systems are always available to meet the needs of the communities they serve. Modern digital healthcare delivery demands cybersecurity transformation.

Drex DeFord is executive healthcare strategist at CrowdStrike. Drex spent 20 years in the U.S. Air Force, including serving as chief technology officer for Air Force Health’s worldwide operations. After retiring from the military, he served as chief information officer at Scripps Health in San Diego, Seattle Children’s Hospital and Steward Healthcare. He is also Past Chair of the College of Healthcare Information Management Executives (CHIME) and served on the board of directors at the Healthcare Information and Management Systems Society (HIMSS).