How a Healthcare Provider Secures Its Cloud Infrastructure
Insights from a healthcare security executive on how automating risk mitigation and compliance boosted their cloud infrastructure security.
For healthcare provider organizations like IntelyCare, moving IT operations to the cloud to properly support remote workers can be a scary proposition. The ever-increasing number of cyberattacks can cause many sleepless nights for anyone in charge of IT systems and sensitive data. Fortunately, there are a variety of cloud security solutions on the market to ensure that admins can rest easy and healthcare provider organizations can continue their vital work.
IntelyCare provides a digital staffing platform that matches our nursing professionals with open assignments at our healthcare facility partners. Our platform helps our partners manage their internal workforce and connect in real-time to a pool of over 24,000 credentialed nursing professionals to fill their open shifts.
Our cloud infrastructure at risk
As a data-driven technology company, we use an architecture and development model for our applications that is agile, enabling us to quickly evolve. This means we can continuously add new capabilities to better meet the needs of our nurses, while at the same time ensuring our facility partners can stay properly staffed.
But this flexibility comes with challenges. Our system contains sensitive data, such as medical records, vaccination information, and Covid test results. Furthermore, every state in the country has different data regulations. While we're not a HIPAA entity, we do employ thousands of nursing professionals, so we have an extensive database to maintain and protect.
Given the nature of cloud infrastructures - in which thousands of human and service identities are granted access to resources - our data is at risk. We wanted a deeper, more granular way of understanding how identities are interacting with our cloud environment, so we could quickly detect and remediate these risks. We also needed to implement the principle of least privilege to properly govern access to our resources.
Lastly, we needed to comply with CIS Benchmarks, which require us to continuously identify and correct any misconfigurations.
Hundreds of risky entitlements fixed
So, we made 'trust, but verify' our first order of business. Using a land-and-expand model, we initially focused on our staging environment to detect and remove all overprivileged configurations. This was made possible through an automated solution provided by Ermetic.
Through dashboards and reports that can be easily shared with our various teams, Ermetic gives us granular visualization and analysis of all of IntelyCare’s cloud identities and associated entitlements.
Using automated remediation, we fixed hundreds of risky entitlements in our QA systems in the first half of 2021. After two months of seeing no disruptions to our business from the automation, we moved to remediate lower-priority risk items that had also been detected. We then turned our attention to deploying CIS best practices, such as specifying and configuring multi-factor authentication.
Improved compliance, automation — and trust
This project has enabled us to significantly improve our cloud security posture. We use the compliance reports generated by Ermetic to communicate progress to executive leadership, increase collaboration between Security and DevOps, and equip Engineering with a remediation and least privilege “playbook.”
We plan to expand this automation to enforce least privilege in all of our cloud environments, including Kubernetes Security Posture Management for our Kubernetes environment and production applications.
Throughout this project we've used incremental steps to build trust with our Security, Development and Engineering teams around the infrastructure and then in our production environment. We started with quick wins that were relatively easy to implement, such as multi-factor authentication (MFA) and encryption. By focusing on publicly accessible resources that pose the biggest risk, our Security lead and other risk teams can come in behind them to supplement their work.
Gaining visibility into our cloud environment was crucial in understanding how resources were being used and where we had security gaps. Using automation allowed us to eliminate exhaustive manual processes and perform in minutes what would have taken two or three security people months to accomplish.
This article was authored by Larry Viviano, Director of Information Security, IntelyCare