Perils of privileged access in the wrong hands highlighted in key new NHS document

The dangers of privileged access misuse are highlighted as a critical concern in a new cyber strategy for the NHS.

The potential ‘insider threat’ posed within the health and social care sector by staff or contractors is cited within a plan to promote cyber resilience across the health and care sectors by 2030.

What is the insider threat?

Whilst attention is often focused on hackers and external threats, the risk from, for example, a disgruntled employee or someone with third party access, can easily be overlooked.

In such examples, someone may try to do damage or steal customer information before leaving the organisation.

The new NHS Cyber Strategy document raises the threat of “people working in or near to the health and social care sector seeking to misuse their privileged access.”

It echoes concerns highlighted by The National Cyber Security Centre (NCSC). The NCSC identifies Privileged Access Management software as a solution, saying “PAM provides many benefits”, including being a “strong deterrent against the insider threat, where a legitimate system administrator may consider abusing their access.”

Is it the insider threat always malicious?

There’s a less obvious threat from insiders that is not about malice or intent - the over-enthusiastic amateur. That is, someone who has managed to get admin credentials then tries to make changes they’re not fully trained for. It may be that ‘privilege creep’ has occurred, whereby gradually a member of staff gains necessary permissions to various systems and it goes unnoticed.

It’s too easy for these staff members to inadvertently make a catastrophic change such as shutdown all internet traffic through the firewall or delete customer records, as happened at the UK Home Office.

What else does the new NHS strategy cover?

The strategy document focuses heavily on ransomware attacks, which it says, “in health and social care could lead to significant distress and potential harm for patients, service users and staff”.

It cites the example of The Health Service Executive (HSE) in Ireland, which suffered a major ransomware attack which caused 80% of the HSE IT environment to become encrypted.

The Government is set to release more details of the new strategy over the course of the next few months, including an update to the requirements that NHS bodies are expected to adhere to – the DSP Toolkit.

The DSP Toolkit is an online tool for all affected organisations to show they are practicing good cyber and data security. Self-assessments must be completed annually and twice a year for those in category 1 and 2 – NHS Trusts and ‘arm’s length’ bodies such clinical commissioning groups. Compliance is required of all service providers ranging from local authorities to GP practices and business partners.

There are already parallels between the DSP and Cyber Essentials and it appears the Government is trying to create consistent standards and bring them together. We’ll be keeping a close eye on developments and providing more guidance when the DSP changes are revealed. For now, how do they stand?

What do the current DSP requirements say?

The existing requirements ask NHS IT leaders to “closely manage privileged user access to networks and information systems supporting the essential service”.

They must ensure that “logs, including privileged account use, are kept securely and only accessible to appropriate personnel”.

These should be “stored in a read only format, tamper proof and managed according to the organisation information life cycle policy with disposal as appropriate”.

The requirements also focus on removing or disabling “unnecessary user accounts”, advising NHS IT teams that “privileged user access is also removed when no longer required or appropriate”.

The ‘tool tips’ suggest that “former employees', guest and other unnecessary accounts are routinely and promptly removed or disabled from internal workstations, Active Directory domains and other user directories.  

The DSPT also prompts NHS IT staff to consider the extent to which third parties are being granted privileged access and if it’s being limited to a set time to “mitigate the danger of security breaches”.

That’s because it’s hard to ensure third parties have the same level of security hygiene and also to prevent them sharing credentials.

What role does technology play?

Many of the requirements of DSP centre on human factors – training, awareness, and so on. Though important, they depend on underlying technology to support those best behaviours.

For example, it’s one thing to train team members to use best practice for choosing passwords, but that should be supported by the systems being used to ensure compliance.

As the NSCS says, PAM software can play a key role in preventing the insider threat and limiting security risks around privileged access more generally. And it can help to ensure DSP compliance.

How can Osirium help?

We’re already trusted by approximately a quarter of all NHS Trusts –more than 50 – to manage their privileged access security. These organisations have seen the benefits of Osirium PAM, along with our other solutions – from enabling DSP compliance, including speeding up assessments, and more.

They include The NHS Midlands and Lancashire Commissioning Support Unit (MLCSU) and NHS Lanarkshire - the third largest NHS authority in Scotland.

MLCSU Senior Project Manager Glenn Hollywell said: “It’s been a really good relationship with Osirium, and nothing was too much trouble. They’ve been very responsive and supportive.”

Mark Grant, IT Infrastructure Operations Manager at NHS Lanarkshire said: “Selecting Osirium PAM wasn’t just about the robustness of the solution and the competitive price. It was also the professionalism of their engagement and the excellence of their support.”

Find out more about how Osirium PAM and automation can help NHS bodies and health providers.

Call us on +44 (0)118 324 2444 or email via Contact Us | Osirium

Related Topics