IGA Tools Ensure that Healthcare Employees Get the Job Done While “Staying in Their Lane”

It takes a wide variety of employees accomplishing a vast range of tasks to make a healthcare organization work. But, today, these organizations face challenges in ensuring their staffers “stay in their lane” by not overstepping the boundaries of their roles.

Research nurses, for example, can write up orders for blood tests, but they’re not authorized to release the orders. That is the physician’s job.

A billing administrator may write up charges for a patient’s visit, but cannot actually receive the payment. Otherwise, the administrator could conceivably commit financial fraud by falsifying charges and pocketing the money.

For IT managers and teams overseeing electronic medical record (EMR) and other systems, enforcing the limitations of authorized activity for these and countless additional roles creates confusion and frustration. It amounts to monitoring in piecemeal fashion one siloed system after another, without a cohesive, unified way to “see” everything and respond accordingly.

The constant threat of cyber attacks linked to the employees’ behaviors – whether they intend to cause a hacking incident or not – makes the situation all the more foreboding. In the absence of an entirely integrated “eye” over all activity that is acceptable and that which is not, the healthcare enterprise remains highly vulnerable.

This is where Identity Governance and Administration (IGA) can step in to help. As defined by Gartner, IGA tools manage digital identity and access rights throughout multiple systems by aggregating, correlating and distributing related data to better control user access. Areas of focus include identity lifecycle/entitlements management, access requests/certification, workflow orchestration and reporting.

Overall, the global IGA market is expected to increase to $5.8 billion in 2021, up from $3.2 billion last year, according to projections from IHS Markit. The concerns expressed by healthcare security and IT professionals make a strong case for industry-wide adoption, and the rising risk of employee-linked cyber attacks is what keeps them up at night: more than three of five healthcare IT and IT security practitioners rank malicious insiders as a top security threat, and 64 percent say the same about employee negligence or error, according to survey research conducted by the Ponemon Institute and sponsored by Merlin International.

In attempting to respond, organizations are most challenged by a lack of tools to monitor employees and other insiders (as cited by 27 percent of healthcare IT leaders), according to additional survey research from Imperva. Other challenges include inadequate staffing to analyze permissions data when employees seek to call up files, information, systems, etc. (as cited by 25 percent of survey respondents); the growing number of employees, contractors and business partners connecting to the network (24 percent); and the abundance of company assets stored within the network or in the cloud (24 percent).

IGA products tackle these issues head-on, allowing IT teams to “see” in real time who is accessing what data and critical workloads – and whether that person’s job function is cleared for such privileges. IGA helps the teams flag behaviors on the part of users who may unintentionally invite risks, in addition to alerting them to when a malicious insider could be stealing or destroying data. It provides access control and audit log management, as well as privacy- and breach-management maps to satisfy security requirements of the Health Insurance Portability and Accountability Act (HIPAA) Audit Protocol. In fact, identity management/authentication is considered among healthcare IT and IT security practitioners as the most effective step in achieving security objectives, as cited by 71 percent of respondents in the Ponemon/Merlin International survey.

Beyond enhanced cybersecurity monitoring and mitigation, IGA solutions empower organizations to address the following key needs:

Segregation of Duty (SoD) rules

This refers to the previously described scenarios involving the nurses, billing administrators and everyone else on staff who must “stay in their lane.” For starters, it’s simply the best way to run a healthcare organization. What’s more, HIPAA and other regulations require the enforcement of SoD.

Fortunately, with IGA-level visibility in place, leadership and IT teams acquire a “single pane of glass” perspective of their entire infrastructure access ecosystem (including cloud environments like Amazon Web Services and Microsoft Azure), file sharing/collaboration activity (such as the usage of Dropbox and SharePoint), EMR usage and enterprise resource planning (ERP)/business functions (Salesforce, PeopleSoft, etc.). Thus, when the annual audit comes around, IT won’t have to gather endless records from many silos to demonstrate appropriate role/access authorizations and controls. Instead, it will collect the information from a single source.

Provisioning automation

Too many healthcare organizations are still saddled with traditional, time-consuming manual processes when bringing in new employees (or contractors) and configuring their user access authorizations. In this case, HR typically sends a notice to various managers about who’s coming in, and what they’re allowed to do, and IT manually sets up provisioning. If the users’ roles change, then the authorizations require (manual) updating. If they leave the company, then their access rights must be removed (again, manually).

IGA eliminates these tedious inefficiencies by automating all provisioning – from onboarding-stage authorizations to promotions/role expansions to the end of a user’s association with the organization. The solutions do this for temporary hires too: If a contractor is only supposed to work on-site for three months, IGA will automatically grant allowable access for those three months, and shut it off when the job is done.
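As an added illustration (not Merlin’s or any IGA vendor’s code), the following Python model shows how the Segregation of Duty rules and the time-bound provisioning described above can be expressed in one place: roles carry entitlements, role assignments carry a validity window, a contractor’s grant expires on its own, and the same data answers the auditor’s question of who holds what and whether any toxic combination exists. Every role name, entitlement name and identity below is constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Role -> fine-grained entitlements. Names are constructed for this example and
# mirror the scenarios above: nurses write lab orders but only physicians may
# release them; billing staff enter charges but must not receive payments.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "research_nurse": {"lab_order.create"},
    "physician": {"lab_order.create", "lab_order.release"},
    "billing_admin": {"charge.create"},
    "cashier": {"payment.receive"},
    "contract_analyst": {"report.read"},
}

# SoD rules: pairs of entitlements no single identity may hold at the same time.
SOD_RULES = [
    ("charge.create", "payment.receive",
     "entering charges and receiving payments must be separated"),
]


@dataclass
class Assignment:
    role: str
    start: date
    end: Optional[date] = None  # None = open-ended (regular employee)


@dataclass
class User:
    uid: str
    assignments: List[Assignment] = field(default_factory=list)


def effective_entitlements(user: User, today: date) -> Set[str]:
    """Union of entitlements from every assignment active on `today`."""
    ents: Set[str] = set()
    for a in user.assignments:
        if a.start <= today and (a.end is None or today <= a.end):
            ents |= ROLE_ENTITLEMENTS[a.role]
    return ents


def is_authorized(user: User, action: str, today: date) -> bool:
    return action in effective_entitlements(user, today)


def sod_violations(user: User, today: date) -> List[str]:
    """Reasons for every SoD rule the user's current entitlements break."""
    ents = effective_entitlements(user, today)
    return [why for a, b, why in SOD_RULES if a in ents and b in ents]


def provision_temporary(user: User, role: str, start: date, days: int) -> Assignment:
    """Grant a role for a fixed window; it lapses without anyone revoking it."""
    grant = Assignment(role, start, start + timedelta(days=days - 1))
    user.assignments.append(grant)
    return grant


def offboard(user: User, last_day: date) -> None:
    """Close every open or later-ending assignment at the user's last day."""
    for a in user.assignments:
        if a.end is None or a.end > last_day:
            a.end = last_day


def access_report(users: List[User], today: date) -> Dict[str, dict]:
    """The single-source view an auditor asks for: who holds what today, and
    which SoD rules are currently violated."""
    return {
        u.uid: {
            "entitlements": sorted(effective_entitlements(u, today)),
            "sod_violations": sod_violations(u, today),
        }
        for u in users
    }


# Constructed sample identities.
nurse = User("nurse01", [Assignment("research_nurse", date(2023, 1, 9))])
doctor = User("md01", [Assignment("physician", date(2020, 6, 1))])
# A billing admin who was also handed the cashier role: a toxic combination.
biller = User("bill01", [Assignment("billing_admin", date(2022, 3, 1)),
                         Assignment("cashier", date(2024, 1, 15))])
contractor = User("ctr01")
provision_temporary(contractor, "contract_analyst", date(2024, 1, 1), days=90)

if __name__ == "__main__":
    for uid, row in access_report([nurse, doctor, biller, contractor],
                                  date(2024, 2, 1)).items():
        print(uid, row)
```

The point of keeping `start`/`end` on the assignment rather than on the user is that the contractor’s access ends by construction, and an offboarded employee’s assignments close on one date, so the audit report for any day is computed from the same records that enforce access.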

Ultimately, that’s what IGA is about – users getting their jobs done, without going beyond any authorized activity. Managers and IT teams are no longer stretched from silo to silo attempting to track who’s doing what, nor do they spin into a mad scramble come compliance-time to prove that they’re in good standing. Everything is “all there … in one place.” As a result, healthcare organizations boost efficiencies and save on operating costs while focusing more on what they do best: improving the lives of their patients.

Electronic Health Records: It’s the Data. Not the App.

Organizations get locked into vendors’ apps

In seeking ways to gather and analyze – and hopefully act upon – electronic health records (EHRs), organizations are following a familiar path: They assess their needs, and then hire a vendor to support them. At this point, they’re locked into the selected vendor’s app, in terms of how they input, review and analyze data.

However, we now exist in an age in which data is delivering endless possibilities; when we pursue information discovery and seek to make good decisions from the resulting, newly acquired knowledge, we’re really only limited by our imaginations. Which is why traditional, vendor-centric approaches are no longer relevant.

In other words, it’s about the data. Not the app. Given that the EHR market is expected to grow to $33.41 billion in value by 2025, according to a forecast from Grand View Research, the stakes are too high to cling to antiquated models.

The limitations of vendors’ apps

Let’s illustrate with a realistic scenario: A patient encounters blood pressure issues, even though he’s already taking medication for his condition, so a hospital doctor writes up a new prescription. Because it’s new, the doctor wants the patient to take daily blood pressure readings with an at-home monitor and report back. Steady information over a stretch of time, after all, provides more value than that observed during occasional office visits.

The data isn’t difficult to collect. The patient can do it on his own, and call it into the doctor’s office. But what if the existing vendor tool doesn’t allow for the inputting of daily blood pressure readings? What if it caps this inputting to, for instance, four readings a year? In this case, both the doctor and patient are stuck with what the vendor has to offer. Sure, the doctor can work through higher-ups at the hospital to see if the vendor would upgrade the app so it’s configured for daily blood pressure readings. But the vendor may have other upgrades they need to address first, putting new requests on the back burner for months or longer.

You can apply the same sort of scenario to a patient’s weight, heart rate, blood-sugar level, cigarette/alcohol usage or any one of a number of other components which lend insights into someone’s state of health. The information is ready and available. But if the solution isn’t configured to incorporate it into a data capture/analysis program, the information will end up in limbo.

Tailoring apps to organizations’ needs

So what’s the solution?

Again, it’s about the data. Or, more precisely, thinking “data first” and then app.

Organizations should initially consider what exactly they want to capture, whether it’s blood pressure readings, cancer screenings, cholesterol checks, smoking cessation success rates, etc. Then they can figure out what kind of app will work best. Tech innovation is driving swifter and greater adoption of agile practices. IT departments are now positioned to more readily and easily develop (or pay to have developed) mini-apps to perform specialized functions – further rendering obsolete the monolithic, rigid, “our way or no way” mega-vendor tools.

All that’s required is a secured, indexable database. With this, organizations and users input whatever they wish into the database, and then build mini-apps accordingly so teams create chart visualizations, analytics tools, treatment plans, etc.

Problems with the traditional model

To cite another scenario, let’s say that same hospital doctor from before would like to know if her patients were picking up their prescriptions in a timely manner. Obviously, her local drug stores would have to compile and report this information to her. They could even work together to set up an alert notification system should patients fail to pick up their prescriptions within two weeks. Sounds simple, right?

Not if we’re still talking about the traditional model: The doctor might tell the vendor what she plans to do, and the vendor could respond that their product isn’t configured for data related to prescription pickups. Further complicating things, the app may need to work with multiple reporting systems used by the various drugstore companies, with no way to determine compatibility in advance. Setting up a workable solution might take a year – or longer.

The modern approach

But through a modern, agile approach, the doctor simply comes up with a data collection/notification alert plan with the drug stores, has IT construct a secure, indexable database, and then designs (or, again, hires someone to design) a mini-app to monitor prescription transactions, send alerts for late pickups and otherwise enable the doctor and her team to analyze various patterns within the data.

Or take another example: two or more unrelated entities (like a pharmacy and a diagnostics lab and a hospital) are all trying to get data into the same EHR, but if they don’t share the same EHR for the same patient (and they don’t) then they can’t do it directly. With a standard data-based health model they could throw transactions into the same pot to be discovered by relevant applications later.

A data-first strategy

The upshot: For too many years, organizations dependent upon EHRs have resigned themselves to an “If we build it, you will come” arrangement with their vendors, i.e., the vendor builds the tool, and organizations buy in and adjust to its quirks and limitations. And being that other hands-on health care priorities often take precedence, who could blame them?

But today, those same organizations can advocate for a “Let the data come first, and then we’ll build it …” strategy. By determining the intent of their discovery initiatives and data models up front, they compel COTS vendors and open-source developers to build functionality around them. The market ultimately provides a better solution, and healthcare organizations (HCOs) end up with information that is more comprehensive, immediate, insightful and actionable – empowering them as more effective healthcare practitioners and better “custodians” of EHRs.

What Healthcare Organizations Should Consider Before Migrating to the Cloud

Limited cloud adoption

On the surface, findings from Healthcare Information and Management Systems Society (HIMSS) research convey a sense that healthcare organizations are universally embracing the cloud. According to the study, an estimated 84 percent currently use cloud services.

But dig a little deeper and you discover that adoption is limited, especially for critical functions related to electronic medical records (EMRs) and enterprise resource planning (ERP). Only 34 percent of healthcare organizations have migrated clinical applications and data to the cloud, and just 32 percent use the cloud for archived data and Health Information Exchange needs. In addition, less than one-quarter are turning to the cloud for back office apps and data.

Key considerations before migrating

In my interactions with industry executives, many say they’re testing the waters, with email, file storage and the like. Even so, they’re reluctant to wholly replace in-house data centers with public cloud versions. Use of EMR, ERP and analytics vendor hosting is popular, however. But this should generally be considered as private cloud hosting in a geographically separate data center.

Yet, given the vast and often-reported benefits of the cloud – including the improvement of workflows through greater flexibility, collaboration, efficiency, rapid scalability, and productivity – many of these same executives are seeing advantages in an increased presence. In determining whether the cloud is right for an organization, I stress four key considerations:

1. Security remains the greatest concern

Indeed, security ranked #1 among adoption barriers in the HIMSS study, as cited by 54 percent of study participants. While the sentiment is understandable, I believe the issue is somewhat overblown. Cloud vendors have more security measures in place, with more infrastructure and power. If breaches do occur, they’re usually the result of employees not adopting proper guidelines and security best practices. In my experience, following a reputable cloud vendor’s rules will keep you as or even more protected than would keeping everything on-premise.

2. Network reliability can be uncertain

If you use a private host for your network, you likely have strong datacenter redundancy for maximum uptime. But if you’re running your network on a public cloud, you’re entirely dependent upon the internet. If your connection to the internet goes down, you will lose access to business-critical resources until connectivity is restored. That’s a big gamble. You could reduce risk by paying for two or three regional internet services – but this may prove too costly for some organizations. And for those in rural areas, it’s not even feasible.

3. Speaking of costs…

If you’re planning to store massive volumes of data in the cloud, you’re looking at a hefty monthly bill – one that will typically exceed what you’d pay with an on-premise datacenter. That said, if you have a large amount of infrastructure which has to be replaced, it could make sense. You eliminate the “short-term pain” of a huge capital investment by rolling it into a monthly, operational expense. For some organizations, this approach may be more fiscally realistic.

4. “So what if we simply ‘dip our toes’ into the waters with a hybrid model?”

This comes up in my conversations all the time. Healthcare executives want to put “safe” data assets in the public cloud, and keep more sensitive/mission-critical ones closer at hand. However, hybrid models elevate the complexities of ID management. If you extend the network over a combination of on-premise, private hosted, private cloud and/or public cloud options, you create ID management issues which could result in operations disruptions and potential employee backlash over the inability to access the data, files and apps that they need to do their jobs. HIPAA data access logging and auditing become a larger and more diverse challenge.

Currently, there are few tools available which would help IT teams resolve these problems. We have experience at Merlin with a very powerful tool that provides a single “pane of glass” to manage identities across all environments and many key applications regardless of where they are hosted.

Weighing the pros and cons

As you can see, deciding whether to migrate significant IT functions to the cloud isn’t a “one size fits all” proposition. You must measure the pros and cons based upon your organization’s size, location, industry niche and other relevant factors, while also assessing the various comfort levels with any changes the cloud may bring. Finally, calculate expected ROI comparing it against the financial impact of not making the switch.

In other words, cloud migration is as much a business proposition as it is a “tech thing.” Proceed accordingly.

How Healthcare Organizations Can Reduce the Cybersecurity Risks of IoT

The increasing adoption of IoT

If you walk through the corridors of a hospital today, you will inevitably be surrounded by the Internet of Things (IoT). From X-ray machines to heart monitors to even HVAC units and refrigerators, healthcare organizations are turning to connected devices and machines to provide not only better care but an improved “patient experience.”

Because of this, the IoT’s presence within the industry is expected to increase rapidly for the immediate future: The IoT healthcare market is growing 30.8 percent every year and is projected to reach just over $158 billion by 2022, up from $41.22 billion this year, according to research from MarketsandMarkets.

By 2018, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently present within 64 percent of organizations) followed by energy meters (56 percent) and X-ray/imaging devices (33 percent). Four of five executives expect IoT to encourage more innovation, while about three-quarters anticipate that it will expand organization-wide visibility and boost cost-savings.

Proactive steps to prevent security breaches

Yet, there are concerns about the technology, as 89 percent of healthcare organizations have suffered from an IoT-related breach, according to the Aruba research. Hackers are well aware, of course, that IoT brings new vulnerabilities, and they are eager to exploit them. In April, testimony from a top Merck & Company cybersecurity executive before the House Committee on Energy and Commerce’s Oversight and Investigations Subcommittee validated the concerns.

“In just the last few years … we’ve seen more than a hundred million health records of American citizens (compromised or threatened) in a couple of well-publicized incidents,” said Terry Rice, vice president of IT risk management and chief information security officer (CISO) at Merck. “We have seen how software vulnerabilities in insulin pumps and pacemakers can be exploited to cause potentially lethal attacks. And we have witnessed entire hospitals in the United States and the U.K. shutting down for multiple days to combat ransomware infections in critical systems. Unfortunately, I believe these incidents underrepresent the risk we are facing.”

Given the developments, healthcare CISOs and their teams should consider the following proactive steps to prevent horror movie-like “Attack of the Connected, Wild Things” scenarios – steps that respond to both the technological and human-focused elements of this emerging technology:

Segment everything

You should create a dedicated, separate network for IoT. With a segmented architecture entirely fortified by its own firewalls, you ensure that IoT devices will never interact with the rest of your enterprise network environment – including patients’ personal information, fiscal reports, HR records, etc. Connected devices and machines will strictly communicate with the servers which support them, and the ports and destinations they serve. Thus, if attackers compromise them, there’s only so much damage they can do, because their activity and malware are sealed off from everything else.

Establish controls over implementation

Frankly, organizations are taking an “anything goes” approach with IoT – one that undermines their ability to properly oversee and control it. A facilities manager, for example, could decide to install a connected alarm system in the elevators. An anesthesiologist may plug in a new product to see how it works. Hospitals win research grants all the time, and these grants often arrive with IoT-enabled technologies to assess.

In too many cases, however, all of this takes place without bringing in the CISO. Non-IT executives approve an acquisition, and their staffers simply “plug in” without thinking of whether they’re introducing new vulnerabilities. So, clearly, CISOs must work with C-suite leaders to come up with policies which will require the involvement of security teams with any IoT initiative, large or small, with threat vigilance always incorporated into the process.

Expanding visibility

The CISO’s mantra, “You can’t protect what you can’t see,” is more relevant than ever. It’s difficult to protect the enterprise, after all, if you don’t know who is plugging in what, and where. Through the effective, organization-wide visibility of all systems activity, you will receive notifications every time new IP addresses show up. When they do, you can verify whether they are properly sealed off within your segmented IoT network. If they aren’t, you can shut them down until IT can locate them and redirect them to the segmented network.
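The two recommendations above, a segment in which each device talks only to its supporting servers and an alert whenever an unknown address appears, can be checked mechanically against flow records from the segment firewall. The Python below is an added example, not code from the article or from any product it mentions; the IoT address range, the per-device allowlist, the management jump host and the flow-log line format are all constructed assumptions, and a real deployment would read the same fields from its own firewall or NetFlow export.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed layout: one dedicated IoT segment, plus an allowlist of the
# (server, port) pairs each inventoried device may reach.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
DEVICE_POLICY = {
    "10.50.1.12": {("10.50.0.5", 443)},   # patient monitor -> monitoring server
    "10.50.1.20": {("10.50.0.9", 104)},   # imaging device -> DICOM archive
    "10.50.2.40": {("10.50.0.7", 8883)},  # HVAC controller -> MQTT broker
}
# Enterprise-side hosts allowed to initiate connections into the segment.
MANAGEMENT_HOSTS = {"10.10.9.2"}

# Assumed flow-log line shape: "<timestamp> src=<ip> dst=<ip> dport=<port> ..."
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


class Finding(NamedTuple):
    kind: str
    src: str
    dst: str
    dport: int


def check_flow(src: str, dst: str, dport: int) -> Optional[Finding]:
    src_in = ipaddress.ip_address(src) in IOT_SEGMENT
    dst_in = ipaddress.ip_address(dst) in IOT_SEGMENT
    if src_in:
        if src not in DEVICE_POLICY:
            # A new address inside the IoT segment nobody has inventoried.
            return Finding("unknown_device", src, dst, dport)
        if (dst, dport) not in DEVICE_POLICY[src]:
            # Inventoried device reaching beyond its supporting servers.
            return Finding("policy_violation", src, dst, dport)
        return None
    if dst_in and src not in MANAGEMENT_HOSTS:
        # Something on the enterprise side reaching into the IoT segment.
        return Finding("ingress_violation", src, dst, dport)
    return None  # enterprise-to-enterprise traffic is out of scope here


def scan_flow_log(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        f = check_flow(m.group(1), m.group(2), int(m.group(3)))
        if f:
            findings.append(f)
    return findings


# Constructed sample flow records.
SAMPLE_FLOWS = [
    "2024-03-04T10:15:02Z src=10.50.1.12 dst=10.50.0.5 dport=443 proto=tcp",  # allowed
    "2024-03-04T10:15:09Z src=10.50.1.20 dst=10.50.0.9 dport=104 proto=tcp",  # allowed
    "2024-03-04T10:16:31Z src=10.50.2.40 dst=10.10.2.7 dport=445 proto=tcp",  # HVAC -> HR file server
    "2024-03-04T10:17:45Z src=10.50.3.77 dst=10.50.0.5 dport=443 proto=tcp",  # never inventoried
    "2024-03-04T10:18:02Z src=10.10.5.23 dst=10.50.1.12 dport=22 proto=tcp",  # workstation into segment
    "2024-03-04T10:18:40Z src=10.10.9.2 dst=10.50.1.12 dport=22 proto=tcp",   # jump host, allowed
    "2024-03-04T10:19:00Z src=10.10.5.23 dst=10.10.2.7 dport=445 proto=tcp",  # not IoT traffic
]

if __name__ == "__main__":
    for f in scan_flow_log(SAMPLE_FLOWS):
        print(f"{f.kind}: {f.src} -> {f.dst}:{f.dport}")
```

The `unknown_device` finding is the “new IP address showed up” notification from the text; `policy_violation` is a known device stepping outside the servers and ports it exists to talk to; `ingress_violation` catches the opposite direction, which a segment-only firewall rule set often forgets.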

Maximizing the benefits of IoT

As always, hospital executives, doctors, nurses and additional staffers are dedicated to delivering the best care available for their patients. More than ever, they’re discovering that IoT is making this possible. But to maximize the benefits of these innovations without placing the network, systems, and data at risk, IT must collaborate closely with operations/business units so IoT is sufficiently segmented, and nothing is introduced which can harm anything outside of its own, contained ecosystem. In other words, you can take advantage of many “good things” through these devices without unleashing an army of “wild things.”

Rise of Patient-Connected Devices Requires Commitment to Proven Cybersecurity Practices

Household IoT systems create new vulnerabilities

Healthcare is increasingly moving to the household: Driven primarily by testing, screening and monitoring products, the global home healthcare market is expected to surpass $364 billion by 2022, up from just over $239 billion today, according to a forecast from MarketsandMarkets.

Network connected devices – particularly those considered part of the Internet of Things (IoT) – account for a great deal of this demand. By 2019, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently deployed by 64 percent of organizations). As indicated, this adoption surge has extended into the home, with medical practitioners remotely monitoring just over 7 million patients worldwide – a figure that is projected to increase to 50.2 million by 2021, according to research from Berg Insight.

Life-threatening risks

If the bad guys start hacking patient-connected or embedded devices, there could be life-threatening outcomes. An adversary may, for example, manipulate a machine to inject a lethal dose of drugs. Or exact a ransom from a patient or their family. What’s more, it would be extremely difficult to identify the source of such a horrible attack. Patient-connected and/or implanted devices are rather rudimentary in terms of technology sophistication. They will not contain detailed log files of everyone and everything that has somehow connected to them, and they certainly won’t store enough information about IP addresses to lead investigators from an incident to a likely culprit.

Relatively recent recalls speak to the potentially dangerous risks which inadequately secured devices bring, including those used at home: In September last year, Abbott announced a voluntary recall impacting 465,000 pacemakers due to a possible hacking threat. In October 2016, Johnson & Johnson sent an official notification to 114,000 diabetic patients that a cyber attacker could exploit one of its insulin pumps, the J&J Animas OneTouch Ping, disabling the device or altering the dosage, according to the company.

Network separation and patching

While the scary scenarios call to mind something out of a sci-fi movie, our responses to the threats require a commitment to old-school remedies: network separation and patching.

Through separation, vendors, hospitals, home healthcare providers, etc. work with patients to ensure the devices run within their own network, with their own routers and connective components. They will not, for instance, interact with other wireless networks in the home, such as a virtual personal assistant. The medical device is sealed off by firewalls and segmented setup/implementation so it only maintains connections between the patient and the healthcare provider who is monitoring the device.

Then, vigilant patching of the standalone network assures that the device remains current and well-defended. Because we cannot entrust patients with this role – most would not be capable of the patching, and, besides, a number of regrettable things could happen if they tried – the vendor and healthcare provider must proactively pursue this.

At Merlin International, we stay on top of the latest trends in healthcare technology and cybersecurity to offer the most timely and effective solutions and services to our customers. We understand and appreciate all of the good that medical devices can do – as well as the risks they introduce – and we plan and design our products to directly address this. If you’d like to learn more about what we do, then please contact us.

A Healthy Plan: The Three Critical Components of a Successful Identity and Access Management Strategy

Applying IAM practices to cyber networks and systems

Most homeowners come up with well-established “rules” for their houses: They don’t allow anyone and everyone to come inside. And, for those who are part of the household, there are certain places which are off-limits. A child does not, for example, bring the Nintendo Switch to the study when mom is writing an annual corporate report. The dog can roam freely in the basement and kitchen – but definitely not in the master bedroom.

So if we’ve set up such rules for our homes, why don’t we – as members of the healthcare industry – do the same for our cyber networks and systems? Fortunately, we can. Through practices collectively known as Identity and Access Management (IAM), IT departments centralize, standardize and automate users’ allowable entry to networks, systems, files, data, apps and other resources.

Partial adoption of IAM capabilities

To date, we’re just scratching the surface as to IAM’s potential: The global IAM market is expected to grow from $7.94 billion in 2016 to $20.87 billion by 2022, according to projections from Stratistics MRC. Yet, despite the anticipated adoption, current research findings convey a state of IAM capabilities that’s divided between the “haves” and the “have nots” among healthcare organizations and companies in general:

  • Only one of ten healthcare organizations indicate that they’re leveraging IAM as a highly impactful component of their cybersecurity strategy, according to the “Cybersecurity 2017: Healthcare Provider Security Assessment” report from the College of Healthcare Information Management Executives (CHIME) and KLAS Research. One-quarter have either purchased an IAM solution but have not yet implemented it, or aren’t implementing anything.
  • Nearly three-quarters of healthcare professionals use colleagues’ passwords to access electronic health records (EHRs), according to survey research published by Healthcare Informatics Research, and 57 percent say they’ve done this 4.75 times on average. Literally 100 percent of medical residents admit to the practice, along with 83 percent of interns and 77 percent of students.
  • Nearly three of five senior-level IT security professionals still rely on manual processes – as opposed to automated ones – to control and audit access to critical systems, according to research from SPHERE Technology Solutions. More than three of ten rate their organizations as “low” in terms of overall IAM maturity.
  • Companies considered at the highest level of IAM maturity, however, are seeing significant benefits, according to research from Forrester Consulting. They experience one-half the number of breaches (5.7 on average over a two-year period) than the least mature organizations do (12.5), with 43 percent of high-maturity businesses indicating that they’ve never had a network breach. As a result, the estimated value of their losses due to attacks is much smaller – $4.3 million over the two-year period, as opposed to $9.5 million for the least mature organizations.
  • What’s more, nine of ten of those at the highest level of maturity are deploying integrated IAM platforms, according to the Forrester research. When asked to rank the benefits of IAM, top performers cited improved privileged activity transparency (51 percent), reduced findings from compliance audits (51 percent), greater individual accountability (49 percent) and the elimination of redundant IAM tech (46 percent).

The growing urgency of greater IAM adoption

Healthcare organizations will need to strongly consider more investment in IAM practices and solutions, according to a U.S. Department of Health and Human Services (HHS) Cybersecurity Task Force report published in June. The “Report on Improving Cybersecurity in the Health Care Industry” recommends stronger authentication to “improve identity and access management for (healthcare) workers, patients, and medical devices/EHRs.” Too often, clinicians, support staff, patients and additional users simply enter passwords to call up systems, according to the report, when biometrics, tokens, multifactor authentication, wearable tech and mobile technologies could provide better protection while building a “trust relationship” with patients.

It doesn’t help that developing an effective IAM program is more complicated than ever, especially as healthcare organizations maintain tech apps and functions both on-premise and in the cloud. With all of the options out there, we depend upon myriad platforms, each with its own security procedures. Still, whether your organization runs its tech solutions on-premise, in the cloud or a mix of both, you can implement a strong IAM program which greatly protects your network and systems across the board – as long as you include the following three critical components:

A thorough inventory

Whether you run a small, rural clinic or a multi-location healthcare corporation with 40,000 employees, you must conduct a top-to-bottom inventory of all users and their roles. You then match roles to appropriate access areas – a nurse has to call up patient data, for certain. But sensitive company fiscal files? Not so much. As part of this effort, in addition to documenting what people can call up, you need to determine what they can do with it, i.e., whether their access is “read only” or lets them make changes to a particular file.

Because this amounts to a tall order for large enterprises, you probably want to consider applying risk-based principles to inventory prioritization. In other words, focus on those who deal with the most – and most sensitive – data first. This would include financial executives and data analytics team members, the latter because they pretty much have access to everything.

Enterprise-wide usage identification

This is where you find out what users are actually accessing, as opposed to what they’re supposed to access. As you conducted segregation of duties in step one, you now deploy automated analytics tools to examine activity logs and identify whether employees (not to mention contractors and additional third parties) are entering into areas which do not appear to serve a legitimate, work-intended purpose. The facilities supervisor, for instance, may check room temperature levels for patients. But he has no business pulling files which contain the health insurance information of those patients.

Continuous monitoring

Once you’ve inventoried roles and identified the degree of appropriate and inappropriate activity via automated analytics tools, you cannot “set it and forget it.” You have to constantly monitor what’s going on to ensure individual roles align to allowable actions. The tools must be capable of adjusting to changes in responsibilities – when a surgeon is promoted to chief of staff, her duties will expand and, accordingly, so should her access to various parts of the organization. When the surgeon leaves for another hospital system, however, the cybersecurity team has to eliminate any access to internal assets.

To make such oversight possible, the automated analytics product needs to deliver a “single pane of glass” view of activity. Your cybersecurity team should not have to click from one screen to another to track individual tech systems, file-sharing interactions and email exchanges. With a cohesive and unified monitoring experience, the team will be best positioned to view – and respond to – everything in real-time.
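As an added illustration of the three components above (inventory, usage identification, continuous monitoring), the Python sketch below is example code written for this page; it is not a product or tool from Merlin or any vendor named here. Roles, users, sensitivity weights and access-log lines are all constructed, and the key=value log format is an assumption chosen so the check runs offline.

```python
"""Added illustration of the three IAM components: a role inventory with
risk-based ordering, usage identification over access logs, and lifecycle
(mover/leaver) re-evaluation.  Every role, user, sensitivity weight and
log line below is constructed for this example."""
import re
from typing import Dict, List, Set, Tuple

Entitlements = Dict[str, Set[str]]          # resource -> permitted actions

# Step 1, inventory: what each role may do.  A research nurse can write lab
# orders but not release them; billing writes charges but never takes payment.
ROLE_ENTITLEMENTS: Dict[str, Entitlements] = {
    "physician":      {"patient_chart": {"read", "write"},
                       "lab_orders": {"read", "write", "release"}},
    "research_nurse": {"patient_chart": {"read", "write"},
                       "lab_orders": {"read", "write"}},
    "billing_admin":  {"charges": {"read", "write"}, "patient_chart": {"read"}},
    "facilities":     {"hvac_controls": {"read", "write"}},
    "finance_exec":   {"fiscal_files": {"read", "write"}, "charges": {"read"}},
    "data_analyst":   {"patient_chart": {"read"}, "charges": {"read"},
                       "fiscal_files": {"read"}, "insurance_records": {"read"}},
    "chief_of_staff": {"patient_chart": {"read", "write"},
                       "lab_orders": {"read", "write", "release"},
                       "staffing_reports": {"read", "write"}},
}

# Constructed sensitivity weights for risk-based inventory prioritisation.
SENSITIVITY = {"patient_chart": 5, "insurance_records": 5, "fiscal_files": 6,
               "lab_orders": 3, "charges": 3, "staffing_reports": 2,
               "hvac_controls": 1}

# Constructed user -> role assignments (the identity inventory).
USERS: Dict[str, str] = {
    "dr_lee": "physician", "nurse_kim": "research_nurse", "bill_ng": "billing_admin",
    "f_smith": "facilities", "cfo_diaz": "finance_exec", "an_ali": "data_analyst",
}


def inventory(users: Dict[str, str]) -> Dict[str, Entitlements]:
    """Effective entitlements of every active user, derived from their role."""
    return {user: ROLE_ENTITLEMENTS[role] for user, role in users.items()}


def prioritize(users: Dict[str, str]) -> List[str]:
    """Users ordered by the total sensitivity of what they can reach, highest first."""
    inv = inventory(users)
    return sorted(inv, key=lambda u: -sum(SENSITIVITY.get(r, 0) for r in inv[u]))


# Step 2, usage identification: compare logged activity with role entitlements.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<resource>\S+)$")

# Constructed access-log lines in an assumed key=value format.
LOG_LINES = [
    "2018-04-03T09:12:00Z user=f_smith action=read resource=hvac_controls",
    "2018-04-03T09:14:00Z user=f_smith action=read resource=insurance_records",
    "2018-04-03T09:20:00Z user=nurse_kim action=release resource=lab_orders",
    "2018-04-03T09:25:00Z user=bill_ng action=write resource=charges",
    "2018-04-03T10:00:00Z user=dr_lee action=release resource=lab_orders",
]

Finding = Tuple[str, str, str, str]   # (user, action, resource, reason)


def find_violations(log_lines: List[str], users: Dict[str, str]) -> List[Finding]:
    """Flag accesses outside the user's role, or from an identity that no longer exists."""
    inv = inventory(users)
    findings: List[Finding] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(("?", "?", "?", "unparseable log line"))
            continue
        user, action, resource = m["user"], m["action"], m["resource"]
        if user not in inv:
            findings.append((user, action, resource, "no active identity"))
        elif resource not in inv[user]:
            findings.append((user, action, resource, "resource outside role"))
        elif action not in inv[user][resource]:
            findings.append((user, action, resource, "action not permitted by role"))
    return findings


# Step 3, continuous monitoring: responsibilities change, so the inventory must too.
def apply_lifecycle_event(users: Dict[str, str], event: Tuple[str, ...]) -> Dict[str, str]:
    """New inventory after a ('promote', user, new_role) or ('leave', user) event."""
    updated = dict(users)
    if event[0] == "promote":
        updated[event[1]] = event[2]
    elif event[0] == "leave":
        updated.pop(event[1], None)
    else:
        raise ValueError(f"unknown lifecycle event: {event[0]}")
    return updated


if __name__ == "__main__":
    print("review first:", prioritize(USERS)[:3])
    for finding in find_violations(LOG_LINES, USERS):
        print("violation:", finding)
    after = apply_lifecycle_event(USERS, ("promote", "dr_lee", "chief_of_staff"))
    after = apply_lifecycle_event(after, ("leave", "dr_lee"))
    later = ["2018-06-01T08:00:00Z user=dr_lee action=read resource=patient_chart"]
    print("after departure:", find_violations(later, after))
```

Run stand-alone, the script lists the data analyst and finance executive first in the review order, flags the facilities supervisor reading insurance records and the nurse releasing a lab order, and, once the departed physician's identity is removed, reports any later use of that account as having no active identity. A real deployment would pull the role table from the IGA system and the log lines from a SIEM rather than from constants.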

At our homes, we don’t “set rules” to dictate a “Department of No” environment. Instead, we seek to establish a sense of order, so that a closed door at the very least tells a child to “Knock Before Entering.”

Similarly, IAM enables healthcare organizations to incorporate the same manner of guidelines and enforcement, so a lab worker is granted authority to review medical records, as opposed to such authority being assumed and allowed with little to no restrictions. Through effective inventory, identification and monitoring, an IAM program doesn’t inhibit business at hand. It supports it – building widespread confidence among managers, employees and patients that everyone is accessing what they’re supposed to, and nothing more.

Reflections on HIMSS Discussions

Meeting HCO security needs on a budget

In the month since this year’s HIMSS conference no less than three data breaches involving the exposure of patient information have made the news. Though the methods by which the hackers gained access to this critical data varied – in one instance a malware attack, while data storage error and employee email were allegedly implicated in the others – the fact remains that healthcare organizations (HCOs) are facing an increasingly uphill battle in securing the right technology and talent to avoid becoming tomorrow’s next headline.

While each HCO has a unique set of considerations and priorities, when it comes to data security nearly all are facing some version of the same challenge: finding the talent and technologies to meet both needs and budgets. Smaller organizations whose resources are often more limited seem to be struggling in particular. At HIMSS, a security analyst from a more modestly sized hospital shared with me that though he would like help there wasn’t the money to make hires, and even if the budget did exist he’d face the further difficulty of finding the right talent to fill positions.

The biggest challenge: staffing

In multiple conversations with HIMSS attendees, insufficient staffing was consistently noted as the biggest challenge to improving cybersecurity posture. This mirrors results detailed in our study ‘The State of Cybersecurity in Healthcare Organizations in 2018’, conducted in partnership with the Ponemon Institute and released immediately following the conference. According to 74 percent of respondents, the lack of in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks. As a result, organizations are looking to augment the staff they do have with technological solutions.

Among solutions gaining prominence with HCOs looking to improve security without breaking the bank are identity and access management tools. Affordable and unobtrusive, multi-factor authentication is proving popular for preventing password fraud, specifically among remote and privileged access users. Organizations have also had success implementing security information and event management (SIEM) solutions that aggregate data produced across networks, servers, databases, applications and devices. But monitoring and managing SIEM data can be complex and time consuming, often requiring one or more dedicated staff depending on an HCO’s size. And finding the necessary expertise to quickly identify weaknesses and threats to IT infrastructure could prove problematic, with nearly 80 percent of Merlin study participants finding it difficult to recruit IT security personnel.

The affordable technological solution

According to the HIMSS participants with whom I spoke, the perfect technological solution would provide a 360-degree view of their cybersecurity with analytics and AI layered on top, something we at Merlin are working to deliver. In the meantime, our research shows there are plenty of lessons to be learned from high-performing healthcare organizations in significantly reducing cyber attacks. High-performing organizations are more likely to have an incident response plan and a strategy for the security of medical devices (a looming and largely unaddressed threat, according to HIMSS presenters). These organizations are also proactively investing in employee awareness about cybersecurity risks – conducting audits and assessments, providing regular training and incentives, and conducting phishing tests, for example – and ensuring third parties safeguard patient information. Implementing any one of these practices would improve cybersecurity posture critical to patient safety.

You don’t need to be a healthcare information and technology professional to recognize that HCOs are facing constant, increasingly destructive and costly cyber attacks. Doctors will tell you that even small changes can deliver positive results to overall health. That advice could just as easily apply to cybersecurity. Only through the incremental implementation of both new technology and best practices can we protect patient data and access to essential care, and improve our overall IT health.

What Healthcare Organizations Need to Know about Blockchain

Blockchain: the next, great frontier?

Is blockchain the next, great frontier for healthcare? Or has the hype far surpassed reality – that it’s a pipe dream that could never conceivably work in such a complex and heavily regulated industry?

I believe the correct answer lies somewhere in between: Blockchain brings the promise of improved, more efficient information management, with possibly even better security. But, like any other technology that is new, complicated and disruptive, we should “walk before we run” by trying it out on a smaller scale to get a sense of “success stories” and “lessons learned” before expanding its reach.

At the very least, it’s encouraging to see that industry leaders are taking a close look at blockchains as a remedy for current information-management woes. The general public commonly associates the technology, understandably, with bitcoin and other cryptocurrencies. However, the actual innovation behind blockchains can apply to a far broader range of industries, including healthcare.

Traditionally, “owners” of particular patient information and other records store, keep and hopefully secure the data. If a vacationer has an accident at the beach, for instance, a physician from an oceanside clinic may need a prescription history of the vacationer from the family doctor from home, since the family doctor “owns” the information. The clinic has to request the history from the family doctor’s office – and if the accident occurs on a weekend, the information won’t be available until the following Monday.

Blockchains can help the industry “cut to the chase” by storing a vast array of data on linked, encrypted blocks which aren’t “owned” by any particular institution or person – circumventing cumbersome and complex procedures required to deal with a deluge of data that grows by the minute. The blocks are replicated throughout a network which is always kept in sync with consistent, updated information, producing a much-sought “single source of truth.”

Regardless of which healthcare organization employs them, users gain access to the blocks through authorization processes based upon the relevancy of the data to their job roles. From the patient care perspective, blockchain records could eventually include details about prior operations/illnesses, medications prescribed, blood work results, etc. From the healthcare provider administration and research side, they could cover clinical trials, insurance policies, billing accounts, etc. Note the use of the word “eventually” here, because we do not feel that such use cases are entirely possible right now – at least not without creating serious issues.

Despite the potential for obstacles, the industry appears poised to buy in in a big way: The global blockchain in healthcare market will grow to $5.61 billion by the end of 2025, up from its current value of $176.8 million, according to a forecast from BIS Research. By sometime this year, no less than 86 percent of surveyed healthcare executives anticipate that their organization will finance blockchain applications in at least nine categories, with medical/health records (94 percent), billing and claims management (also 94 percent), medical device data integration (92 percent), asset management (91 percent) and contract management (90 percent) accounting for the top five categories for planned adoption, according to research from IBM.

When asked about the problems that blockchains could solve, healthcare providers cited inaccessible information (61 percent), information risks (60 percent), transaction costs (58 percent) and inaccessible marketplaces (58 percent), according to the IBM research.

But, to reach this point, we’d have to address the aforementioned obstacles, as posed by the following challenges:

Patient Identification

There is no unified, consolidated system for identifying every patient who would be connected to a blockchain. If a doctor and his team members in Detroit have to call up the medical history of a local patient named “Henry Brown,” how do they know they’re accessing information about the right Henry Brown? There are likely many people in the city with the same name. For blockchains to work as an all-encompassing, real-time repository of health records, we would need to develop – through the government and/or an industry effort – a reliable, comprehensive national patient identification database linked to all electronic medical records (EMR) systems to ensure that the right people are accessing the right information.

Data Volume

Blockchains are not currently designed to store very large files (radiology images, genetic testing results, colonoscopy videos, etc.). For now, this limitation will lead to the storage of large data “off chain,” with the blockchain itself strictly containing pointers to all the data.

Patient Privacy

Blockchains are inherently transparent – they reveal every transaction in the chain. This presents privacy issues, especially for patients. Blockchains for cryptocurrencies, of course, have gotten hacked, so the same likelihood exists for blockchains supporting medical purposes. One solution: Designating patients as the “owner” of their blockchains, just as cryptocurrency investors “own” their own e-wallets. If the patient owns a blockchain, the patient can decide who is allowed to view it on a case-by-case basis. Conceivably, the patient would also have to approve of the cybersecurity measures taken to protect the blockchain, or at least agree to absolve outside parties of any responsibility for a hack.

Authorized Access

Who should access blockchain, and how much should they see? How do you enforce authorized access? This necessitates an understanding of contractual obligations between parties to take part in serial immutable transactions. Since these peers are frequently geographically distributed, a central entity would have to ensure that the contracts are adopted, executed, cataloged and auditable. They should adhere to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for storing the protected health information (PHI) of Americans, and the EU’s General Data Protection Regulation (GDPR). Because the communications need to be secured, highly effective encryption must not only secure the data in the blocks, but protect communication among the many peers. Existing systems will have to rethink how information is presented and consumed, since many were written in early days without interoperability in mind.

Information Validation

Medical records are incredibly intricate. They involve a myriad of dense data related to symptoms, treatments, tests, etc. How do users know that a diagnosis on the blockchain is the most recent and “true” one? Again, the clear establishment of the most recent and relevant data would require the government and/or industry standardization of the deployment of date/time stamps, statuses, and additional information-validation tools.
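To make the mechanics behind the “linked” blocks described earlier, the “off chain” pointers under Data Volume and the time-stamp validation just discussed concrete, here is an added Python example written for this page; it is not the design of any blockchain product or of the research cited. The ledger, the off-chain store, the storage URIs and the patient reference `pt-7f3a` are constructed, and the chain runs in a single process rather than being replicated across a peer network.

```python
"""Added illustration of a hash-linked ledger whose blocks hold only pointers
(content hashes plus storage locations) to large off-chain records, with
timestamp-based selection of the current record.  Not a real blockchain
network; every record, location and patient reference is constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: float        # seconds since epoch; the newest record is "current"
    prev_hash: str          # hash of the preceding block: this is the link
    record_type: str        # e.g. "radiology_image", "diagnosis"
    content_hash: str       # sha256 of the off-chain bytes, so they can be checked
    location: str           # where the bytes live (constructed URI)
    patient_ref: str        # opaque identifier, never a name
    hash: str = ""

    def compute_hash(self) -> str:
        """Hash every field except the stored hash, in a canonical encoding."""
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class Ledger:
    def __init__(self) -> None:
        genesis = Block(0, 0.0, "0" * 64, "genesis", "", "", "")
        genesis.hash = genesis.compute_hash()
        self.blocks: List[Block] = [genesis]

    def add_record(self, record_type: str, off_chain_bytes: bytes, location: str,
                   patient_ref: str, timestamp: float) -> Block:
        """Append a pointer block; the large payload itself never enters the chain."""
        prev = self.blocks[-1]
        block = Block(prev.index + 1, timestamp, prev.hash, record_type,
                      sha256_hex(off_chain_bytes), location, patient_ref)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify_chain(self) -> bool:
        """Every block must hash to its stored hash and point at its predecessor."""
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False
            if i > 0 and block.prev_hash != self.blocks[i - 1].hash:
                return False
        return True

    def verify_off_chain(self, index: int, off_chain_bytes: bytes) -> bool:
        """Check that bytes fetched from off-chain storage match the on-chain pointer."""
        return self.blocks[index].content_hash == sha256_hex(off_chain_bytes)

    def latest_for(self, patient_ref: str, record_type: str) -> Optional[Block]:
        """Information validation: the record with the newest timestamp is current."""
        matches = [b for b in self.blocks
                   if b.patient_ref == patient_ref and b.record_type == record_type]
        return max(matches, key=lambda b: b.timestamp) if matches else None


def build_demo() -> Tuple[Ledger, Dict[str, bytes]]:
    """Constructed off-chain store and a ledger holding one image and two diagnoses."""
    store: Dict[str, bytes] = {
        "store://imaging/ct-0001.dcm": b"\x00" * 4096 + b"CONSTRUCTED CT IMAGE BYTES",
        "store://notes/dx-0001.json": b'{"diagnosis": "fractured radius"}',
        "store://notes/dx-0002.json": b'{"diagnosis": "fractured radius, healed"}',
    }
    ledger = Ledger()
    ledger.add_record("radiology_image", store["store://imaging/ct-0001.dcm"],
                      "store://imaging/ct-0001.dcm", "pt-7f3a", 1_527_000_000.0)
    ledger.add_record("diagnosis", store["store://notes/dx-0001.json"],
                      "store://notes/dx-0001.json", "pt-7f3a", 1_527_000_100.0)
    ledger.add_record("diagnosis", store["store://notes/dx-0002.json"],
                      "store://notes/dx-0002.json", "pt-7f3a", 1_530_000_000.0)
    return ledger, store


if __name__ == "__main__":
    ledger, store = build_demo()
    print("chain intact:", ledger.verify_chain())
    image_block = ledger.blocks[1]
    print("image matches pointer:", ledger.verify_off_chain(1, store[image_block.location]))
    print("current diagnosis:", ledger.latest_for("pt-7f3a", "diagnosis").location)
    ledger.blocks[2].patient_ref = "pt-0000"        # tamper with history
    print("chain intact after tamper:", ledger.verify_chain())
```

The chain carries a few hundred bytes per record no matter how large the image in off-chain storage is, and anyone holding the chain can detect both a swapped file (the content hash no longer matches) and an edited block (its hash and every later `prev_hash` break). What it does not do is hide the pointer metadata: the patient reference, record type and timestamp are visible to every holder of the chain, which is the transparency problem the Patient Privacy section raises.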

“Walk before we run”

Given the challenges, it’s inadvisable for the industry to dive “head first” into blockchain adoption. By definition, a disruptive technology, well, disrupts – often with both good and bad outcomes. If we focus on smaller and simpler business use cases – perhaps the tracking of joint implants or opioids, to cite two examples – we can improve the chances for positive experiences by standardizing practices as related to user authorization, privacy, information validation and security. With that, we can then decide how to expand (or not expand) our deployment. As a result, we’ll view blockchain not as some kind of new and mysterious and possibly risky disruptor, but as a better way to do what we do now.