SSH Study: Healthcare Organizations Are Leaving SSH Problems Untreated

Healthcare organizations care deeply about the protection and privacy of their patients. And they invest heavily in both because they know that the cost of a healthcare data breach can have profound human and monetary costs. Because of this effect, the industry is highly regulated and focuses heavily on cyber security practices, especially when compared to other sectors.

To comply with many of the standards impacting the industry, experts working in the healthcare sector must make sure their machine identities are secured. IT systems administrators use Secure Shell (SSH) keys to authenticate machine identities and to gain the highest levels of administrative access in healthcare organizations. This makes SSH keys very valuable assets to administrators, and unfortunately, to cyber criminals as well.

However, despite the inherent risk of SSH key abuse, these powerful assets are routinely untracked, unmanaged and poorly secured. Unfortunately, this can leave the key in the door for cyber criminals.

“It’s absolutely imperative that healthcare organizations secure their machine identities,” said Nick Hunter, senior digital trust researcher for Venafi. “The healthcare industry faces intense threats from cybercriminals and must comply with rigorous regulatory standards. However, some of the most valuable assets in the industry are often left unprotected.”

Venafi recently conducted a study that evaluated how healthcare organizations manage and implement SSH in their environments. With participation from 102 IT security professionals from the healthcare sector, the study reveals a widespread lack of SSH security controls.

For example, only 8% of respondents admit they have a complete and accurate inventory of all their SSH keys. If healthcare organizations do not know where their SSH assets are or how they are managed, they cannot determine if keys have been stolen, misused or should even be trusted. 

Additional highlights from the study:

• Unlimited users can generate SSH keys across many systems.
  • Nearly half (47%) of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems.
     
• Users have continuing access to critical assets.
  • One third (33%) of respondents admit they do not actively rotate keys, even when administrators leave their organizations. This can allow former employees ongoing privileged access to personally identifiable information (PII), critical healthcare payment data and sensitive systems.
     
• No port forwarding can mean major problems.
  • 40% Forty percent of respondents said they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to bypass the firewalls between systems, a cybercriminal with SSH access can pivot rapidly across network segments.
     
• SSH keys are rarely rotated, if at all.
  • 28% of respondents rotate SSH keys at least quarterly; 41% said they don’t rotate these keys at all or only do so occasionally. Attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.

“Unfortunately, this survey indicates that healthcare organizations are not securing all of the systems and applications that protect patient data. SSH keys provide elevated privileged access that must be protected with the same governance controls that are applied to administrator accounts and passwords,” concluded Hunter.

How healthy are the SSH assets at your healthcare organization?

Related posts

• HIMSS Survey: How Well is the Healthcare Industry Protecting Your PII?
• SSH Security Prone to Attacker Incursion
• 4 Ways to Start Protecting Your SSH Keys