SSH Keys: Security Asset or Liability for Health Care?
With the extensive network systems found in the health care industry, SSH keys are widely used to provide privileged administrative access and to secure machine-to-machine automation for important business functions. However, SSH keys are routinely untracked, unmanaged and unmonitored. This lack of visibility and control can create HIPAA violations by not adequately restricting access to Electronic Protected Health Information (ePHI). If SSH keys are not securely managed, the organization does not know who has access.
Only eight percent of health care companies have accurate SSH key inventories. In addition, nearly half allow all or most of their administrators to manage SSH keys for the systems they control, resulting in an ad hoc process using inconsistent security practices. With no expiration and a lack of life cycle management, health care organizations can wind up with millions of SSH keys and a broad attack surface for insider threats and cybercriminals.
In this session, we'll examine SSH study results that reveal widespread lack of security controls for SSH keys in the health care industry. We'll discuss the common mistakes that almost all health care organizations make around security, policy, and auditing practices when managing SSH keys. We'll note the SSH key risks that are not addressed by IAM/PAM solutions and why they are probably some of the biggest risks in your network. The session will conclude with a 4-step approach to protecting SSH keys in health care networks.