September 8, 2021: We all log in to our machines to get started with our day. While this used to be just a terminal at your desk or workstation, the devices are with us all the time. Admission criteria for backup, compute, network, and storage relies on a consistent authentication model. Role-based access criteria is even more important as directory authentication is scaled and shared. Development of a consistent approach towards the development of controls will provide for an authoritative source of resources to access and control systems. As the access model for healthcare evolves, are we seeing steps taken that are going to change how we interact with technology? There have been a lot of breaches reported in the media – not just healthcare, but surrounding every organization in the world – is this the starting-point for our global remediation?
Join our webinar “Coming Through a Ransomware Event – Best Practices and Lessons Learned” on Thursday, October 7th at 11:00 AM eastern time. We are going to take a unique look at the Sky Lakes Medical Center ransomware event with guests:
S5: Modern Access Models for Access Management and Directory Services with Sirius and Duo
Transcript – Sep 8, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT influence. My name is Bill Russell, former healthcare CIO for 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our topic for today is modern access models for access management and direct resources. Our sponsor for today is Duo.
[00:00:25] We want to invite you to a special event that we have coming up Thursday, October [00:00:30] 7th at 11:00 AM eastern time. We are going to take a unique look at a healthcare ransomware event, an actual event that occurred. We have the CIO for Sky Lakes Medical Center, John Gaede, joining us. That is a health system that was ransomed.
[00:00:45] And we have Lee Milligan the CIO for Asante. Asante is the EHR host for Sky Lakes. They’re the community connections for Sky Lakes and they’re going to recount the events and the effects that it had on the interconnected health systems. Some of the [00:01:00] things that they did that they believed, worked pretty well and some of the things that they think could have prepared them better for the event.
[00:01:08] We’re also happy to be joined by our guest today, Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event, straight through to the end. And I believe with his insights and the CIO’s experience, this discussion is going to provide valuable insights into the best practices that are being adopted across the industry and maybe that you could adopt. [00:01:30] So we would love to have you join us. And if you want, you can provide us questions ahead of time. It’s in the sign up form, and we will make sure we address as many of those as we possibly can. So there’s a webinar Thursday, October 7th at 11:00 AM. Eastern time, you can sign up on our website thisweekhealth.com/register.
[00:01:48] Our topic for today is modern access models for access management and direct resources. Our sponsor for today is Duo. Let’s get to it. Matt interesting topic. [00:02:00] I hear this phrase all the time. Identities new perimeter. Is that along the lines of what this is? Or is it bigger?
[00:02:05] Matt Sickles: Yeah, that’s one component. You have to be much more granular when you look at it, but yeah it’s who you are, where you want to get to and what you’re trying to do. So think about that. We can now start to look at, are you supposed to be doing it? Should you be doing it? And when can you do it? And those are some pretty cool things. I like the fact that our directory services are evolving, but the brutal fact is [00:02:30] I mean, we’ve been using the same directory service baseline since the early two thousands. We have upgraded in place our directory system and as those directory systems are getting older and older, they start to bring on more risk because they have been upgraded in place.
[00:02:49] There has not been a solid health check on them. So this is one of the most risky areas of all organization, not just healthcare, but all organization across the globe right [00:03:00] now.
[00:03:00] Bill Russell: It’s interesting because I’m talking to more and more of these companies that are looking at the behavior on the, on the network. And the behavior of data movement and those kinds of things. That really starts with identity. Identity of newest person, identity of your computer system, of which system you’re accessing it from, where you’re accessing it from.
[00:03:21] They bring all that data together and they say, Hey, you know what? That laptop should never access that smart pump over there. That’s the kind of sophistication that [00:03:30] we are hearing about in terms of these tools that people are bringing to bear, but it starts with a solid foundation of the right access management and the right direct resources.
[00:03:41] Matt Sickles: Yeah. And I can remember back to one of the first design and architecture engagements that I was working on with role-based access control. We were talking about directory services and how we would actually define when should someone be working, when should they be [00:04:00] accessing a computer? So we built the system and we forgot one key component is that people go on vacations people aren’t available.
[00:04:08] So then we looked at integrating with the HR system. So now we start to think about, okay, are we really getting to a point where that we need to have that user behavior analysis and information to the point where that we know when a person is working, where they’re working and what they’re working on.
[00:04:26] Well effectively. Yes. I mean, if we don’t have a good understanding of [00:04:30] that, how is all of the alert system that is responding to going to be meaningful? How are we going to start picking that apart without picking up the phone every time and calling the individual, we start to see these behaviors. We see the consistencies, and most importantly, we define and see the outliers.
[00:04:47] Bill Russell: You know, you have mentioned the fact that our direct resources is aging in terms of the things that we’ve been using. But you also mentioned in the last show, we talked about the evolution from on-prem [00:05:00] to cloud. Are we seeing the directory services systems start to morph and have systems that that can provide that identity infrastructure across the entire the entire enterprise, be it in the cloud or on prep?
[00:05:14] Matt Sickles: Yeah and we used to look at Federation of our directory service to make sure that it was accessible by our partners, our contract firms, and any of the third party resources that we needed access to when they started [00:05:30] having much more access need. We started to integrate our directories. As we look at merger acquisition and divestiture activity, we see a lot more activity.
[00:05:40] Most of the directory services as mentioned are getting very old. They’ve been upgraded over time. But what we don’t always look at from a a compelling topic is what do we want to do next now in a cloud workload, if we go to an Amazon and Azure environment or Google environment in [00:06:00] the three major public clouds, there are building capabilities to do this.
[00:06:04] If a new organization, that’s a startup, regardless of the industry wants to be effectively secure. They can go follow the path to success out of any of the public cloud platforms. Our directory services on premise need to evolve as the cloud has. So that’s going to be a very compelling and important topic as well.
[00:06:26] Now, when I look back at most [00:06:30] of the breaches that we have been involved with from a response perspective, it’s very interesting because it all comes down to access. It all comes down to credentials and permissions, but most importantly, we forget the fact that those are all sourced in one directory, one directory service, and it was never designed to be a security or a repository of security information.
[00:06:55] Bill Russell: Yeah. So those, those elevated privileges aAre really accessible through that directory [00:07:00] so that this has to be a core component of any security model I would assume. Why is that overlooked?
[00:07:06] Matt Sickles: I wish I had a quick answer for that. I don’t know is the response. But some of the discussions that we’ve gone through of why it’s overlooked is that that is not a security component.
[00:07:18] Our infrastructure team takes care of the active directory. Our directory service module is in the cloud and that’s our cloud team. Security has not always been involved with the identity access [00:07:30] management provisioning and deprovisioning over the last several years. We’re seeing that change drastically the policy and the need to have a much better control plane in place is something that we all desire with the cloud.
[00:07:43] I think that that was really the change. As we’re going through all of these breach responses as well. We’re looking at it, you hit it on the nail, right? It is different privileged and elevated permission accounts throughout the system that privileged access management is [00:08:00] violated. Passwords are stored in text documents.
[00:08:04] They are in clear text on the devices, ransomware and malware is written to harvest that data, but we’ve, we could just do one thing and we could do one simple thing in organizations, which is layer on a multi-factor authentication into every privileged account we would drastic. Significantly reduce any event because only credentials that have elevation [00:08:30] can make major change.
[00:08:31] If change control and change management is in place and an effective elevator permission structure with a multi-factor authentication, something you have and something that is going to be a very, very important part of solving this problem.
[00:08:48] Bill Russell: So you talk about modern models for access management. Multifactor authentication is one of those modern models. Are there other things that we’re seeing in the industry to address this?
[00:08:59] Matt Sickles: [00:09:00] Yeah. So if we take a look at the individuals, that’s one of the easiest to solve. We could give everyone a token. We could force them to have a secondary login. That is a real impact to the user experience. That’s probably why it is not implemented more in healthcare systems.
[00:09:16] It’s a drastic workflow impact to the operations. A lot of organizations have figured out how to put that into their workflow getting into the patient room, not affecting it, but we also want to make sure that [00:09:30] we’re being consistent on how that’s applied. In a new modern system. We also have to take a look at those service accounts, the things that are driving, all the systems in the background.
[00:09:40] So not just multi-factor authentication, but a holistic privileged access mechanism and privileged service management for their environment. So all of these access credentials, all of the service accounts, everything that runs the systems, the servers, and the footprint of a modern [00:10:00] healthcare system need, they need drastically to have this layer of management.
[00:10:04] If that was in place, we would see only a fraction, a minimal fraction of the events that are occurring today.
[00:10:13] Bill Russell: Wow. So people are getting in via ransomware, but once they get in via ransomware, that’s how they move around. And that’s how they take control of significant systems.
[00:10:22] Matt Sickles: Yeah. The dwell time is increasing. These attacks are sophisticated. So when we take a look at, okay, once you have the keys to the [00:10:30] castle, this is what a modern attack firm is going to do. They’re going to go in and they’re going to manipulate things based on their permissions. So if you’re a domain administrator, you’re going to start going and locking systems down that lateral movement, as you described, going from system to system, and you may be unmonitored or even unnoticed for months, if not years in an environment, those are the types of attacks that could really be prevented.
[00:10:56] That lateral movement stops after computer one. [00:11:00] So where we see a one to many relationship and most malware and or ransomware attacks, The one-to-many relationship can be made a one-to-one this attack can stop there. And that is how a modern directory is doing that. I give a lot of credit to the public cloud providers.
[00:11:16] They have come up with a very straightforward approach for organizations that don’t have a legacy directory system to spin that up right away. We see that in all three of the major cloud platforms. So if we think about what [00:11:30] they’re doing, right, why not apply some of that logic that is used right now in the public cloud providers put that back on premise and follow a lot of those good practice to reduce the threat.
[00:11:40] Bill Russell: Fantastic. All right. Special, thanks to duo for their partnership and making this content possible. Matt, as always, you really segwayed well into the next topic, which is going to be the evolution of ransomware. And thanks again for your time. Really appreciate it.
[00:11:54] Matt Sickles: Hey, thanks Bill.
[00:11:55] Bill Russell: What a great discussion. We want to thank our sponsors Sirius Healthcare and Duo, [00:12:00] who are investing in our mission to develop the next generation of health leaders. Thanks for listening. That’s all for now.