HC3 focuses on remote identity management for healthcare organizations, provides mitigations

A comprehensive Identity and Access Management (IAM) program allows all parties to build mutual trust when performing transactions both online and in-person. Institutions are under pressure to transition high-risk interactions online, ultimately expanding their threat landscape.

The Health Sector Cybersecurity Coordination Center (HC3) unit of the U.S. Department of Health & Human Services (HHS) revealed Friday that hackers can target institutions by capitalizing on gaps in user access protocols, hiring processes, and mitigation capabilities to conceal some aspects of their identity and attention. The agency evaluates that identity verification, fraud detection, and user authentication are imperative when implementing an Identity and Access Management (IAM) program.

“The global digital transformation era has changed how enterprises interact with customers, clients, and employees,” according to an HC3 analyst note released Friday. “A comprehensive Identity and Access Management (IAM) program allows all parties to build mutual trust when performing transactions both online and in person. Institutions are under pressure to transition high-risk interactions online, ultimately expanding their threat landscape. Security professionals and institution leaders are becoming increasingly faced with fraud from misrepresentation of identity. Balancing establishing trust in a user’s real-world identity and optimizing user experience can be challenging.” 

The analyst note also added that insider threats could be one of the most harmful to healthcare organizations, as these include individuals within the organization who wittingly or unwittingly expose sensitive data like personally identifiable information (PII), proprietary data, etc. “These individuals can be a trusted third-party or an employee – they are entrusted with knowledge about an organization’s products, services, strengths, and weaknesses.” 

The HC3 outlined that hackers attempt to approach or recruit employees and even leaders to commit potentially even more disastrous acts. Surveying IT and security executives by industry, cybersecurity professionals found that employees and leaders are increasingly being approached to assist in nefarious insider threat activities, such as ransomware attacks.

“Regardless of the size of the institution or business, insiders consistently prove to be one of the biggest threats to organizational security. Leaders and administrations can work together throughout the hiring and employment processes to significantly curb and mitigate insider threats,” the HC3 analyst note said. “By implementing and designing an IAM security framework and technologies which tie your governance and subsequent policy rules into a centrally managed identity and access system, the ability of your organization to prevent and detect insider threats will be greatly enhanced.”

The agency said that without well-thought-out and implemented IAM policies, organizations can be susceptible to individuals who have misrepresented their employment history, applicants who have committed crimes or offenses under a different name than the one provided during the hiring process, and candidates with employment sanctions for the industry. 

“More than ever, those inside the network cannot automatically be trusted. Stringent IAM policies should be in place to protect against compromises and data leaks,” according to the HC3. “These policies include identity proofing, which focuses on cases when an organization is interacting with someone for the first time (account openings, registration, or enrollment), and identity affirmation, which is verification that a real-world identity exists and that the individual claiming the identity is the true owner of that identity and is genuinely present during the process.”

Data released by the Federal Trade Commission (FTC) Consumer Sentinel Network Data Book revealed that there were 5.2 million fraud reports in 2022, with identity theft and imposter scams representing the top two categories, respectively. Cybercriminals will look for avenues to manipulate and obfuscate their true identities for gain. 

The U.S. Treasury, the State Department, and the Federal Bureau of Investigation (FBI) have issued alerts warning businesses that North Korean cyber criminals are posing as remote IT workers for hire from the U.S., Eastern Europe, Japan, South Korea, and China. The scammers also sub-contracted with other more legitimate workers to enhance their credibility. The threat emphasizes the need for a strong IAM program to protect data from espionage, intellectual property theft, and spills. 

The HC3 said that effective mitigations need to span the entire enterprise, proactively creating robust policies to evaluate, identify, and mitigate insider threats. It recommends pre-employment screening and hiring policies to identify red flags, while policies during employment must create and communicate clear organizational rules, including baseline behavior, monitoring of network activity, and routine, mandatory insider threat training covering physical security and cybersecurity awareness.

Lastly, post-employment policies should be established to retrieve equipment, terminate access, and review intellectual property and/or non-disclosure agreements with separated employees.

Cybersecurity governance agencies also recommend that organizations form a multi-disciplinary threat management team that collaborates along all business lines, including upper management, to mitigate insider threats. A disciplined threat management team can prevent and respond to insider threats through monitoring, surveillance, investigation, escalation, incident response, containment, post-response activity, and remediation.

Earlier this month, the HC3 identified vulnerabilities affecting the health sector in June and called for prompt attention to their remediation. The HC3 bulletin identified security loopholes in hardware from various vendors, including Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMware, and Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer. In its monthly cybersecurity vulnerability bulletin, HC3 recommends immediate patching of all vulnerabilities, with special consideration given to the risk management posture of the organization.
