Just over a year ago, North Country Healthcare relied on VPN access for every vendor, leading to what its chief information officer described as another piece of paper with login credentials sitting out in the open on people’s desks.
As a non-profit, federally qualified health center, NCHC serves 12 communities across northern Arizona and has grown significantly over the last few years to meet community healthcare needs.
Now working with some 100 providers and serving 50,000 patients a year, it has had to partner with more technology vendors to continue providing quality care and services for its rapidly expanding community.
“I was constantly concerned about who had the credentials to access our environment,” said Jon Smith, CIO at NCHC. “With VPN access, it’s difficult to track down and monitor whose credentials are in use, who is using them, what they have access to, and managing when they should expire. You can put some restrictions in place, but with a VPN, you still don’t have full control over third-party access.”
Compared to other industries, the healthcare sector suffers more cyberattacks, with medical breaches up 55% in 2020 and the cost of an average breach ranging from $7 million to $15 million. So a nonprofit like NCHC has zero margin for error.
“Well-versed in cybersecurity before joining NCHC, I knew that most of these breaches begin with third-party vendors, especially those that provide managed IT services,” Smith said. “At the same time, NCHC is a nonprofit healthcare center with limited internal resources, and we rely on third-party vendors. I quickly realized we needed to implement a better vendor access management solution to ensure NCHC’s security as we continue to grow.”
Initially, NCHC was working to discover a way to improve VPN access. Staff members were working 80-hour weeks just to stay on top of access management and security for the organization. Like most IT executives, Smith typically gets hundreds of pitches from technology vendors that fill up his inbox and voicemail. When he heard what SecureLink had to offer, though, he asked for a demo.
“Now, not only are we in control of the access and credentials, we’ve also been able to set up each individual’s access at such a granular level based on the principle of least privilege, that we’re no longer concerned about users abusing their access to that degree.”
Jon Smith, North Country HealthCare
“SecureLink was not the VPN access improvement that we initially were searching for,” he explained. “Instead, it eliminates the issue of VPN vulnerability altogether. SecureLink proposed their zero trust network access solution for third parties, which begins with the assumption that individuals are a threat – rather than trusted – and are treated accordingly.
“The vendor’s network access is provided on a least-privilege basis, meaning our vendors would have access to only what they need, when they need it and nothing more,” he continued. “The solution would provide network access based on the zero trust principle and grant NCHC granular controls and permissions with the ability to restrict third-party remote access to only the application they need and nothing more – all of which I found very appealing.”
Additionally, with the proposed solution, NCHC could store and inject credentials to avoid having to share usernames and passwords with third-party representatives, removing the risk associated with keeping track of credentials on sticky notes, he added.
MEETING THE CHALLENGE
After the initial setup process, SecureLink almost immediately eliminated the “sticky note” concerns with vendors. With no more VPN to access, NCHC’s vendors no longer had to write down shared VPN passwords.
What’s more, because NCHC’s vendors were now logging into SecureLink instead of directly into NCHC’s systems, the provider organization could add in an additional layer of security with more complex passwords.
“Additionally, SecureLink’s intuitive vendor onboarding process quickly freed up our administration team to tackle other pressing concerns,” Smith noted. “Now that NCHC can put in account expiration dates and track vendor activity, it’s really easy for us to know who is accessing which NCHC systems, and more important, who isn’t.”
The security vendor’s web-based remote access significantly reduces the risk of a third-party breach while streamlining NCHC’s vendor access management, he said.
“Besides providing NCHC with the tools to granularly control and isolate third-party access, the solution also supports all the connectivity requirements our third parties have: RDP, SSH, Telnet, VNC, as well as any TCP or UDP protocols and any native tools that the third-party vendor may have,” he explained. “It’s a comprehensive remote access security solution that uses a zero trust model to protect our network from potential data exposure.
“We effectively secured access to our electronic health records, for our application management and records management partners, and to segmented portions of our local network to our managed network partners and our physical security partner,” he added. “Whenever we need someone to gain access, even for a short period of time, we know that it’s going to be done securely and recorded.”
When NCHC was relying on VPN access to secure its network, it was not able to monitor accounts for when vendor credentials should expire. Now, more than half of the accounts created have expired.
Moreover, the vendors associated with these accounts have not asked for their credentials to be renewed. This is beneficial from a security standpoint for NCHC because it knows those credentials are not out there to be used anymore.
“Now, not only are we in control of the access and credentials, we’ve also been able to set up each individual’s access at such a granular level based on the principle of least privilege, that we’re no longer concerned about users abusing their access to that degree,” Smith said.
“We also were able to identify services that were mission critical and ensure that they’re only accessed during non-production time, or that access is requested if it’s needed during production hours.”
ADVICE FOR OTHERS
“You need to be fully aware of the risks that are associated with using security measures such as VPNs versus zero trust network access,” Smith advised. “Outsourced technology vendors typically are short-term contracts with healthcare organizations, and simply because their work is done does not mean they are going to safely discard their credentials.”
An extra level of security to limit these credentials, in terms of access to information and access time period, matters for information as sensitive as medical records and systems.
“When you outsource infrastructure solutions, it has to be accompanied by elaborate security to protect the organization’s internal infrastructure,” he said. “You may not realize the cybersecurity risk within your organization, but looking at recent cases like the ransomware attack on Eskenazi Health, you’ll see that it can happen anywhere if you’re not prepared for threats from the beginning.
“This technology is truly one that completely solves one of the larger risks in an organization, and at the same time provides your organization the ability to audit all external access,” he concluded.