Skip to main content
banner image
venafi logo

SSH Study: Healthcare Organizations Are Leaving SSH Problems Untreated

SSH Study: Healthcare Organizations Are Leaving SSH Problems Untreated

SSH keys challenges for healthcare
March 5, 2018 | Eva Hanscom

Healthcare organizations care deeply about the protection and privacy of their patients. And they invest heavily in both because they know that the cost of a healthcare data breach can have profound human and monetary costs. Because of this effect, the industry is highly regulated and focuses heavily on cyber security practices, especially when compared to other sectors.

To comply with many of the standards impacting the industry, experts working in the healthcare sector must make sure their machine identities are secured. IT systems administrators use Secure Shell (SSH) keys to authenticate machine identities and to gain the highest levels of administrative access in healthcare organizations. This makes SSH keys very valuable assets to administrators, and unfortunately, to cyber criminals as well.

However, despite the inherent risk of SSH key abuse, these powerful assets are routinely untracked, unmanaged and poorly secured. Unfortunately, this can leave the key in the door for cyber criminals.

“It’s absolutely imperative that healthcare organizations secure their machine identities,” said Nick Hunter, senior digital trust researcher for Venafi. “The healthcare industry faces intense threats from cybercriminals and must comply with rigorous regulatory standards. However, some of the most valuable assets in the industry are often left unprotected.”

Venafi recently conducted a study that evaluated how healthcare organizations manage and implement SSH in their environments. With participation from 102 IT security professionals from the healthcare sector, the study reveals a widespread lack of SSH security controls.

For example, only 8% of respondents admit they have a complete and accurate inventory of all their SSH keys. If healthcare organizations do not know where their SSH assets are or how they are managed, they cannot determine if keys have been stolen, misused or should even be trusted.

Additional highlights from the study:

  • Unlimited users can generate SSH keys across many systems.
    • Nearly half (47%) of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems.
       
  • Users have continuing access to critical assets.
    • One third (33%) of respondents admit they do not actively rotate keys, even when administrators leave their organizations. This can allow former employees ongoing privileged access to personally identifiable information (PII), critical healthcare payment data and sensitive systems.
       
  • No port forwarding can mean major problems.
    • 40% Forty percent of respondents said they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to bypass the firewalls between systems, a cybercriminal with SSH access can pivot rapidly across network segments.
       
  • SSH keys are rarely rotated, if at all.
    • 28% of respondents rotate SSH keys at least quarterly; 41% said they don’t rotate these keys at all or only do so occasionally. Attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.

“Unfortunately, this survey indicates that healthcare organizations are not securing all of the systems and applications that protect patient data. SSH keys provide elevated privileged access that must be protected with the same governance controls that are applied to administrator accounts and passwords,” concluded Hunter.

How healthy are the SSH assets at your healthcare organization?

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

hands reaching out of laptop screen holding ballot box, another person's hand casting a vote
Encryption

Will Encryption Backdoors Hurt Election Infrastructure? Security Professionals Say Yes.

Man standing in front of a cyber-secured world.

What If You Could Guarantee Eliminating Outages in Your Organization?

Next Gen Code Signing Venafi digital thumbprint

Next Gen Code Signing Takes Machine Identity Protection to the Next Level

About the author

Eva Hanscom
Eva Hanscom

Eva is Public Relations Manager at Venafi. She is passionate about educating the global marketplace about infosec and machine-identity issues, and in 2018 grew Venafi's global coverage by 45%.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat