If the Ponemon study were a horror flick, it’d be titled “The Login Came from Inside the System.” This week’s episode dives into the alarming trend of organizations handing out privileged access like Halloween candy — only to forget who’s still got it long after the party’s over. With 59% of organizations reporting a breach caused by an insider or a third party in the last two years, and executives confidently sailing past the iceberg of reality, we explore what happens when no one’s really sure who can still get into the network. Spoiler alert: it’s not good. So grab your flashlight and audit logs — we’re heading into the haunted house of unrevoked access.
In this episode:
Access Granted… and Never Revoked – Ep 507
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
When you see a pair of numbers in brackets on the left side of the text below, click it to go directly to that part of the audio. Get the best of both worlds, from the show notes to the audio and back!
HIPAA Briefs
[03:31]Resolution Agreement with Guam Memorial Hospital Authority
Settlement marks OCR’s 11th ransomware enforcement action and 7th enforcement action in OCR’s Risk Analysis Initiative
An HHS investigation was initiated due to a January 7, 2019 complaint. The investigation revealed that around 5,000 individuals’ ePHI was compromised during a December 2018 ransomware attack on GMHA.
HHS received another complaint against GMHA on March 17, 2023, while they were still investigating the ransomware complaint. HHS’s investigation into the new complaint revealed that two former employees accessed GMHA’s network systems in March 2023 after their employment had ended.
What we appear to have here is a ransomware attack, which was bad enough by itself. Then, as if to prove the lack of access controls even further, former employees were accessing systems in 2023 while the ransomware complaint was still under investigation.
No shock here that failure to conduct the SRA is the violation they settled on; OCR didn’t go down the path of the other violations involved.
“Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats,” said OCR Acting Director Anthony Archeval.
They have a 3-year CAP; that’s normally just 2 years. But they are paying only $25k, which may have been negotiated down from a higher amount in exchange for the longer 3-year CAP.
Access Granted… and Never Revoked
[10:28]Ponemon Report: Third-Party Privileged Access, Uncontrolled Risk
- Third-party and insider access risk is growing – Organizations report greater risk today compared to two years ago, especially with increasing overprovisioned access.
- Privileged users—both internal and external—are the biggest insider threat – Elevated access rights lead to a higher chance of breaches and errors.
- Confidence in managing access risk is low – Only 36% say they’re effective at managing these risks, highlighting a widespread gap in governance.
- Monitoring and centralized control are lacking – 69% of organizations do not have a unified, centralized access control strategy or continuous monitoring.
- Policy enforcement is inconsistent across third parties – Only 29% of organizations are highly confident in their ability to enforce access policies on third-party users.
- Access deprovisioning is poorly handled – 40% of organizations do not have a formal process for removing access when a third-party relationship ends.
- [27:30] 52% experienced a third-party-related cybersecurity incident – These incidents stemmed from overprivileged access or access that was no longer needed.
- 59% of organizations had a third-party or insider-caused breach – These incidents occurred within the last two years.
- Zero Trust models are underutilized – Just 21% of organizations have adopted Zero Trust to help manage insider and third-party access risk.
- Executives are out of step with actual risk levels – There’s a significant disconnect between leadership’s perception and the reality of insider and third-party risk exposure.
At the end of the day, managing access shouldn’t be like trying to remember who still has a key to your old apartment. This episode laid bare how bad things can get when no one’s minding the digital front door — and yes, that includes copier techs, third-party vendors, and Bob from accounting who left in 2019. The fix? Get serious about access lists, deprovisioning, and maybe, just maybe, start doing those tabletop exercises instead of assuming nothing bad will ever happen. Spoiler: it will.
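A concrete check for the deprovisioning gap the report calls out, and for the scenario in the GMHA brief above (former employees logging in after their last day): this is an added example, not code from the podcast or from the Ponemon report. It joins an account inventory against HR separation dates and vendor contract end dates, flags anything still enabled or actually used past that date, and also flags privileged accounts nobody has used in 90 days. Every username, vendor name, date and the 90-day threshold is constructed for the example.

```python
"""Stale-access review: join an account inventory against HR separation
dates and vendor contract end dates and flag access that should have been
revoked.  Added example; all names, dates and thresholds are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    user: str
    kind: str                   # "employee" or "vendor"
    org: str                    # employer, or the vendor company for vendor accounts
    enabled: bool
    privileged: bool
    last_login: Optional[date]  # None = never logged in


# Constructed sample inventory (what a directory export would give you)
ACCOUNTS = [
    Account("asmith",      "employee", "Hospital",  True,  True,  date(2023, 3, 14)),
    Account("bjones",      "employee", "Hospital",  True,  False, date(2023, 3, 20)),
    Account("cwhite",      "employee", "Hospital",  False, True,  date(2022, 11, 2)),
    Account("dlee",        "employee", "Hospital",  True,  False, date(2023, 3, 22)),
    Account("copier-svc",  "vendor",   "CopierCo",  True,  True,  date(2022, 12, 1)),
    Account("ehr-support", "vendor",   "EHRVendor", True,  True,  date(2023, 3, 21)),
]

# Constructed HR feed: user -> last day of employment
SEPARATIONS = {"asmith": date(2023, 2, 28), "cwhite": date(2022, 10, 31)}
# Constructed vendor-management feed: vendor -> contract end date
CONTRACT_END = {"CopierCo": date(2022, 9, 30)}

REVIEW_DATE = date(2023, 3, 31)
INACTIVE_PRIV_DAYS = 90  # assumed review threshold for idle privileged accounts


def access_end_date(acct, separations, contract_end):
    """Date after which this account should no longer exist, or None."""
    if acct.kind == "employee":
        return separations.get(acct.user)
    return contract_end.get(acct.org)


def find_stale_access(accounts, separations, contract_end, as_of):
    """Return sorted (user, reason, detail) findings; detail is an ISO date or 'never'."""
    findings = []
    for a in accounts:
        end = access_end_date(a, separations, contract_end)
        if end is not None and end < as_of:
            # Relationship is over but the account was never disabled.
            if a.enabled:
                findings.append((a.user, "enabled_after_end", end.isoformat()))
            # Worse: the credential was actually used after the end date.
            if a.last_login is not None and a.last_login > end:
                findings.append((a.user, "login_after_end", a.last_login.isoformat()))
        # Live privileged account nobody is using: overprovisioned or forgotten.
        if a.enabled and a.privileged:
            idle = (as_of - a.last_login).days if a.last_login else None
            if idle is None or idle > INACTIVE_PRIV_DAYS:
                detail = a.last_login.isoformat() if a.last_login else "never"
                findings.append((a.user, "privileged_inactive", detail))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason, detail in find_stale_access(ACCOUNTS, SEPARATIONS, CONTRACT_END, REVIEW_DATE):
        print(f"{user:12} {reason:20} {detail}")
```

Feed it real exports from the directory, HR system and vendor-management records and run it on a schedule. An `enabled_after_end` finding is a deprovisioning failure to fix; a `login_after_end` finding means the revocation failed and the credential was used anyway, which is an incident, not a housekeeping item.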
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.