The IT Director at a large US healthcare provider believed his network was secure. But then an IT audit revealed problems with the security settings on hardware and applications at various sites. In one instance, a server that hosts a clinical trial application was configured with null administrator passwords. This made sensitive patient data available to anyone with physical access to the machine.
The concerned director contacted us. Without a means to continuously detect non-compliant hardware and applications deployed on the network, his organization risked data breaches and failed HIPAA compliance audits. He was eager to close any remaining security holes, and said his priorities were to:
• Remediate any remaining privileged account vulnerabilities.
• Detect new hardware and software components on the network, scan them for privileged account vulnerabilities, and immediately remediate the issue.
• Strengthen existing privileged credential controls to prevent access by unauthorized personnel or malicious programs.
• Monitor and control administrative access to servers and applications.
• Document the status of privileged access for HIPAA compliance audits.
How to Deal With a Dynamic Network
It’s a situation that we here at Lieberman Software encounter frequently. Whenever you deploy new computers and applications on a network, they can cause unforeseen security risks. Shared and default privileged account passwords are introduced through deployment scripts, ghosted images, default appliance credentials and developer “back doors.” And by not always documenting every privileged account credential embedded in their products, hardware and software vendors can also introduce a slew of security holes.
Once discovered, changing privileged passwords in embedded service accounts, system logins, and elsewhere introduces risk of disrupted service. System lockouts can occur when other, dependent services fail to update.
Regulatory compliance mandates covering most industries require you to discover and manage every privileged account introduced by new operating systems, applications and services. For example, PCI-DSS, HIPAA and others require default passwords to change when deploying new computers and applications.
Despite these standards, few organizations are able to comply because:
• Identity access management (IAM) frameworks don’t detect or control privileged identities.
• Organizations lack automated processes to maintain authoritative lists of the systems, applications and services where these credentials reside.
• Privileged account interdependencies are rarely documented. This means changing just one privileged password has the potential to lock out other, dependent services that share the same credentials.
Automatically Locate and Secure Privileged Identities
A server can have privileged identities present in local and domain accounts, in configured services and scheduled tasks, and in a range of applications including COM+ and DCOM applications, IIS websites, and databases such as Oracle and SQL Server. Multiply these by the many computers and network appliances in your organization to get an idea of the difficulty to document each account and its interdependencies. And then add another layer of complexity – changing each privileged account password frequently enough to meet regulatory mandates.
Fortunately, automated processes exist that can help organizations regain control in a cost-effective manner. Privileged identity management software can automate the task to discover privileged accounts, change privileged credentials according to the organization’s security policy, and facilitate rapid password recovery so that authorized IT staff can perform routine services and emergency repairs in an audited manner.
The Healthcare Provider Regains Control of its Network
As for the healthcare provider at the start of this post? They deployed our adaptive privileged identity management solution. The IT Director reported that the software achieved his goal of finding and remediating insecure privileged accounts on his dynamic network. However, he was surprised by how many issues were detected by the product.
Specifically, it helped his team find and address privileged credentials that were unnecessarily shared among different servers and applications. And, it detected many stale accounts that the IT team didn’t even know existed. He now feels ready for his next HIPAA audit.