HTN Survey reveals the complexities of managing Third Party Access

Martin Knight, International Sales Manager for Privileged Access Management at Imprivata, reflects on the results of a recent survey by HTN on current NHS practices around managing third-party access and how cyber tools such as privileged access management solutions can help keep the NHS supply chain secure.

The NHS increasingly works with a range of third-party suppliers which provide specialised services such as blood tests, access security for staff, and document and financial management. These collaborations are vital to help deliver and enhance the levels of service and care expected by patients, but they can increase security vulnerabilities.

Keeping the backdoor locked shut against attacks

Providers in the NHS supply chain usually need elevated access to sensitive NHS data, systems and processes. Unfortunately, the last 12 months have seen numerous cyber security breaches in which such organisations provided the weak link in defences. Third parties have been used by cybercriminals to gain backdoor access to the NHS itself, which often leads to ransom demands and the unavailability of vital services for weeks at a time.

A recent survey by HTN on healthcare network management asked a series of questions about organisations’ current practices around managing third-party access, covering onboarding, deprovisioning, audit trails, and more. Respondents came from organisations across the NHS and beyond. 47% currently use enterprise directory services such as Microsoft Active Directory together with a Virtual Private Network (VPN) to grant third parties access to their networks. 29% use access management solutions; 12% desktop sharing tools; and 12% vendor-supplied solutions.

Employing a VPN together with an Active Directory (AD) account can carry high costs, and there are many risks associated with this approach. If you provide someone with AD credentials, you cannot be certain whether they are sharing those credentials, or even whether they are still employed by their organisation. It is also challenging to prevent lateral movement, which can leave you wide open to breaches.

Controlling privileged access for internal staff

The survey also sought to understand how organisations manage privileged accounts for internal staff. 39% of respondents reported using a second, elevated Active Directory account; 3% shared credentials; 31% used their personal Active Directory account; and 27% employed cyber tools such as a privileged access management (PAM) solution.

The use of a second elevated AD account brings risks. As users require two passwords to gain access, they may need to write these down to remember them. Additionally, we must consider how access changes as individuals progress through the organisation and their roles evolve. Are we still tightly controlling their access levels?

Sharing the administrative burden

A better approach we’d suggest involves asking vendors and users to create their own accounts through their own domain email address. This largely shifts the administrative burden of the time needed to create an account onto the vendor, not your internal team. This can make great savings in the process if your organisation has a plethora of vendors with large numbers of employees.

This also removes the risk that comes with vendors needing to know domain credentials, namely that they could use them to jump across to a different application on the server. This offers more control, and means organisations can ‘keep the keys to their kingdom’ internally, without vendors ever knowing what they are.

Account allocation and password rotation for privileged accounts

The survey asked about handling the rotation of passwords for privileged accounts. 10% of respondents said that they were using a credential vault; 53% reported that rotation was automated through a PAM solution; 20% said that it was done manually; and 17% reported that passwords are not rotated at all.

There are risks in not having some kind of password rotation in place, particularly for elevated accounts that offer ongoing access to different systems. There is always the risk of an unauthorised person finding that password and gaining access. Using a PAM solution takes away the heavy manual processes, and you also build up an audit log of who changed a password and when they did it.

The survey also asked whether every vendor user at their organisation had a dedicated individual account. 77% reported that their organisation creates an individual account per user; 6% said that vendors shared accounts; and 17% reported a mix of shared and individual accounts.

Even though most allocate individual accounts, there’s still no guarantee as to who is actually using those accounts or whether the accounts are being shared.

Audit trails and deprovisioning access

The HTN survey found that 29% of organisations had no audit trail or video recording of vendor sessions. If issues do occur, it can be a lengthy process going through an AD account’s history and trying to pinpoint when an issue actually happened, so not having a simple audit solution in place can put a lot of pressure on internal teams.

With Imprivata’s PAM solution a full HD video recording is available of each vendor session. You have the option to keep the full video recording or an abridged version which simply shows key movements and streamlines the process.

When it comes to deprovisioning access, 51% of survey respondents said access is automatically deprovisioned after a set time; 39% responded that access is manually revoked, but not always in a timely manner; 10% reported that they don’t always know when a vendor no longer needs access, or can often have access longer than is needed.

Automatic deprovisioning is relatively simple when you have a relationship with a vendor for a defined period, but manually deprovisioning on an ad-hoc basis requires a team with the capacity to go through vendor accounts and look at metadata such as last logins. If someone has left their employer, they may no longer have access to that organisation’s account, but they could still have access to their AD account on your network. A PAM cyber tool can automate deprovisioning, recognising where there has not been a login for a set period of time or where access has been attempted outside ‘normal hours’.
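The three deprovisioning triggers just described (a defined engagement period ending, no login for a set period, and access attempted outside normal hours) are simple enough to express as a review over vendor account metadata. The script below is an added example written for this article, not code from Imprivata’s product or from the survey; the 30-day inactivity limit, the Monday-to-Friday 08:00-18:00 ‘normal hours’ window, and the account and login records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy thresholds (not from the survey): revoke after 30 days
# without a login, and treat Mon-Fri 08:00-18:00 as "normal hours".
INACTIVITY_LIMIT = timedelta(days=30)
WORK_START, WORK_END = time(8, 0), time(18, 0)


@dataclass
class VendorAccount:
    username: str
    vendor: str
    created_at: datetime
    last_login: Optional[datetime]   # None means the account has never been used
    expires_at: Optional[datetime]   # None means an open-ended engagement


@dataclass
class AuthEvent:
    username: str
    at: datetime
    success: bool


def outside_normal_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the configured working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def review_accounts(accounts: List[VendorAccount], events: List[AuthEvent],
                    now: datetime) -> Dict[str, Tuple[str, str]]:
    """Return {username: (action, reason)}; action is revoke, suspend or keep."""
    off_hours: Dict[str, List[AuthEvent]] = {}
    for ev in events:
        if outside_normal_hours(ev.at):
            off_hours.setdefault(ev.username, []).append(ev)

    decisions: Dict[str, Tuple[str, str]] = {}
    for acct in accounts:
        # An account that has never logged in is idle since it was created.
        idle_for = now - (acct.last_login or acct.created_at)
        if acct.expires_at is not None and now >= acct.expires_at:
            decisions[acct.username] = ("revoke", f"engagement ended {acct.expires_at:%Y-%m-%d}")
        elif idle_for > INACTIVITY_LIMIT:
            what = "never logged in" if acct.last_login is None else "last login"
            decisions[acct.username] = ("revoke", f"{what}, idle for {idle_for.days} days")
        elif acct.username in off_hours:
            attempts = off_hours[acct.username]
            decisions[acct.username] = ("suspend",
                f"{len(attempts)} off-hours attempt(s), first at {attempts[0].at:%Y-%m-%d %H:%M}")
        else:
            decisions[acct.username] = ("keep", "active within policy")
    return decisions


# Constructed sample data: 2024-03-01 is a Friday, 2024-02-24 a Saturday.
SAMPLE_NOW = datetime(2024, 3, 1, 10, 0)
SAMPLE_ACCOUNTS = [
    VendorAccount("alice@vendor-a.example", "Vendor A", datetime(2024, 1, 1, 9, 0),
                  datetime(2024, 2, 28, 11, 0), None),
    VendorAccount("bob@vendor-b.example", "Vendor B", datetime(2023, 11, 1, 9, 0),
                  datetime(2024, 1, 10, 11, 30), None),
    VendorAccount("carol@vendor-c.example", "Vendor C", datetime(2024, 1, 1, 9, 0),
                  datetime(2024, 2, 14, 15, 0), datetime(2024, 2, 15, 0, 0)),
    VendorAccount("dave@vendor-d.example", "Vendor D", datetime(2024, 1, 1, 9, 0),
                  datetime(2024, 2, 24, 14, 0), None),
    VendorAccount("erin@vendor-e.example", "Vendor E", datetime(2024, 1, 15, 9, 0),
                  None, None),
]
SAMPLE_EVENTS = [
    AuthEvent("alice@vendor-a.example", datetime(2024, 2, 28, 11, 0), True),
    AuthEvent("dave@vendor-d.example", datetime(2024, 2, 24, 14, 0), True),   # Saturday
    AuthEvent("dave@vendor-d.example", datetime(2024, 2, 29, 3, 15), False),  # 03:15
]


def review_sample() -> Dict[str, Tuple[str, str]]:
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for user, (action, reason) in review_sample().items():
        print(f"{action:8} {user:28} {reason}")
```

Off-hours attempts are treated as a suspension pending review rather than an outright revoke, since a legitimate out-of-hours change window is possible; expiry and inactivity are unambiguous and revoke immediately.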

Onboarding vendors

Survey respondents were also asked about the onboarding process for new vendor access at their organisation: 33% reported a manual process to create an account and provide VPN access; 21% stated that their organisation has a dedicated team that handles vendor onboarding; 15% provision an account on a remote access or virtual desktop solution; and 31% said they had ad-hoc processes in place depending on the vendor and the access needed.

Ad-hoc processes create challenges for organisations, because if you have 20 vendors coming into the network, that could mean managing 20 different processes for granting access. Manually creating accounts does give internal teams control over this, but risks remain, and these can be mitigated through the use of a PAM solution.

Preventing vendors gaining lateral access

The final question from the survey asked respondents whether their organisation had the capability to prevent lateral movement once a vendor is inside their network. 50% said that they did have this in place; a further 37% said that this was somewhat in place with more complex firewall configurations; and 13% reported that this was not in place at their organisation.

Having a PAM solution removes the need to configure firewalls for specific use cases, allowing access to be defined per application or server. If vendors try to hop onto another server they will not know the credentials, because these are injected directly into the session when the vendor joins. Keeping that password away from users and vendors offers an additional layer of security. All they know is the password they created themselves to gain access to the portal; they do not know the credentials needed to move laterally anywhere else.
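The control described here is a brokered session: the vendor authenticates to a portal with their own credential, the broker looks up the privileged credential for the requested target and uses it to open the connection, and the vendor only ever receives a session handle. The code below is an added example written for this article, not Imprivata’s implementation; the vault contents, grant allow-list, access window and host names are constructed, and `_connect` stands in for whatever protocol handshake a real broker would perform.

```python
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Grant:
    targets: FrozenSet[str]      # servers or applications this vendor user may reach
    window: Tuple[time, time]    # local-time window during which access is allowed


@dataclass(frozen=True)
class Session:
    session_id: str
    vendor_user: str
    target: str
    opened_at: datetime
    # Deliberately no credential field: the vendor never receives the secret.


class SessionBroker:
    def __init__(self, vault: Dict[str, str], grants: Dict[str, Grant]):
        self._vault = vault      # target -> privileged credential, held only here
        self._grants = grants    # vendor user -> what they may reach, and when
        self.audit: List[dict] = []

    def _log(self, vendor_user: str, target: str, now: datetime,
             outcome: str, detail: str) -> None:
        self.audit.append({"at": now.isoformat(), "user": vendor_user,
                           "target": target, "outcome": outcome, "detail": detail})

    @staticmethod
    def _connect(target: str, credential: str) -> None:
        # Placeholder for the real handshake (SSH, RDP, database login, ...).
        # The credential is consumed here and never returned to the caller.
        if not credential:
            raise RuntimeError(f"no credential available for {target}")

    def open_session(self, vendor_user: str, target: str, now: datetime) -> Session:
        grant = self._grants.get(vendor_user)
        if grant is None or target not in grant.targets:
            self._log(vendor_user, target, now, "denied", "target not in grant")
            raise AccessDenied(f"{vendor_user} has no grant for {target}")
        start, end = grant.window
        if not (start <= now.time() < end):
            self._log(vendor_user, target, now, "denied", "outside access window")
            raise AccessDenied(f"{vendor_user} may not access {target} at {now:%H:%M}")
        self._connect(target, self._vault[target])
        session = Session(secrets.token_hex(8), vendor_user, target, now)
        self._log(vendor_user, target, now, "opened", session.session_id)
        return session


# Constructed sample configuration (placeholder secrets, not real ones).
VAULT = {
    "lab-db-01": "CONSTRUCTED-db-admin-secret",
    "file-srv-02": "CONSTRUCTED-file-admin-secret",
}
GRANTS = {
    "alice@vendor-a.example": Grant(frozenset({"lab-db-01"}), (time(8, 0), time(18, 0))),
}


def demo() -> Tuple[Session, List[str], List[dict]]:
    """One permitted session, then a lateral hop and an out-of-hours attempt, both refused."""
    broker = SessionBroker(VAULT, GRANTS)
    user = "alice@vendor-a.example"
    opened = broker.open_session(user, "lab-db-01", datetime(2024, 3, 1, 10, 0))
    denied: List[str] = []
    for target, when in [("file-srv-02", datetime(2024, 3, 1, 10, 5)),
                         ("lab-db-01", datetime(2024, 3, 1, 22, 0))]:
        try:
            broker.open_session(user, target, when)
        except AccessDenied as exc:
            denied.append(str(exc))
    return opened, denied, broker.audit


if __name__ == "__main__":
    session, refusals, audit = demo()
    print("opened:", asdict(session))
    print("refused:", *refusals, sep="\n  ")
    print("audit:", *audit, sep="\n  ")
```

Because the session object carries no credential and the grant is checked per target, a second server is unreachable from the vendor’s side even without a firewall rule, and every decision, allowed or refused, lands in the audit list the text describes.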

Key learnings from the HTN survey

There are grave security risks in not having complete control over individual accounts and who is using them. With VPN and AD account access, a vendor could come in over the weekend and make changes to a network or system that cause issues come Monday morning. Having a PAM solution in place is crucially important, so you can define the times at which vendors have access and have a workflow in place to meet that just-in-time access requirement.

The tendency is for people to take the simple and ‘cheaper’ route of VPNs, but that introduces increased risk and creates issues with auditability. Organisations need to consider how much time it takes internal teams to create and manage vendor accounts, and the effort involved in tracing problems and security breaches should they occur.

Imprivata’s PAM solution delivers enterprise-grade, simple, secure remote access, sharing some of the administrative work with the vendor where appropriate. Things which may have traditionally taken days can be done in just a few clicks, which not only saves time, but also makes ensuring network security that much easier.

Imprivata’s PAM solution also provides multi-factor authentication (MFA) which ties into a vendor’s own MFA solution, meaning users need to provide a second layer of authentication to access systems, by receiving an email to their domain email address. If a user leaves a business, their email is one of the first things to be removed, providing another simple method of protecting your systems.

Learn more about Imprivata’s PAM solutions and the benefits they offer for network access management.

Watch our on-demand webinar: Understanding Imprivata 3rd party vendor access

Visit us at Digital Health Rewired, Stand I30. Dr. Sean Kelly, will be presenting on the Digital Transformation Stage on 18 March. Register here: Events and Webinars Listing | Imprivata UK