Vast majority of healthcare organisations leave SSH keys unmanaged and unsecured

By Venafi
Published: 9 March 2018

A new study has revealed how healthcare organisations manage and implement Secure Shell (SSH). Over one hundred IT security professionals from the healthcare industry participated in the study by Venafi, which exposed a widespread lack of SSH security controls.

According to the research, even though SSH keys provide the highest levels of administrative access, they are routinely untracked, unmanaged and poorly secured. For example, only 8% of respondents say they have a complete and accurate inventory of all their SSH keys. If healthcare organisations do not know where their SSH keys are or how they are managed, they cannot determine whether keys have been stolen or misused, or whether they should be trusted at all.

“It’s absolutely imperative that healthcare organisations secure their machine identities,” said Nick Hunter, senior digital trust researcher for Venafi. “The healthcare industry faces intense threats from cybercriminals and must comply with rigorous regulatory standards. Unfortunately, this survey indicates that healthcare organisations are not securing all systems and applications that protect patient data. SSH keys provide elevated privileged access that must be protected with the same governance controls that are applied to administrator accounts and passwords.”

Key findings of the study include:

  • Nearly half (47%) of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems. This unrestricted access leaves organisations without a clear view of their SSH keys or insight into the trust relationships those keys establish.
  • One third (38%) of respondents admit they do not actively rotate keys, even when administrators leave their organisations. This can allow former employees ongoing privileged access to personally identifiable information (PII), critical healthcare payment data and sensitive systems.
  • 28% of respondents rotate SSH keys at least quarterly; 41% said they don’t rotate these keys at all or only do so occasionally. Attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.
  • 40% of respondents said they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to bypass the firewalls between systems, a cybercriminal with SSH access can pivot rapidly across network segments.
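The inventory and port-forwarding findings can be checked per host. The following is an added example, not code from the study or from Venafi: it parses `authorized_keys` content, records each key's type, fingerprint and comment, and reports whether the per-key options (`restrict`, `no-port-forwarding`, `port-forwarding`) leave forwarding enabled. The function names and the sample entries are constructed for illustration, and the check covers per-key options only, not server-wide settings in `sshd_config`.

```python
import base64
import hashlib
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def split_unquoted(text, seps):  # split on seps, but not inside "quoted" values
    parts, buf, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        prev = ch
    return [p for p in parts + [buf] if p]

def audit_line(line):  # one inventory record per key line, None otherwise
    fields = split_unquoted(line.strip(), " \t")
    if not fields or fields[0].startswith("#"):
        return None
    options = []
    if not fields[0].startswith(KEY_TYPES):  # leading field is the option list
        options, fields = split_unquoted(fields[0], ","), fields[1:]
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPES):
        return None  # malformed entry
    forwarding = True  # per-key default; options apply in order, last one wins
    for name in (o.lower() for o in options):
        if name in ("restrict", "no-port-forwarding"):
            forwarding = False
        elif name == "port-forwarding":
            forwarding = True
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return {"type": fields[0], "comment": " ".join(fields[2:]),
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            "port_forwarding": forwarding}

def audit(text):
    return [rec for rec in map(audit_line, text.splitlines()) if rec]

def _blob(label):  # constructed placeholder bytes, not a real public key
    return base64.b64encode(label.encode()).decode()

SAMPLE = "\n".join([  # constructed sample authorized_keys content
    f"ssh-ed25519 {_blob('key-a')} alice@workstation",
    f'restrict,command="/usr/bin/backup --mode full" ssh-ed25519 {_blob("key-b")} backup',
    f"restrict,port-forwarding ssh-rsa {_blob('key-c')} tunnel@jump",
    f'from="10.0.0.0/8",no-port-forwarding ssh-ed25519 {_blob("key-d")} svc@app',
])
```

Calling `audit(SAMPLE)` returns four records; the first and third have `port_forwarding` set to `True` and are the entries to review.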

The study was conducted by Dimensional Research in November 2017. It analysed responses from 102 IT and security professionals in the healthcare sector. Respondents have in-depth knowledge of SSH and are located in the US, UK and Germany.