Venafi Study: 92% of Health Care Organizations Leave SSH Key Privileged Access Unmanaged and Unsecured
LAS VEGAS (HIMSS18, Booth 10750) – March 7, 2018 – Venafi®, the leading provider of machine identity protection, today announced the results of a study of how health care organizations manage and implement Secure Shell (SSH). Over one hundred IT security professionals from the health care industry participated in the study, which reveals a widespread lack of SSH security controls.
According to Venafi’s research, even though SSH keys provide the highest levels of administrative access, they are routinely untracked, unmanaged and poorly secured. For example, only eight percent of respondents admit they have a complete and accurate inventory of all their SSH keys. If health care organizations do not know where SSH assets are or how they are managed, they cannot determine if keys have been stolen, misused or should even be trusted.
“It’s absolutely imperative that health care organizations secure their machine identities,” said Nick Hunter, senior digital trust researcher for Venafi. “The health care industry faces intense threats from cybercriminals and must comply with rigorous regulatory standards. Unfortunately, this survey indicates that health care organizations are not securing all systems and applications that protect patient data. SSH keys provide elevated privileged access that must be protected with the same governance controls that are applied to administrator accounts and passwords.”
Key findings of the study include:
* Nearly half (forty-seven percent) of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems. This limitless access to unrestrained assets and controls leaves organizations without a clear view of SSH keys and with no insight into the trust relationships established by them.
* One third (thirty-three percent) of respondents admit they do not actively rotate keys, even when administrators leave their organizations. This can allow former employees ongoing privileged access to personally identifiable information (PII), critical health care payment data and sensitive systems.
* Twenty-eight percent of respondents rotate SSH keys at least quarterly; 41 percent said they don’t rotate these keys at all or only do so occasionally. Attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.
* Forty percent of respondents said they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to bypass the firewalls between systems, a cybercriminal with SSH access can pivot rapidly across network segments.
The study was conducted by Dimensional Research in November 2017. It analyzed responses from 102 IT and security professionals in the health care sector. Respondents have in-depth knowledge of SSH and are located in the U.S., U.K. and Germany.
Venafi is the cybersecurity market leader in machine identity protection, securing connections and communications between machines. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise (on premises, mobile, virtual, cloud and IoT) at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.
With over 30 patents, Venafi delivers innovative solutions for the world's most demanding, security-conscious Global 5000 organizations, including the top five U.S. health insurers, the top five U.S. airlines, four of the top five U.S., U.K. and South African banks, and four of the top five U.S. retailers. For more information, visit: http://venafi.com.