A Healthy Plan: The Three Critical Components of a Successful Identity and Access Management Strategy
Applying IAM practices to cyber networks and systems
Most homeowners come up with well-established “rules” for their houses: They don’t allow anyone and everyone to come inside. And, for those who are part of the household, there are certain places which are off-limits. A child does not, for example, bring the Nintendo Switch to the study when mom is writing an annual corporate report. The dog can roam freely in the basement and kitchen – but definitely not in the master bedroom.
So if we’ve set up such rules for our homes, why don’t we – as members of the healthcare industry – do the same for our cyber networks and systems? Fortunately, we can. Through practices collectively known as Identity and Access Management (IAM), IT departments centralize, standardize and automate users’ allowable entry to networks, systems, files, data, apps and other resources.
Partial adoption of IAM capabilities
To date, we’re just scratching the surface of IAM’s potential: The global IAM market is expected to grow from $7.94 billion in 2016 to $20.87 billion by 2022, according to projections from Stratistics MRC. Yet, despite the anticipated adoption, current research findings convey a state of IAM capabilities that’s divided between the “haves” and the “have nots” among healthcare organizations and companies in general:
- Only one in ten healthcare organizations indicates that it’s leveraging IAM as a highly impactful component of its cybersecurity strategy, according to the “Cybersecurity 2017: Healthcare Provider Security Assessment” report from the College of Healthcare Information Management Executives (CHIME) and KLAS Research. One-quarter have either purchased an IAM solution but have not yet implemented it, or aren’t implementing anything.
- Nearly three-quarters of healthcare professionals use colleagues’ passwords to access electronic health records (EHRs), according to survey research published by Healthcare Informatics Research, and 57 percent say they’ve done this 4.75 times on average. Literally 100 percent of medical residents admit to the practice, along with 83 percent of interns and 77 percent of students.
- Nearly three of five senior-level IT security professionals still rely on manual processes – as opposed to automated ones – to control and audit access to critical systems, according to research from SPHERE Technology Solutions. More than three of ten rate their organizations as “low” in terms of overall IAM maturity.
- Companies considered at the highest level of IAM maturity, however, are seeing significant benefits, according to research from Forrester Consulting. They experience half as many breaches (5.7 on average over a two-year period) as the least mature organizations do (12.5), with 43 percent of high-maturity businesses indicating that they’ve never had a network breach. As a result, the estimated value of their losses due to attacks is much smaller – $4.3 million over the two-year period, as opposed to $9.5 million for the least mature organizations.
- What’s more, nine of ten of those at the highest level of maturity are deploying integrated IAM platforms, according to the Forrester research. When asked to rank the benefits of IAM, top performers cited improved privileged activity transparency (51 percent), reduced findings from compliance audits (51 percent), greater individual accountability (49 percent) and the elimination of redundant IAM tech (46 percent).
The growing urgency of greater IAM adoption
Healthcare organizations will need to strongly consider more investment in IAM practices and solutions, according to a U.S. Department of Health and Human Services (HHS) Cybersecurity Task Force report published in June. The “Report on Improving Cybersecurity in the Health Care Industry” recommends stronger authentication to “improve identity and access management for (healthcare) workers, patients, and medical devices/EHRs.” Too often, clinicians, support staff, patients and additional users simply enter passwords to call up systems, according to the report, when biometrics, tokens, multifactor authentication, wearable tech and mobile technologies could provide better protection while building a “trust relationship” with patients.
It doesn’t help that developing an effective IAM program is more complicated than ever, especially as healthcare organizations maintain tech apps and functions both on-premises and in the cloud. With all of the options out there, we depend upon a myriad of platforms, each with its own security procedures. Still, whether your organization runs its tech solutions on-premises, in the cloud or a mix of both, you can implement a strong IAM program which greatly protects your network and systems across the board – as long as you include the following three critical components:
A thorough inventory
Whether you run a small, rural clinic or a multi-location healthcare corporation with 40,000 employees, you must conduct a top-to-bottom inventory of all users and their roles. You then match roles to appropriate access areas – a nurse has to call up patient data, for certain. But sensitive company fiscal files? Not so much. As part of this effort, in addition to documenting what people can call up, you need to determine what they can do with it, i.e., whether they have “read only” access or can make changes to a particular file.
Because this amounts to a tall order for large enterprises, you probably want to consider applying risk-based principles to inventory prioritization. In other words, focus on those who deal with the most – and most sensitive – data first. This would include financial executives and data analytics team members, the latter because they pretty much have access to everything.
Enterprise-wide usage identification
This is where you find out what users are actually accessing, as opposed to what they’re supposed to access. Having established segregation of duties in step one, you now deploy automated analytics tools to examine activity logs and identify whether employees (not to mention contractors and additional third parties) are entering areas which do not appear to serve a legitimate, work-intended purpose. The facilities supervisor, for instance, may check room temperature levels for patients. But he has no business pulling files which contain the health insurance information of those patients.
Once you’ve inventoried roles and identified the degree of appropriate and inappropriate activity via automated analytics tools, you cannot “set it and forget it.” You have to constantly monitor what’s going on to ensure individual roles align to allowable actions. The tools must be capable of adjusting to changes in responsibilities – when a surgeon is promoted to chief of staff, her duties will expand and, accordingly, so should her access to various parts of the organization. When the surgeon leaves for another hospital system, however, the cybersecurity team has to eliminate any access to internal assets.
To make such oversight possible, the automated analytics product needs to deliver a “single pane of glass” view of activity. Your cybersecurity team should not have to click from one screen to another to track individual tech systems, file-sharing interactions and email exchanges. With a cohesive and unified monitoring experience, the team will be best positioned to view – and respond to – everything in real-time.
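The three components above, as an added example that is not the article’s own code: a role inventory (step one), an audit of constructed activity-log lines against that inventory (step two), and role-change and leaver handling for ongoing monitoring (step three). Every user, role, resource and log line is assumed for illustration.

```python
# Added example (not the article's code): a minimal role inventory and an
# access-log check that flags activity outside a user's role. Every user,
# role, resource and log line below is constructed for illustration.
# Step 1, the inventory: each role maps to the resources it may use and the
# permission it holds there ("read" only, or "write" for making changes).
ROLE_ACCESS = {
    "nurse": {"patient_records": "write", "room_sensors": "read"},
    "facilities_supervisor": {"room_sensors": "write"},
    "surgeon": {"patient_records": "write", "surgical_schedule": "write"},
    "chief_of_staff": {"patient_records": "write", "surgical_schedule": "write",
                       "staffing_reports": "read"},
    "finance_executive": {"fiscal_files": "write"},
}
# Current role of each active user; a departed user is simply absent.
USER_ROLE = {"nina": "nurse", "frank": "facilities_supervisor", "sara": "surgeon"}

def is_permitted(user, resource, action):
    """True only if the user's current role grants this action on the resource."""
    role = USER_ROLE.get(user)
    if role is None:
        return False                       # unknown or offboarded user
    granted = ROLE_ACCESS[role].get(resource)
    if granted is None:
        return False                       # resource not in the role's inventory
    return action == "read" or granted == "write"   # write permission implies read

def audit(log_lines):
    """Steps 2 and 3: compare constructed log lines ('time user action resource')
    against the inventory and return the entries that fall outside it."""
    findings = []
    for line in log_lines:
        ts, user, action, resource = line.split()
        if not is_permitted(user, resource, action):
            findings.append((ts, user, USER_ROLE.get(user), action, resource))
    return findings

def change_role(user, new_role):
    """Promotion or transfer: later audits use the new role's entitlements."""
    USER_ROLE[user] = new_role

def offboard(user):
    """Leaver: drop the user so any further access is flagged."""
    USER_ROLE.pop(user, None)

if __name__ == "__main__":
    sample_log = ["09:00 frank read room_sensors",      # in role
                  "09:05 frank read insurance_files"]   # out of role: flagged
    for finding in audit(sample_log):
        print("review:", finding)
```

The findings list is what the “single pane of glass” view would surface for the cybersecurity team; in a real deployment the inventory and role changes would come from the HR and directory systems rather than in-code dictionaries.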
At our homes, we don’t “set rules” to dictate a “Department of No” environment. Instead, we seek to establish a sense of order, so that a closed door at the very least tells a child to “Knock Before Entering.”
Similarly, IAM enables healthcare organizations to incorporate the same manner of guidelines and enforcement, so a lab worker is granted authority to review medical records, as opposed to such authority being assumed and allowed with little to no restrictions. Through effective inventory, identification and monitoring, an IAM program doesn’t inhibit business at hand. It supports it – building widespread confidence among managers, employees and patients that everyone is accessing what they’re supposed to, and nothing more.