Access Management: how leaders can minimize disruption from cyber attacks
Access management affects whether your service line is disrupted for one day or three months when an attack happens.
Articles about ransomware seldom mention the lack of access management, which contributed to this incident. The fact is, in those incidents, a threat actor managed to compromise an account with enough access and privileges to perform encryption.
For example, when a global administrator or an enterprise administrator account is compromised, it has enough access and privileges to encrypt most systems in the organization. The more systems that get compromised, the longer it takes to restore the service line. Therefore, managing and monitoring privilege accounts are critical.
This post will look at access management as described by the Health Industry Cybersecurity Practice (HICP) document, products to implement these practices, and the cost of this service.
Looking at HICP’s Access Management practice requirement
Access Management is concerned with the digital identity lifecycle.
It starts with creating an individual account for each user and avoiding sharing accounts. Next, each account is assigned access permissions (provisioned) appropriate for each user’s role. Then, we implement automatic log-off, single sign-on, and MFA to minimize the chance of it being compromised. When the staff is no longer with the organization, disabling their account will disable access to all systems.
For example, a doctor’s office may have 4 roles: physicians, front office, business operation, and clinical support. Each role will have different access control and privileges that determine which data and systems are accessible by each role, e.g., practice management system, revenue cycle management system, EHR, etc.
The user would use the same account to access different systems (a single-sign-on system). The system administrator will assign different permission to this account as they get promoted or change roles. When they leave the company, disabling their account will prevent access to all the systems.
With cloud-based services, the technology required to implement access management is now more accessible than ever for small organizations. Therefore, leaders should consider implementing access management to enhance their organization’s security posture.
Looking at Azure Active Directory (AAD) for access management
First, I have to say that Microsoft does not sponsor this post. I went down the Microsoft route because they offer good and modern cybersecurity services at a price point that is reasonable for small organizations.
Small healthcare organizations need cybersecurity protection too, and they are the majority. One study counted that in 2018, 72.% of medical practices in the U.S. are 30 physicians or fewer [1].
Back to our story …
We looked at Microsoft 365 Business Premium previously for email protection. This package also includes Azure Active Directory (AAD) Premium 1 by default. We want to explore its identity and access management capabilities that comes with it.
Protecting user accounts
Relevant HICP access management features that are included in Premium 1 subscription:
- HR-driven provisioning (account creation)
- Automated user and group provisioning to app
- Single sign-on
- Multi-factor authentication
- Conditional Access
Following the life cycle approach, a few cloud-based HR systems can automatically create a new user account in Azure Active Directory (AAD). This feature is called “HR-driven provisioning” [2], marked as step 1 on the diagram below.
Next, once the new account is activated in AAD, it can trigger the app provisioning process [3]. This process will create user identities and groups in applications that this user needs to use. This feature is called “Automated user to app” and “Automated group provisioning to app” marked as step 2.
With the new AAD account created in these apps (EHR, RCM, PMS), users can log in using their AAD account. It works because the apps and AAD are designed to provide a single sign-on experience. In addition, since AAD provides authentication for this account, it can be set to also prompt for Multi-Factor Authentication (MFA). Please refer to this list for applications that support single sign-on and user provisioning with AAD [4].
If you have on-premise systems, it’s worth checking to see if they have a single sign-on capability, but it’s not enabled. Another possible scenario is that the vendor added this feature after implementation in your organization. In both of these cases, you could work with the vendor to get this feature activated for you.
Another important feature for access management is conditional access. With this feature enabled, AAD will consider several additional signals (or criteria) for authentication. For example, it can verify your group membership, IP location information, and device state [5].
Suppose a threat actor from overseas tries to compromise one of the administrator accounts; AAD can check which countries/regions this request is coming from and reject if it is not part of the trusted IP address range or from a trusted device.
Protecting Administrator account
We discussed necessary features to safeguard against misusing user accounts, but we should take extra caution when dealing with administrator accounts. For that, we look at Azure Active Directory (AAD) Premium 2 subscription.
Premium 2 provides the following features to ensure that the threat actor does not abuse and take over your administrative account.
- Privileged identity management [6]
- Identity Protection (real-time and offline risk detections) [7]
- Access review [8]
Privileged identity management (PIM) provides time-limited access for using the administrator account. That way, the extra privileges are only available for a specific time window and therefore not exposed for misuse 24/7.
Risk detection considers factors surrounding the sign-in event before allowing access. For example, it provides real-time risk calculation when they sign in from an anonymous IP address and unfamiliar sign-in properties. For offline calculations, it can leverage features such as Azure AD threat intelligence, checking known malicious IP addresses, two sign-ins from a geographically distant location, etc.
Access reviews allow the leader to audit user access to resources to ensure that it is still necessary and assigned to the right user. This feature is useful to safeguard against scope creep, where over time, a user gains more and more permissions as they change role. This feature is also handy to review permissions assigned to third parties that work in your organization as a part of third party risk management process.
Looking at the cost for an FTE physician with 3 support staff
Microsoft includes AAD Premium Plan 1 as part of Microsoft 365 Business Premium subscription [9].
The Premium 2 is $9/user/month and is required only for the administrator account with more privileges and is more susceptible to abuse.
Projected cost so far (1 FTE Physician + 3 support staff): $1,452/year
Note: Please let me know if you found other competitive services, and I’d be happy to review them.
Conclusion
Access management is critical to minimize business disruption, and this need is not limited to big organizations with a big budget.
With cloud-based services like Azure Active Directory Premium 1 and 2, it is now accessible for small-medium organizations to adopt access management practices as described by HICP.
References:
[1] https://www.statista.com/statistics/415971/size-of-medical-practices-in-the-us/
[3] https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning
[4] https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tutorial-list
[5] https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
[8] https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Originally published at https://healthcyberlab.org on February 1, 2022.
