Most homeowners come up with well-established “rules” for their houses: They don’t allow anyone and everyone to come inside. And, for those who are part of the household, there are certain places which are off-limits. A child does not, for example, bring the Nintendo Switch to the study when mom is writing an annual corporate report. The dog can roam freely in the basement and kitchen – but definitely not in the master bedroom.
So if we’ve set up such rules for our homes, why don’t we – as members of the healthcare industry – do the same for our cyber networks and systems? Fortunately, we can. Through practices collectively known as Identity and Access Management (IAM), IT departments centralize, standardize and automate users’ allowable entry to networks, systems, files, data, apps and other resources.
To date, we’re just scratching the surface as to IAM’s potential: The global IAM market is expected to grow from $7.94 billion in 2016 to $20.87 billion by 2022, according to projections from Stratistics MRC. Yet, despite the anticipated adoption, current research findings convey a state of IAM capabilities that’s divided between the “haves” and the “have nots” among healthcare organizations and companies in general:
Healthcare organizations will need to strongly consider more investment in IAM practices and solutions, according to a U.S. Department of Health and Human Services (HHS) Cybersecurity Task Force report published in June. The “Report on Improving Cybersecurity in the Health Care Industry” recommends stronger authentication to “improve identity and access management for (healthcare) workers, patients, and medical devices/EHRs.” Too often, clinicians, support staff, patients and additional users simply enter passwords to call up systems, according to the report, when biometrics, tokens, multifactor authentication, wearable tech and mobile technologies could provide better protection while building a “trust relationship” with patients.
It doesn’t help that developing an effective IAM program is more complicated than ever, especially as healthcare organizations maintain tech apps and functions both on-premises and in the cloud. With all of the options out there, we depend on a myriad of platforms, each with its own security procedures. Still, whether your organization runs its tech solutions on-premises, in the cloud or a mix of both, you can implement a strong IAM program which greatly protects your network and systems across the board – as long as you include the following three critical components:
Whether you run a small, rural clinic or a multi-location healthcare corporation with 40,000 employees, you must conduct a top-to-bottom inventory of all users and their roles. You then match roles to appropriate access areas – a nurse has to call up patient data, for certain. But sensitive company fiscal files? Not so much. As part of this effort, in addition to documenting what people can call up, you need to determine what they can do with it, i.e., “read only” or make changes to a particular file.
Because this amounts to a tall order for large enterprises, you probably want to consider applying risk-based principles to inventory prioritization. In other words, focus on those who deal with the most – and most sensitive – data first. This would include financial executives and data analytics team members, the latter because they pretty much have access to everything.
This is where you find out what users are actually accessing, as opposed to what they’re supposed to access. Having segregated duties in step one, you now deploy automated analytics tools to examine activity logs and identify whether employees (not to mention contractors and additional third parties) are entering areas which do not appear to serve a legitimate, work-intended purpose. The facilities supervisor, for instance, may check room temperature levels for patients. But he has no business pulling files which contain the health insurance information of those patients.
Once you’ve inventoried roles and identified the degree of appropriate and inappropriate activity via automated analytics tools, you cannot “set it and forget it.” You have to constantly monitor what’s going on to ensure individual roles align to allowable actions. The tools must be capable of adjusting to changes in responsibilities – when a surgeon is promoted to chief of staff, her duties will expand and, accordingly, so should her access to various parts of the organization. When the surgeon leaves for another hospital system, however, the cybersecurity team has to eliminate any access to internal assets.
To make such oversight possible, the automated analytics product needs to deliver a “single pane of glass” view of activity. Your cybersecurity team should not have to click from one screen to another to track individual tech systems, file-sharing interactions and email exchanges. With a cohesive and unified monitoring experience, the team will be best positioned to view – and respond to – everything in real-time.
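The three components above (inventory roles and allowed actions, compare actual activity against them, then keep the assignments current as people are promoted or leave) can be sketched end to end in a few dozen lines. The following is an added illustration, not code from the article or from any IAM product; the roles, resources, user names and the `user=... action=... resource=...` log format are all constructed for the example, and a real deployment would pull the role inventory and activity logs from the organization’s directory and SIEM rather than hard-coding them.

```python
"""Minimal IAM model: role inventory, activity review, and joiner/mover/leaver handling.

Added illustration, not from the article. Roles, resources, users and log lines
are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Component 1: the inventory. Each role maps to the resources it may touch and
# the actions it may perform there ("read" only vs. "read" and "write").
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "nurse": {"patient_record": {"read", "write"}, "room_telemetry": {"read"}},
    "surgeon": {"patient_record": {"read", "write"}, "or_schedule": {"read"}},
    "chief_of_staff": {
        "patient_record": {"read", "write"},
        "or_schedule": {"read", "write"},
        "staffing_report": {"read", "write"},
    },
    "facilities_supervisor": {"room_telemetry": {"read", "write"}},
    "finance_exec": {"fiscal_report": {"read", "write"}},
}


@dataclass
class Directory:
    """User-to-role assignments: the single place where access is granted or revoked."""
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def deprovision(self, user: str) -> None:
        # Leaver: drop the identity entirely instead of trimming roles one at a time.
        self.user_roles.pop(user, None)

    def allowed(self, user: str, resource: str, action: str) -> bool:
        return any(action in ROLE_PERMISSIONS[r].get(resource, set())
                   for r in self.user_roles.get(user, set()))


# Constructed log format: "<timestamp> user=<id> action=<read|write> resource=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<resource>\S+)$")


def parse_log_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["user"], m["action"], m["resource"]


def review_activity(directory: Directory, log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Components 2 and 3: compare what users actually did with what their roles allow.

    Returns (user, resource, reason) for every event that needs a reviewer's attention.
    """
    findings: List[Tuple[str, str, str]] = []
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            findings.append(("?", line.strip(), "unparseable log line"))
            continue
        _, user, action, resource = parsed
        if user not in directory.user_roles:
            # Activity from an identity that was never provisioned or has been removed.
            findings.append((user, resource, "no active identity"))
        elif not directory.allowed(user, resource, action):
            findings.append((user, resource, f"{action} not permitted by assigned roles"))
    return findings


def demo() -> List[Tuple[str, str, str]]:
    """Walk through inventory, a promotion, a leaver, and a review of constructed logs."""
    d = Directory()
    d.assign("nurse_lee", "nurse")
    d.assign("fac_jones", "facilities_supervisor")
    d.assign("dr_patel", "surgeon")
    d.assign("dr_patel", "chief_of_staff")   # mover: promoted, access expands
    d.revoke("dr_patel", "surgeon")
    d.assign("dr_kim", "surgeon")
    d.deprovision("dr_kim")                  # leaver: all access removed
    logs = [  # constructed activity log
        "2024-03-01T08:00:00Z user=nurse_lee action=read resource=patient_record",
        "2024-03-01T08:05:00Z user=fac_jones action=read resource=room_telemetry",
        "2024-03-01T08:07:00Z user=fac_jones action=read resource=patient_record",
        "2024-03-01T08:10:00Z user=nurse_lee action=write resource=room_telemetry",
        "2024-03-01T09:00:00Z user=dr_patel action=write resource=staffing_report",
        "2024-03-01T09:30:00Z user=dr_kim action=read resource=patient_record",
        "malformed entry",
    ]
    return review_activity(d, logs)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running `demo()` flags four of the seven events: the facilities supervisor reading a patient record, the nurse writing to a read-only resource, the departed surgeon still showing up in the logs, and one line the parser could not read (unparseable lines are surfaced rather than silently skipped, since a gap in the log is itself something the team should see). The promoted physician’s write to the staffing report is not flagged, because her role change was reflected in the directory before the review ran.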
At our homes, we don’t “set rules” to dictate a “Department of No” environment. Instead, we seek to establish a sense of order, so that a closed door at the very least tells a child to “Knock Before Entering.”
Similarly, IAM enables healthcare organizations to incorporate the same manner of guidelines and enforcement, so a lab worker is granted authority to review medical records, as opposed to such authority being assumed and allowed with little to no restrictions. Through effective inventory, identification and monitoring, an IAM program doesn’t inhibit business at hand. It supports it – building widespread confidence among managers, employees and patients that everyone is accessing what they’re supposed to, and nothing more.