Managing Third Party AccessYou may not even know about all the applications and support logins that vendors use on your applications, systems, and networks. Vendors may set up admin passwords and share them with their whole staff to support you. If they have unlimited access to the systems out there and the usernames and passwords never expire or log off automatically that is certainly not secure. How do you manage all of those?  If there are things that automatically log in and run, what about those?  Managing Third Party Access may be a bigger issue than most of us realize.

HIPAA For MSPs Managing 3rd Party Access
00:00:00 00:00:00

In this episode:

Special shout outs and speaking dates

Severino speaks about enforcement plans

Managing Third Party Access

Special shout outs

  • Shout out Smythe Duval who mentioned us on the Compulink discussion board. Extra credit points?  YES = 4
  • Shout out to John Dubinsky from Maven Group who mentioned us a good bit on Podnutz – The Computer Repair Podcast #231 about HIPAA https://www.youtube.com/watch?v=uDxGUFfe3og – How many points will David give him?  4

Speaker Dates

  • South GA MGMA – June 21, 2017, Valdosta, GA
  • The Atlanta Association of Legal Administrators – July 19, 2017, Atlanta, GA
  • North Metro MGMA – Oct 17, 2017, Kennesaw, GA
  • Georgia Association of Orthopedic Executives, Nov 2017

In the news:

http://www.hipaajournal.com/ocr-director-stresses-importance-of-keeping-health-data-secure-8788/

Speaking at the Health Datapalooza yesterday, Severino said he viewed himself as the ‘top cop’ of health IT and confirmed he is taking his new role seriously and that he “came into this job with an enforcement mindset.”
Further settlements with covered entities found to have ignored HIPAA Rules are to be expected. Severino highlighted the most recent OCR settlement – the $2.5 million penalty for CardioNet – as an example of just how important it is for healthcare organizations of all types to ensure that reasonable steps are taken to safeguard patient data and ensure ePHI remains confidential. He also referenced the introduction of HITECH explaining how it increased the allowable fines for non-compliance with HIPAA Rules.

Ransomware attacks have attracted his interest. While ransomware is mostly used to extort money from healthcare providers, Severino pointed out that ransomware attacks can result in “data being compromised, destroyed, gone for ever,” and confirmed that “it’s very likely the organizations will have to report it to OCR.” As with all breaches impacting more than 500 individuals, ransomware attacks will be investigated. OCR could fine organisations that fail to implement defences against ransomware and ensure all sensitive data are backed up.


Today’s topic: Managing Third Party Access

You may not even know about all the applications and support logins that vendors use on your applications, systems, and networks. Vendors may set up admin passwords and share them with their whole staff to support you. If they have unlimited access to the systems out there and the usernames and passwords never expire or log off automatically that is certainly not secure. How do you manage all of those?

If there are things that automatically log in and run, what about those?

First, this is not an easy problem to solve but it is on all those IT and software vendors out there to step up and solve this security problem. Here are some of the things that are happening out there on your systems and you don’t even know about it.

  • IT companies all have the main admin username and password that the whole staff has access to
  • All the different applications have support logins or admin logins
    • Admin of whole system
    • Admin of database
    • Admin of
  • Automated scripts that login as admin and run things
  • Windows (Server) services that login as admin and run things
  • Website vendors that have admin control of your site
  • One username and password for the copier vendors
  • Admin on the firewalls and access points
  • Admin on the medical devices and all of their settings

How bad can it be?

A case in the news involved a tech admin that was let go. Weeks before he was let go he had changed the admin password to their G Suite or O365. No one knew it and no one knew it had changed. He said he would be glad to give it to them if they hired him as a consultant to do the “work”. The fee was $200,000. They went to court over it. Finally, the vendor reset them but eventually the court ruled for the employer – in this case.

These super powerful user names can be hacked / used by staff that know them. You can’t defend against this at all.

How can you manage third party access?

Identify

  1. Start with a list of all your software vendors and IT service providers based on the list above – they should all be BAs
  2. Contact each of them and determine what they have (start with the highest risk ones which you should know from your BA list):
    • Do you have any default usernames and passwords that your device, team, systems, applications use that always work to access that resource?
    • What about these other kinds of user names
      • Usernames to access your network (VPN?, Windows?, Remote Access they set up?, FTP?)
      • User names for network devices like firewalls, access points, printers, copiers, medical devices, etc.
      • Usernames to access your applications (special security tools, Quickbooks, EHR, PM, network shares)
      • User names that run automated scripts
      • User names that run system services
  3. Are admin rights included on any of the user names they do have in place?
  4. How do they manage security of the usernames and passwords with access to your systems?
    • Use complex passwords for all user names and make sure they are changed regularly
    • Change the passwords each time an employee leaves
    • Never use the same password for all clients
    • Use password manager tools that do not let employees know the actual passwords themselves?
    • Limit access to the usernames and passwords to the minimum staff necessary to support you

What do you do with the information once you have it?

Protect

Once you have that information you can pretty easily know the ones to be highly concerned about and begin to deal with them.

Ultimately, you want them to have unique usernames and passwords for everything they do. If you see that someone did something you should know who that is not that is was one staff member of three different vendors who all know how to login as admin to your systems. You also want to know that they have a secure method for handling them just like you do for your staff.  One of the hardest parts of managing third party access is feeling confident that they are protecting that access information and limiting the people who are allowed to know and use it.

Also, make sure their sessions automatically log off and disconnect just like everyone else.

Tech people are used to having their way and no one questioning them so they may push back. Send them to listen to this episode.

Make managing third party access a part of all vendor reviews

It doesn’t matter what you do they need to have this kind of access to support you and do their jobs. BUT… they need to treat their power responsibly.  Managing third party access ends up being a subset of managing your BAs.

It is very hard to get a lot of people to see the big picture around their jobs. *I used to explain to techs all the time that just because it was easier for you to tell them to wipe and restore does not mean it is easy for them. You just shut down a business for a whole day and may have cost the company more than you make in a year. *

The same can be said for tech staff’s tunnel vision when it comes to the use of these authority levels in the background or when they are performing tasks.

…with great power there must also come — great responsibility!
Uncle Ben Parker to Peter Parker, aka Spider-Man
OR Winston Churchill in 1906 if you need a real person


There are so many different ways that vendors of all sorts have used their controls to access and run systems it may take some time to find them all.  But, even missing one could leave you open to a breach. It is well worth taking the time to have them account for what happens behind the scenes.  Once we sat down and started going through this with a few clients we learned that managing third party access will become a whole new line item on our to-do lists.

Remember, HIPAA is not about compliance, it’s about patient care.