Why is Zero Trust and Identity & Access Management becoming a Hot Topic for the NHS?
As we enter a new year, Zero Trust and Identity & Access Management have become an increasingly hot topic. This is driven by the urgency of protecting sensitive data following the rise in data breaches, and by an acknowledgement of the need to modernise. Health sciences and healthcare organisations manage highly variable workforces alongside a heterogeneous landscape of technology, data and resources. It is therefore crucial, now more than ever, to give the right entities the right access, and no more. Implementing an IAM solution built on Zero Trust will not only help with compliance with legislation, regulations, standards and guidelines, but also support an NHS Trust's journey to regaining control of its estate.
The year 2021 ushered in a new era of working for many of the more traditional organisations: flexible and remote working.
Following the COVID-19 pandemic, the ability to work flexibly became a priority for the National Health Service (NHS), and the NHS People Plan made clear that addressing the (health) needs of its people was vital for the future of the NHS.
As a result, flexible and remote working increased significantly within the NHS.
The average number of weekday meetings increased by 567%, from 13,521 to 90,253, at the height of the pandemic, as NHS staff ran virtual team meetings, case presentations, handovers and teaching sessions in the newly adopted hybrid fashion.
This drastic change had a markedly positive impact on NHS colleagues, with respondents reporting increased productivity, better turnout for meetings and, ultimately, an improved work-life balance, an area of significant importance for the NHS in attracting and retaining talent.
However, whilst the pandemic brought new, modern and innovative ways of working to the healthcare sector, the year also brought increased cyber-attacks, data breaches and ransomware attacks.
NHS data protection risks: unauthorised access, employee error, and malicious insiders
At the height of the pandemic, many speculated about the negative impact remote working would have on organisations' cyber security practices, including data protection risks.
These speculations were soon supported by research: in Q1 and Q2 of 2021, 727 security incidents were publicly disclosed, compared with fewer in Q3 and Q4, when COVID-19 restrictions eased.
IT Governance, a computer and network security organisation, broke down the security incidents of 2021 to reveal more about how they happen and who is to blame.
What was revealed?
Employee error was behind many of the breaches, accounting for 292 of them; negligence and accidents were the most common causes.
IT Governance noted that these mistakes, several of which involved healthcare facilities, included sending information to the wrong person, leaving physical or digital files in a public place, and failing to install updates, leading to physical assets becoming compromised.
Unauthorised access accounted for 29% of all data breaches in 2021, suggesting that authorisation and access management is a clear area for improvement across organisations and sectors.
Malicious insiders were another cause: 47 incidents were carried out deliberately by current or former employees, stealing sensitive data or sabotaging the organisation.
So, why has Identity & Access Management become a hot topic this year?
Studies show that this is the third consecutive year in which the health sciences and healthcare sector has suffered the greatest number of data breaches, with 277 recorded incidents accounting for 297 million breached records.
As a result, and in line with the Digital, Data and Technology Standards framework, independent Trusts are now setting out to reach a 'new bar for [service] quality and [operational and security] efficiency', and are seeking to regain full control of their facilities and infrastructure.
To reach that bar, follow standards and guidelines, and comply with legislation and regulations, the NHS is acknowledging that control starts with security, and is consequently focusing on its Identity & Access Management (IAM) and governance solutions.
NHSX, the joint unit responsible for setting national policy and developing best practice for NHS technology, digital and data, states its current goal as being to:
“…investigate how identity capabilities can be used, optimised, and organised to support the delivery of healthcare services. As well as identify appropriate technologies the work will also understand the challenges and limitations associated with their adoption.”
The work NHSX has currently set out for itself includes:
- Developing a standardised and consistent identity for patients and citizens across all of health and social care
- Developing strong authentication and access control methods to ensure access to local, regional, and national services and data
- Supporting the development of a digital staff passport for across health and social care to provide a record of all professional qualification, training, and capabilities
As NHSX states, combining identity and access management with workforce management will enable the NHS to reduce the "logon burden", accelerate workforce mobility, and address the connectivity, skills and cyber security challenges.
Remote working, personal devices, and lack of security protection
The rise in remote working has, for a start, forced many employees to rely on technology, often using personal devices to connect to their Trust's resources, data and applications.
The trouble is that this way of working, and the increased reliance on technology outside the organisation's perimeter, does not carry the same security protections that managed organisational systems offer. This places NHS Trusts in a far more vulnerable position, as there is now an increased risk of sensitive information ending up in an insecure environment.
Multiple accounts, recycled passwords
Staff at independent Trusts also hold multiple user accounts across their infrastructure to access different resources. Remembering a distinct, strong password for each is difficult, frustrating and time-consuming, so passwords are typically recycled and reused.
The problem is that once attackers obtain one password, it acts as a portal into every account where that same password is reused. This is especially damaging where a site, application or resource stores passwords unhashed or with a weak hash, since a breach of that one system exposes the password in a directly usable form.
If this doesn't worry you, maybe this will: according to a survey conducted by Google, after users were warned that their credentials had appeared in a breach, only 26.1% used the opportunity to move to stronger passwords, whilst 25.7% ignored the warning. This alone gives an insight into the breaches healthcare is susceptible to when independent Trusts neglect identity, access (and with it least privilege, PoLP) and governance.
Lack of governance, IAM, and least privilege
Following on from passwords is the current lack of governance over identities and least privilege access.
Least privilege, often referred to as the principle of least privilege (PoLP), is the practice of restricting the access rights of accounts, users and computer processes to only those resources that are strictly required to perform their authorised activities.
The lack of comprehensive identity & access management (IAM) in healthcare results in weaker authentication and access control. Without effective access controls and robust, adaptive authentication, it is difficult to see, control and ultimately authorise the right employees. So, if you're wondering 'should the NHS invest in Identity & Access Management solutions?', the answer is absolutely yes.
A password alone is no longer enough 'proof'
The fact is that trust is what the NHS runs on. For years the National Health Service and independent Trusts have treated a password as sufficient proof of identity, and granted access on that basis. But with today's technology and the capabilities of today's attackers, access granted on a password alone is no longer enough.
The general solution for corporate access and identity management
To start, and to reduce risk, work should be carried out on corporate-managed laptops wherever possible. Organisations should take the time and make the effort to implement security controls on those devices.
This should include multi-factor authentication (two-factor authentication as an absolute minimum), which diminishes the risk of unauthorised and illegitimate entities gaining access to accounts.
The necessary tools should be put in place to defend against potential risks, including anti-malware software and keeping applications up to date.
Combined, these measures give an organisation's IT team visibility over its IT infrastructure, allowing real-time monitoring for malicious activity.
For efficient and effective access management, healthcare organisations are advised to compartmentalise identities into three key areas: function, administration, and access to data.
The role of Zero Trust in Identity Access Management
'Zero Trust' is the latest buzzword of the technology industry. So, what is 'Zero Trust' and what role does it play in Identity & Access Management?
Traditionally, organisations have used location, ownership and control of physical assets as an implicit proxy for trust. It was easy for systems to assume that an entity presenting the correct login credentials (typically a username and password) from inside the network was exactly who it claimed to be, and to grant access accordingly.
Today, however, this is a flawed security paradigm.
'Zero Trust' is a cybersecurity model used within and alongside Identity & Access Management solutions. It is a paradigm in which trust is never granted implicitly but is continuously evaluated in order to protect resources.
The Gartner perspective on Zero Trust:
‘Zero trust is a security paradigm that replaces implicit trust with continuously assessed explicit risk/trust levels based on identity and context supported by security infrastructure that adapts to risk-optimize the organization’s security posture’
The fact is, to implement Zero Trust a solid identity foundation is required.
Therefore, several elements must be determined and in place beforehand:
- Directories and Trust relationships must be identified
- SSO must be implemented, and MFA activated
- Third party identity management must be standardized
- On-premises directory servers must be “locked down”
- Directory behavioural monitoring must be enabled
- A strategy for machine identities must be built
Where do we start with Zero Trust?
Once the identity foundations are in place, organisations should turn to networks.
Former models connected first and authenticated second. Now, the order is reversed: authenticate, then connect.
“Never Trust, Always Verify”
The key with Zero Trust is that trust is extended only once it has been verified, and only as far as it has been verified.
Always assume compromise. Location does not and should not confer implicit trust, and therefore access. Authenticators establish trust in the user's and the entity's identity; context (device health, location, behaviour) is an additional input to the access decision. Risk-appropriate, least-privilege access is then granted, based on the established level of trust and in accordance with policy.
Ultimately, with Zero Trust, everything is continuously monitored to identify anomalies and excessive risk.
Here is a list of recommendations, as suggested by Neil MacDonald, VP Analyst of Gartner:
- Get the identity foundation in place
- Implement conditional access for all, MFA for remote access
- Implement PAM (or at a minimum, MFA) for all admins
- Zero trust network access (ZTNA [replaces legacy VPN])
- Encrypt all data at rest in public clouds with customer-controlled keys
- Remove admin rights from most Windows users
- Segment end-users off the data centre network
- Segment (ringfence) critical applications
- Pilot remote browser isolation (RBI) for uncategorised sites or external URLs in email
- Implement lockdown/allow-listing on critical servers. Engage with dev to scan containers for new apps. For Kubernetes, link dev scanning to the admission controller
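The decision logic described above (authorisation by role, then device and network context, then a step-up to MFA where the risk warrants it) is easier to reason about as code. The following is an added example written for this page, not Shaping Cloud's, Gartner's or any vendor's policy engine; the request fields, role entitlements, sensitivity labels, the 10.0.0.0/8 "Trust network" range and the lockout threshold are all assumptions chosen for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt with the identity and context signals a policy
    engine would receive. Field names are assumptions for this example."""
    user: str
    role: str                  # role asserted by the directory, e.g. "clinician"
    resource: str              # target application or system
    mfa_verified: bool         # a strong authenticator already satisfied this session
    device_managed: bool       # device enrolled, encrypted and patched by the Trust
    source_ip: str
    failed_logins_last_hour: int = 0


@dataclass(frozen=True)
class Decision:
    outcome: str               # "allow", "step_up" (require MFA now) or "deny"
    reasons: tuple[str, ...]


# Constructed policy data; not an NHS or vendor configuration.
ROLE_ENTITLEMENTS = {
    "clinician": frozenset({"ehr", "intranet"}),
    "hr": frozenset({"hr-portal", "intranet"}),
    "admin": frozenset({"domain-controller", "intranet"}),
    "contractor": frozenset({"intranet"}),
}
RESOURCE_SENSITIVITY = {
    "intranet": "low",
    "hr-portal": "medium",
    "ehr": "high",
    "domain-controller": "critical",
}
TRUST_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed Trust address range
LOCKOUT_THRESHOLD = 5


def is_on_trust_network(source_ip: str) -> bool:
    """Location is context only; an unparseable address is treated as remote."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUST_NETWORKS)


def evaluate(req: AccessRequest) -> Decision:
    # 1. Least privilege: deny by default unless the role is entitled to the resource.
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, frozenset()):
        return Decision("deny", (f"role '{req.role}' is not entitled to '{req.resource}'",))

    # 2. Risk signal: a burst of failed logins looks like guessing or credential stuffing.
    if req.failed_logins_last_hour >= LOCKOUT_THRESHOLD:
        return Decision("deny", (f"{req.failed_logins_last_hour} failed logins in the last hour",))

    # 3. A resource missing from the classification is treated as high, not low.
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "high")
    remote = not is_on_trust_network(req.source_ip)

    # 4. Sensitive data only from a managed device, even when on the Trust's own network.
    if sensitivity in ("high", "critical") and not req.device_managed:
        return Decision("deny", (f"unmanaged device may not access a {sensitivity}-sensitivity resource",))

    # 5. MFA is required for anything above low sensitivity and for all remote access.
    if (sensitivity != "low" or remote) and not req.mfa_verified:
        why = "remote access" if sensitivity == "low" else f"a {sensitivity}-sensitivity resource"
        return Decision("step_up", (f"MFA required for {why}",))

    return Decision(
        "allow",
        (
            f"role '{req.role}' entitled to '{req.resource}'",
            "remote access with MFA" if remote else "Trust network",
            "managed device" if req.device_managed else "unmanaged device (low sensitivity only)",
        ),
    )


if __name__ == "__main__":
    sample = AccessRequest("a.nurse", "clinician", "ehr", mfa_verified=False,
                           device_managed=True, source_ip="10.20.30.40")
    print(evaluate(sample))  # step_up: on the Trust network, but MFA not yet satisfied
```

Two design choices are worth noting. Authorisation is checked before any context, so an unentitled role is refused even with MFA and a managed device. And being on the Trust's network never substitutes for authentication or device posture: an unmanaged laptop plugged into a ward socket is still denied the EHR, which is the "location is not trust" point the section makes.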
Why the NHS needs modern authentication
NHS Trusts must have firm control over employee access to mitigate any possible data breaches, leaks, or serious security incidents.
Incorrect allocation of an identity to an application, obscure role definitions, or inaccurate classifications can result in employees having too much or too little access, disrupting users' productivity and consequently halting business operations.
An effective IAM solution will not only contribute to a Trust's protection from compromised credentials, but can also contribute to improved business productivity, seamless functioning of digital systems, increased efficiency, lower costs and improved information governance.
Modern Identity & Access Management solutions incorporate a range of capabilities
As opposed to using multiple single-purpose technologies or tools, modern authorisation management solutions incorporate a range of capabilities.
These capabilities can be broken down into four areas: administration, audit, authentication and authorisation.
Administration refers to the management of users and their accounts. Audit refers to the collection and analysis of logs, and the application of segregation of duties (SoD) controls. Authentication covers capabilities such as multi-factor authentication (MFA) and single sign-on (SSO). Authorisation refers to controlling what users are allowed to do: where they may go, and which systems and data they are permitted to access.
Modern authentication goes deeper than usernames and passwords. It provides a framework for managing identity and for protecting the data, resources and infrastructure of the NHS Trust.
Security is crucial given the nature of the NHS and its responsibility for protecting UK citizens' sensitive data.
With modern identity, access and authorisation solutions, the NHS can expect enterprise-scale authorisation, federation and entitlement management. Users can also be provisioned and deprovisioned easily: as new starters join, as colleagues leave, and as people move around as their roles and line management change.
Auditing, monitoring, and enforcing new or amended security policies is another key feature of modern authentication systems.
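The joiner, mover and leaver handling and the audit function described above come down to one recurring comparison: the HR system's view of who works here and in what role, against the directory's view of who has which access. The following is an added example written for this page, not Shaping Cloud's product or any NHS process; the HR and directory field names, the role-to-group mapping and the 90-day dormancy threshold are assumptions, and the sample data is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


# Constructed role model: the directory groups each job role should hold.
# Assumption for this example, not an NHS or vendor schema.
ROLE_GROUPS = {
    "clinician": frozenset({"staff", "ehr-users"}),
    "hr": frozenset({"staff", "hr-portal-users"}),
    "admin": frozenset({"staff", "domain-admins"}),
    "contractor": frozenset({"staff"}),
}
DORMANT_DAYS = 90


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    end_date: date | None = None     # set once HR records a leaving date


@dataclass(frozen=True)
class DirectoryAccount:
    user_id: str
    groups: frozenset[str]
    enabled: bool
    last_logon: date | None = None   # None means the account has never logged on


@dataclass(frozen=True)
class Action:
    kind: str        # provision, disable, grant, revoke, review_dormant
    user_id: str
    detail: str


def reconcile(hr: list[HrRecord], directory: list[DirectoryAccount], today: date) -> list[Action]:
    """Compare the HR source of truth with the directory and list the changes
    needed to bring access back to what each person's current role requires."""
    hr_by_id = {r.user_id: r for r in hr}
    dir_by_id = {a.user_id: a for a in directory}
    actions: list[Action] = []

    for uid, rec in hr_by_id.items():
        acct = dir_by_id.get(uid)
        has_left = rec.end_date is not None and rec.end_date <= today

        if acct is None:                       # joiner: no account yet
            if not has_left:
                groups = ", ".join(sorted(ROLE_GROUPS.get(rec.role, frozenset())))
                actions.append(Action("provision", uid, f"groups: {groups}"))
            continue

        if has_left:                           # leaver: the account must not stay enabled
            if acct.enabled:
                actions.append(Action("disable", uid, f"left on {rec.end_date.isoformat()}"))
            continue

        expected = ROLE_GROUPS.get(rec.role, frozenset())
        extra = acct.groups - expected         # mover or privilege drift: revoke these
        missing = expected - acct.groups       # mover: grant what the new role needs
        if extra:
            actions.append(Action("revoke", uid, ", ".join(sorted(extra))))
        if missing:
            actions.append(Action("grant", uid, ", ".join(sorted(missing))))

        dormant = acct.last_logon is None or (today - acct.last_logon).days > DORMANT_DAYS
        if acct.enabled and dormant:           # current staff who never use the account
            actions.append(Action("review_dormant", uid, f"no logon in {DORMANT_DAYS} days"))

    for uid, acct in dir_by_id.items():        # orphans: enabled accounts with no HR record
        if uid not in hr_by_id and acct.enabled:
            actions.append(Action("disable", uid, "no matching HR record"))

    return actions


def demo() -> list[Action]:
    """Constructed sample data covering a joiner, a leaver, a mover, an orphaned
    account, and privilege drift on a dormant contractor account."""
    today = date(2022, 1, 31)
    hr = [
        HrRecord("u001", "clinician"),
        HrRecord("u002", "hr", end_date=date(2021, 12, 31)),
        HrRecord("u003", "hr"),                # moved from clinician to HR
        HrRecord("u005", "admin"),             # joiner, not yet in the directory
        HrRecord("u006", "contractor"),
    ]
    directory = [
        DirectoryAccount("u001", frozenset({"staff", "ehr-users"}), True, date(2022, 1, 28)),
        DirectoryAccount("u002", frozenset({"staff", "hr-portal-users"}), True, date(2021, 12, 30)),
        DirectoryAccount("u003", frozenset({"staff", "ehr-users"}), True, date(2022, 1, 27)),
        DirectoryAccount("u004", frozenset({"staff"}), True, date(2022, 1, 20)),  # no HR record
        DirectoryAccount("u006", frozenset({"staff", "domain-admins"}), True, date(2021, 9, 1)),
    ]
    return reconcile(hr, directory, today)


if __name__ == "__main__":
    for action in demo():
        print(f"{action.kind:15} {action.user_id}  {action.detail}")
```

Run against the constructed data this produces seven actions: disable the leaver (u002) and the orphan (u004), revoke ehr-users and grant hr-portal-users for the mover (u003), provision the joiner (u005), and for the contractor (u006) revoke the domain-admins membership that no contractor role should carry and flag the account for review because nobody has used it in over 90 days. Revocations are emitted before grants so that a mover never holds both the old and the new role's access at once, and the output is a list of actions rather than direct directory writes, so it can be reviewed and logged before anything is changed.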
NHS Zero Trust and IAM solution: Shaping Cloud
Shaping Cloud offers bespoke IAM solutions, giving your NHS Trust seamless and secure access to applications, data and other information on any device, from any location.
This further permits your Trust to remain productive and on-trend with technological development, meeting the needs and requirements of both the organisation and citizens.
Our integrated Identity & Access Management service provides expert consultancy, design, development, implementation, integration, and managed support throughout.
Working with you, we take the time to fully understand your systems, data and applications, your current backup and retention policies, and your business needs and requirements. This 'discovery phase' allows us to determine the design and configuration of your new Identity & Access Management solution.
Shaping Cloud ensures quality assurance throughout, providing ongoing support, assistance and advice. Testing is carried out by our expert cloud engineers, so you can rest assured that all migrations, configurations or new solutions run smoothly with minimal disruption and impact.
Ready for change? Book in a call with one of our specialists, or contact us directly today on hello@shapingcloud.com. If you have any additional questions, please fill out our ‘Get in Touch’ form below – we would be more than happy to help.