[podcast] Healthcare IAM, MFA, and PAM Oh My
Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
On this episode #3 Jim and Jeff talk about Kacy Zurkus' article "Healthcare Organizations Too Confident in Cybersecurity" for InfoSecurity Magazine and why multi-factor authentication (MFA) isn't more widely adopted. Jeff also poses a question to Jim: Do you choose MFA or Privileged Access Management (PAM) first if you can only do one?
We hope you enjoy this episode and please subscribe to the podcast for updates on new episodes!
*Disclaimer from Identropy: These transcripts are produced using automated tools, so they may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #3 Full Transcript:
Identity At The Center #3: Healthcare IAM, MFA, and PAM Oh My!
Jeff: Welcome to the Identity at the Center podcast, episode number two. My name is Jeff Steadman and I'm here with Jim McDonald. We are both strategic Identity and Access Management advisors with Identropy's Advisory Practice. If you're looking for Identity and Access Management talks, you have come to the right place. On this podcast, we talk about a wide range of IAM related topics. It might be current events, things we see come up during our consulting engagements or other things that we just think you might find interesting. If there's a particular topic you'd like us to cover, or you'd like to give us some feedback or questions, always e-mail us at firstname.lastname@example.org
Hi Jim, how are you doing?
Jim: Hey, Jeff, we're going to talk about an article that we found on www.infosecurity-magazine.com and it's called "Healthcare Organizations Too Confident in Cybersecurity", written by Kacy Zurkus. I don't want to scare folks away. We're not only going to talk about health care organizations. The discussion today is going to talk about this article. We're going to talk about that industry. But the things we're going to talk about are going to be applicable to almost any industry. The article really pulls out some of the key points that Kacy found in a white paper on the LexisNexis Risk Solutions website called the State of Patient Identity Management. And there's a link in her article. So the focus of that article is really on patient portals. And really what the article is implying is that there's a higher degree of confidence in the security controls than is warranted in these patient portals. And she kind of highlights a few of the statistics that were in the white paper. And there's a good data diagram as well where the use of multi-factor authentication is kind of low relative to what you would expect on an Internet-facing website where critical data that is protected by HIPAA would really be stored.
You would expect a much higher use of multi-factor authentication because the bottom line is passwords need to die. I'm probably preaching to the choir, to anybody who's listening to this podcast, but we all know the weaknesses in passwords, and a lot of them are because we are humans. We use the same password from website to website. Once one of those websites gets cracked and there's a data breach, the users and passwords get dumped and put on the dark web, put up for sale. We've seen some of the prices for a standard user name and password being super cheap, pennies per account. So anybody can go out and get these accounts and then just run them through a bot and try to log into your banking website or various other websites that you use. And so, multi-factor authentication is a control. While not perfect, and multi-factor authentication can mean many different things, it's still a lot better than passwords. And so the article really goes into that. And Jeff, I know you're going to highlight a few of those statistics that were in that article.
Jeff: I think the thing that jumped out at me in the first part as I read it is that the cybersecurity folks at these health care organizations said that they were pretty confident in the strength of their cybersecurity, but really only like two thirds of them were using multi-factor authentication. So, I'm not sure if those numbers just don't kind of play out too well for me. If you're more confident about it, I think you'd want to put more MFA in place when it comes to that. But most of the health care organizations are only using usernames and passwords. Two thirds of them have multi-factor, which is great. Somehow that doesn't jibe with me that, you know, people are being confident in their security. I would think you'd want to have more MFA in place, which is interesting because a lot of their budgets are staying the same. So even though health care breaches are rising and they've increased year over year, the budget being the same is probably not keeping up with the different types of attacks that are going on. So things like call center fraud, bot attacks, crypto mining, those are all things that happen. They happen pretty commonly, especially in the health care side for whatever reason. One of the statistics I saw was that almost half of health care organizations have experienced some sort of crypto mining.
And that's a crazy number if you think about it. It's got to be lucrative. Otherwise, you know, the attackers wouldn't be going after it. But there's clearly more work to be done within the health care side. I understand there's a lot of typical health budget challenges that might be in that space. But if you think about it from a cost perspective, it's roughly 400 bucks per user, per patient data record that gets stolen. With the average number of records that might be taken out in a breach, you're probably looking at one and a half million, two million bucks to recover from that. So that's a pretty expensive way to try to manage things if you're not putting enough security up front. I think MFA is a huge part of that. I don't know why it's not standard for more folks. I understand the cost associated with it, but I guess, from your perspective, why do you think MFA is not just a given at this point, given how bad passwords are?
Jim: Well, one thing I was thinking as you were talking about that is there's a disconnect between the confidence level and what we as practitioners consider to be the basic minimum. And I think it probably ties back a little bit to who was interviewed for the study and whether they share that point of view with us. Some people might think, well, MFA is not realistic for our users, and they're more thinking about it from the user interface perspective. Heck, as practitioners, we need to balance usability and security. We can't just say it's got to be the most secure every time. But at the same time, I guess what I'm saying is that it might not be the CISOs of the health care organization, of the hospital in this case, who were the respondents to the survey feeding into this white paper. It might be people who are more on the business side who deal with the complaints like, I can't create an account, or I don't have the same phone number anymore, so I can't get the SMS. And so they might be thinking that, hey, multi-factor authentication is just not realistic for our user population. We have a lot of people who are older or sick and they just don't want to deal with it.
So we're not going to put them through that. It's just not for us. And that's really, I think, become kind of an out-of-date argument, to a certain degree, because I think most people are starting to realize the number of data breaches that are happening. The risk is just unacceptable, especially when it comes to health care data. But in my experience of working with hospitals, for most of the CISOs that I've interacted with, usually the patient portal is not under their operational control, but they do set policies for the organization. So they may set a policy that MFA is required. But a lot of times what I've seen is that there is a carve-out, you know, that that requirement is just focused on employees or just focused on administrators. So in other words, they soften the policy because there's so much pressure in the organization to make things more user-friendly. And I guess, as I was reading the article, I'm thinking these couldn't be CISOs who are confident in username and password as an approach.
Jeff: It's kind of like lowest common denominator security, right? Designed for the easiest way for people to get access. But unfortunately, username and password alone just isn't enough. I wonder, as the population continues to age, if folks who are maybe in their 20s, 30s, 40s now, as they get to the age where they have to take advantage of more health care services, folks who have grown up on MFA will expect it, in the next 10, 20, 30 years, whenever that may be. Whereas the folks who are using it today that are on the upper end of the age range didn't really grow up with that. And it's not really second nature to them like it is for practitioners or even just folks who have had more experience with it. I think of things like Apple: they have MFA on their iCloud accounts, whether it's perfect or not is kind of relevant to me, they have something, but they've made it easy enough where the vast majority of their users seem to have it enabled. And they're taking advantage of it. I wonder if that will extend to things like patient portals in the future.
Jim: I think that, look, my dad does not have a smartphone.
It's kind of mind-blowing, but he just doesn't have a place for it in his life. There's no computer at home. I know other people who have a smartphone and don't have a computer at home, and usually the people who have the smartphone and no computer at home are more in the workforce today still. So, I think you're right. I think that from my perspective, it's ubiquitous. But I'm a technology person. And I have to keep reminding myself that even though I think that multi-factor authentication is simple and using authentication apps is simple, I think for a lot of people, it's not.
Jeff: Yes, that's true. I mean, trying to balance that is certainly interesting. MFA all the things can and should be the motto.
But it's kind of balancing that usability with the security, which I get. I think there are probably some more interesting technologies that are coming down the pipeline that will make MFA easier. I think of things like Windows Hello. You can look at your computer and it'll authenticate you. That just became FIDO2 certified. So it'll be interesting to see how Microsoft is able to leverage the true passwordless experience when it comes to logging into Windows. Apple, you can already log in with Touch ID, but behind the scenes there's still a password somewhere. We've been hearing that passwords are dying for years and I don't see it quite yet, but it seems like it's always getting pretty close, especially over the last couple of years.
Jim: I've noticed, I'm an iPhone user, I've noticed when I go and register with a website or an app, Apple says, here, use a strong password. You look at the password that it's recommending and it's one that nobody could ever guess, right. There are a lot of websites that say, we can't accept this password. It goes outside of their password policy. But just assuming that it does go through and you register, now it works with my iPhone.
And as long as I have my Apple ID and everything is syncing up with iCloud, it'll work with my Apple laptop. But if I go to a Windows computer, I'm never going to know that password, so I'm not going to be able to log in except within that ecosystem. So it's kind of a partial solution.
Jeff: Yes, it's kind of a pain in the butt, right? Because you've got to go into your iPhone, find your passwords. It's buried in the settings. It's just not a user-friendly experience. I like LastPass. That's the one that I use. So I have that set up across my iPhone, both my Mac and my Windows, and my tablet. And I've made that actually my default password manager for my iPhone and for my tablet so that everything kind of stays in sync. It's not a perfect solution, but it works pretty well, good enough for me, at least from my perspective, to be able to keep track of the different passwords I'm using for different sites.
Jim: I like it too. Everybody I've ever known who uses it is either a technophile or an I.T. person. So, I don't think it's a good solution to solve this problem for patient portals.
But I do think, as an individual, you want to put up the best defenses for yourself. It is a good solution.
Jeff: Yes, definitely. This is a little bit of a side topic, but what are your thoughts on social identity and logging into things like a patient portal? If you're a CISO, would you consider allowing people to log in with their Facebook or Google or, soon to come, you know, the Apple social login?
Jim: That's a great topic and I want to reply to it.
I think one thing people believe is that with Google or Apple or Microsoft you wouldn't get phished or you wouldn't be able to get hacked.
I don't think that's true at all. And I generally find that most of the CISOs and business people that we work with don't feel like it's a sufficient enough control to use a social provider.
So while I think technologically speaking, it's a great solution, I think there are confidence issues in it.
Jeff: Yes, well, especially now with privacy concerns. Everyone's concerned about Facebook and what data you're giving them, same thing on Google. Apple has tried to stake a claim here, especially recently, about being more privacy focused. But even their OpenID implementation isn't really following all the standards. So there are certainly some things there to think about. From a consumer standpoint, it's certainly easier, I think, if I'm given the choice, rather than creating a new account, to use an already established credential that I typically use, because I know that I have MFA enabled on that, and so I feel more confident in the security around that rather than giving yet another ID and password to some other database somewhere out there that chances are at some point will become compromised. So I see the balance of it. And I certainly don't see enterprise solutions inside the firewall, so to speak, taking social login, but I think it's almost become standard for external facing systems, especially the consumer side, to have some sort of social login credential. In addition to security, it also offloads the user management component of it behind the scenes.
Jim: It offloads certain portions of it. I think for a patient portal, I'd like to see it as a login option if I was a patient. I don't have Facebook myself. I got rid of my account a couple of years ago and I found that pretty limiting in terms of there are a lot of websites that have Facebook as the only social option. Usually Google is one of them. And I do have a Google account, of course. And so, a lot of times I'll use that as well. And if that's an option, I generally prefer to use it.
Jeff: So let's talk a little about priorities, because something that comes up quite a bit, right, is what do you do first? Money is typically something you have to be very concerned about when it comes to budget and resources. So I have a scenario here, right? Let's say you're one of these CISOs and you are, let's say, at a hospital and you do not today have MFA or any type of Privileged Access Management solution in place. Which one are you going to go for first?
Jim: It's a good question. So I think the scenario that you're proposing is I'm the CISO at the hospital and I have a separate budget for internal, separate from my patient portal. The patient portal is something that is generally budgeted outside of I.T., or at least outside of information security. So working with my budget first, and there's a big difference. I've worked with some very large hospital organizations where they have dozens of locations. I've worked with single location hospitals in the past. And generally speaking, their budgets differ quite a bit, especially for Identity and Access Management and for information security in general. The first thing I would always want to do, because it's free, is have good policies, policies that enforce HIPAA guidelines and kind of need-to-know. So I'd want to work within a framework specific to my industry and make sure that my policies align with those industry standards at a minimum. And really, if you're getting pushback at that point, you need to say time out.
These are things that we are forced to comply with from a regulatory perspective. Within that, you need to have good controls for knowing who has access to what, having appropriate levels of assurance on login. So whether that's MFA or username and password or whatever it is, you need to make sure that you have those highlighted or accounted for in the policy, and then you need to guard the keys to the kingdom. So identifying what is Privileged Access and making sure the appropriate controls are on that. Now then the question becomes, if you're on a shoestring budget, how do you get in compliance with those policies? Or, more directly to your question, if you have to choose. So I think when you're balancing that need to secure the data with that tight budget, you need to prioritize. And your question, I think, was OK, if your two choices were Privileged Access Management and MFA. I would say, and I have to start off with, this is a bit of a cop-out answer.
Jeff: I hear it coming.
Jim: You're right, again. You need to do at least a minimum amount of both, OK? Like, for example, MFA, you need to have MFA for administrative accounts. If people are logging in to, say, your Office 365 or your Google Apps, whatever you're using, it's on the Internet and you're talking about your top level administrators. I'm sorry. You need to enable MFA for those folks. On the Privileged Access Management side, I think you also need to have some controls. And here's the thing with MFA and with Privileged Access Management: what would hold you back from just going and doing both? If money wasn't a concern, it would be kind of cultural issues. So with MFA, sometimes it's hard to roll out this new service to all of your users. I mean, we're talking abstractly about the "users"; do these people understand the technology? Do they have a device that can be used as the second factor, or are you going to have to buy keys for them and things like that? And on the Privileged Access side, there are user issues as well. I mean, you're talking about vaulting passwords, vaulting service accounts, things like that.
But I really do think, kind of that minimum level for PAM, you need to be vaulting shared passwords. So, ideally, you're doing something where nobody knows what the passwords are. And I mean, we've worked with clients before where they keep the passwords in a spreadsheet, an encrypted spreadsheet or password protected spreadsheet. But I mean, let's be realistic. If you gave me a copy of a password protected spreadsheet, I'm sure I'd find some script that would break it in no time.
Jeff: It's pretty trivial.
Jim: It's very trivial. So I think you need to be doing a bare minimum level of each. You can go and find, even if it's the cheapest solution for that password vault, just don't ignore it. And then you need to do MFA for your administrative accounts, where you get the bang for the buck.
Next, I think you're going to have to look at those scenarios and say, which of these can I... Look, I'm a big proponent of doing your risk and reward analysis. Obviously there's a ton of risk in that if somebody fumbles their privileged credentials, you can have a major breach of all kinds of data.
But a lot of times the investment to actually go ahead and properly vault all those passwords, all those service accounts, which you might not even know what they're being used for anymore, monitoring administrator sessions, that's a big investment. It's a program. On the MFA side, I kind of went over some of the objections that you're running into there. So where's your risk and reward? I think if you are an organization that has a lot of your services in the cloud, you're using Salesforce and you're using Workday, I think you get more bang for your buck by doing MFA. If your organization has most of your assets kind of behind the firewall, I think you'd probably get more bang for your buck by doing Privileged Access Management and making sure that the guys and gals who have keys to the kingdom are really getting temporarily issued access and then you're automatically logging them in. In other words, people don't know the passwords. That's where I think you would get the best value.
Jeff: I think that's a very logical, well thought out plan of attack.
And I think you cheated a little bit on the answer, but I'm going to give it. Judges are giving thumbs up. I liked the idea of splitting it because you can spend a little bit here and a little bit there and see a major improvement from a maturity standpoint, doing a little bit of both versus trying to focus on just one, which might take longer. So, definitely admins, people who need MFA in place and should have it because of the privileges they have. But then also those shared accounts, services, those sorts of things, makes a lot of sense. So, I totally agree with what you just laid out.
Jim: I was going to point out one thing, which is something I brought up in that whole answer, which was you might get objections from people who don't want to use their smartphone for corporate business because they're paying for their phone. They don't want to get, like, a Microsoft Authenticator app or whatever, and I mean, that doesn't happen.
Jim: Well, it happens. We run into it right here.
Jeff: And there's like this expectation, right, that well, if the company is making me put this on my phone, then they have to pay for it. There are a lot of different schools of thought on it, obviously, but I don't subscribe to that. I think that if you're being given access to something, it is within their rights to try and make sure that you're following proper security guidelines, or just don't access it on that device. But the whole putting things on phones thing has just kind of bugged me, but it certainly happens quite a bit. And in the conversations we have, they start to look at other things, too. You can always do things like physical tokens you can hand out.
Jim: Physical tokens only become a real concern when you get into, we need to buy a lot of them and then we need to have lifecycle management for them. You know, if we're only going to reserve them for when someone's being a butt-head and doesn't want to use their phone, OK, maybe you're buying 100 of them and it's not that big of a deal. But if you have to buy thousands of them and then manage the lifecycle, because people are going to lose them, I mean, that's human nature, then it can be a less attractive solution. But where I've really found the objections is when you start talking about workers who are maybe not information workers, not people who sit in an office all day. They're either people who are in a factory, maybe union, maybe not, or people who are in really privacy driven countries like in the European Union, things like that. That's where I see that objection come up the most. What about you?
Jeff: That's the same thing. It's those regions and those types of workers that typically have those types of issues with it. I think most of the I.T. people out there can understand that some sort of virtual token or soft token is going to be part of their life. It's been around, I think, long enough where people kind of understand it. So, you certainly see less of that, I think, on the I.T. side. But once you get outside the I.T. world, I think there are certainly openings for that. But it's that behavior change. It's the culture. I can certainly see companies that have been kind of born in the cloud and have always had some level of security, that it just becomes second nature. And this is just what we do, we have this token and this is how we manage it and we log in.
One of my former roles was responsible for managing RSA tokens. And we would order hundreds of these at a time for a large organization. And just the logistics involved of getting them, making sure we had the right ones, making sure we had the C.D. file. This is how far back this goes, right? The C.D. with the seed file that you put on the RSA server, and then getting it shipped out to the right areas and to the right people, then getting it activated. There's so much work that used to go into managing a hard token. It's become quite a bit easier with some of the more self-service options that are available. But I don't miss that part of that role. One bit.
Jim: I mean, and I think a lot of the app based, like authenticator apps, it really just shifts the complexity. It's easier, but it shifts the complexity to the user. So a lot of times you have to download the app, log in with it, and then go and scan a QR code. And I just try to picture my dad going through that. He could never do that. Unless he absolutely had to do it to get like his money or something like that, I think he would just throw in the towel.
So then comes the fallback, which is like the SMS text.
Jeff: This is better than nothing, but certainly not the most secure method to deliver.
Jim: Correct. The last thing I was just going to bring up on the Privileged Access side is some of the objections that you can get there. Usually it's a smaller population of users, but they're very technically savvy.
So they can come up with a lot of reasons why it quote-unquote won't work. Sometimes you'll be outsourcing a lot of your either network management or server management to a third party, maybe a big outsourcing company. And they may have contractual objections. So, again, I'd say start small, vault passwords; the best would be check-in and check-out or automatically logging in. But even if you could just implement it and focus on some high risk servers and then expand, if you will, and spread your breadth over time.
As for those contractual objections, eventually the contract is going to have to be renewed. Make sure to get those requirements put into the next contract. Things do change and attitudes do change, especially when you get something up and it's successful and you have internal stakeholders who are saying, this is actually good. It's great. I don't need to worry about remembering my password anymore. Because I think a lot of the objections to PAM start out there. They're given as logical objections: what if it's 2:00 in the morning and somebody calls me and I don't have access? You know, what do I do, call and wake somebody up? And it's like, OK. But behind the scenes, I was a system administrator. So I know it's kind of like you like having that level of access where nobody can look over your shoulder or stop you from doing anything. I used to be in that role. So I kind of get that feeling of power that you want to maintain, and when it gets taken away from you, you lose that power and it's not a great feeling. So that might be a little bit behind it. But I feel like all you can do is win them over by doing a good job, if you don't have the ability to just drive it down: this is what we're going to do, whether you like it or not. And so I'd say get something small started, especially if it's budget driven, and then expand the service over time. As you get more budget, more licenses, add more endpoints and eventually you have a good Privileged Access Program going.
Jeff: I think once you get it started, right, it becomes easier to show the value of it, being able to demonstrate with numbers. Here's what we're protecting now, here's what's not being protected, and being able to justify additional spend by using metrics is another good way to get things going. I think we should probably leave it there for now. So I think the summary is, let's start with MFA on the admins. Let's get, you know, a little bit of a vault set up. Start with some core systems and then, like you said, expand and move from there. Generate, if you can, some metrics to drive awareness around the effectiveness of what you're doing and try to get more budget that way.
All right, I think we'll call it for today. Thank everyone for listening and we'll talk to you down the road.