Improving Management of Privileged Access
CISO Offers a Strategy to Help Thwart Hackers
The increasingly sophisticated cyberthreats facing the healthcare sector are making privileged access management more critical, says Sudhakar Gummadi, CISO at Molina Healthcare, a California-based managed care company that offers health plans and operates clinics.
Some security experts believe that several recent cyber-attacks in healthcare may have involved hackers taking advantage of privileged access credentials obtained through spear phishing attacks. That's why limiting those who have such credentials - and tightly restricting how and when they can be used - is essential, Gummadi says.
Providing privileged access 24 hours a day, 7 days a week greatly increases risks, Gummadi says in an interview with Information Security Media Group conducted during a recent conference hosted by the Health Information Trust Alliance. Systems administrators and others who have special access privileges should only use those privileges when absolutely necessary, he stresses.
"A database administrator or an Active Directory domain administrator having full access was OK a few years back. But now, due to the whole threat landscape, that's changed. So we need to have the controls in place ... on the endpoint, the servers, infrastructure, firewalls, routers, etc. Because what happens is that the hackers look for the privileged access, and once they have the keys to the kingdom ... they can do whatever ... because those particular credentials provide full access."
Once hackers gain access to the environment, many other layers of protection can become moot, he points out. "It doesn't matter if data is encrypted... because [attackers will] be able to see the data" once they gain access to the systems, Gummadi says.
"Privileged access needs to be controlled in your environment, and it should have checks and balances and only be given on a need-to-know basis. Good controls in place won't eliminate the risk, but will minimize the risk."
While there are technologies that can help manage privileged access, "it's more of a culture shift," he says. That's because some systems administrators and others won't understand the growing need to "check in and check out" with their privileges, he explains.
"We also need to have password changes in intervals depending on the criticality of the business application and the data that particular credential is accessing."
In the interview, Gummadi also discusses:
- The biggest privacy and security challenges facing Molina Healthcare;
- Technologies and best practices that can help in privileged access management;
- Steps Molina Healthcare is taking to bolster security in the wake of recent massive hacker attacks, including those against Anthem Inc. and Premera Blue Cross.
As vice president and CISO for Molina Healthcare, Gummadi manages the organization's enterprise security information technology group. Previously, he worked for Symantec and EDS Corp.