A seamless IAM solution for healthcare organizations offers potential for productivity, security gains.
Ten years ago, most health system information technology leaders did not have Identity and Access Management (IAM) at the top of their priority lists. Provisioning and deprovisioning new clinicians so they could begin seeing patients was primarily a manual operation, done by IT staff. But today most Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) recognize they need a detailed and sophisticated IAM strategy. So, what changed?
First of all, the federal HITECH Act of 2009 provided subsidies for more providers to implement electronic health records (EHRs), so the number of hospitals and physician offices with EHRs skyrocketed. Clinicians began using many other digital systems connected to the EHR. These investments in health IT meant clinicians were faced with multiple logins, which, over time, can contribute to physician burnout. Easing that process with single-sign-on capabilities helped spur the growth of IAM solutions. In addition, the Meaningful Use reporting requirements tied to those EHR subsidies, as well as HIPAA security requirements, meant that IT teams had to start thinking about their ability to verify and track who had access to which applications and data, which led them to consider multi-factor authentication.
CIOs and CISOs realized they had to be prepared for audits to ascertain that employees who had access to protected health information (PHI) had the proper permissions. But did they even know who had access to PHI or a way to determine if they should have access?
Many health systems had avoided doing the necessary identity governance work because it can be difficult and time-consuming. It requires IT to build a relationship with colleagues in human resources to determine employee roles from job descriptions and assign software application access permissions to those roles. Unfortunately, a health system could have twelve thousand positions and five thousand job descriptions. Narrowing those down and defining roles requires observation and analysis. For instance, it might require studying the applications that a few pediatric nurses have access to, creating a definition of the software required for that role and allowing all other pediatric nurses to have access to those applications.
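The role-definition step described above can be made repeatable: take the application entitlements a handful of trusted peers in the same job description already hold, derive the role's baseline from the apps most of them share, then audit everyone else in that role for excess or missing access. The following Python is an added example, not code from the article or any vendor; the users, application names and the 75 percent threshold are constructed assumptions.

```python
"""Added example: derive a role's application baseline from observed peer
entitlements, then audit the rest of the role against it. All data here is
constructed for illustration; users and application names are hypothetical."""
from collections import Counter

# Constructed sample: entitlements observed for staff who all carry the job
# description "pediatric nurse". nurse_c holds an extra app; nurse_d lacks one.
OBSERVED = {
    "nurse_a": {"ehr", "med_dispensing", "secure_messaging", "timeclock"},
    "nurse_b": {"ehr", "med_dispensing", "secure_messaging", "timeclock"},
    "nurse_c": {"ehr", "med_dispensing", "secure_messaging", "timeclock", "pacs"},
    "nurse_d": {"ehr", "med_dispensing", "timeclock"},
}


def derive_role(entitlements, sample_users, threshold=0.75):
    """Define the role baseline as the apps held by at least `threshold` of the
    sample users. Apps below that fraction are exceptions to review by hand
    rather than grant to the whole role."""
    counts = Counter()
    for user in sample_users:
        counts.update(entitlements[user])
    n = len(sample_users)
    baseline = {app for app, c in counts.items() if c / n >= threshold}
    exceptions = {app for app in counts if app not in baseline}
    return baseline, exceptions


def audit_against_role(entitlements, baseline):
    """For every user, list apps held beyond the role (excess: a least-privilege
    finding) and apps the role requires that the user lacks (missing)."""
    findings = {}
    for user, apps in entitlements.items():
        findings[user] = {
            "excess": sorted(apps - baseline),
            "missing": sorted(baseline - apps),
        }
    return findings


if __name__ == "__main__":
    base, exc = derive_role(OBSERVED, ["nurse_a", "nurse_b", "nurse_c"])
    print("role baseline:", sorted(base), "| exceptions to review:", sorted(exc))
    for user, f in audit_against_role(OBSERVED, base).items():
        print(user, f)
```

The threshold keeps a single outlier (here the one nurse with PACS access) from becoming part of the role; it surfaces as an exception that an application owner must justify, which is the observation-and-analysis step the paragraph describes.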
Cybersecurity threats on the rise
In addition to ever-changing federal regulatory requirements about auditing access to sensitive health information, the rise of cybersecurity concerns, including ransomware, insider threats and vulnerabilities related to connected medical devices, has put pressure on IT and security executives to up their game.
In 2017 the U.S. Department of Health & Human Services convened a healthcare industry cybersecurity task force, which issued a report making several recommendations, including requiring “strong authentication to improve identity and access management for healthcare workers, patients and medical devices/EHRs.”
Stating that the delivery of healthcare is founded on the establishment of a trust relationship between and among providers and patients, the task force noted that the foundation of this trust is the belief and confidence in the identities of the individuals involved (providers and patients). “Through strong identity and access management practices, this trust relationship should be extended to the medical devices that are used to provide patient care,” their report said.
The HHS task force described how clinicians in a hospital setting are required to access multiple computers throughout the facility repeatedly (up to 70 times per shift) as they deliver care to patients. “In order to authenticate their identity so that they can perform common tasks (e.g., access a patient’s medical record, order diagnostic tests, prescribe medication, etc.), a clinician typically enters his or her user name and a unique password. This widely used, single-factor approach to accessing information is particularly prone to cyber-attack as such passwords can be weak, stolen, and vulnerable to external phishing attacks, malware, and social engineering threats.”
Addressing ‘Shadow IT’
One nagging problem that faces security officials who need to know the identities and roles of all the people connected to the health system network has been labeled “shadow IT.” This is when departments or individuals set up their own servers or deploy applications or cloud services without the direct oversight of the central IT organization.
For instance, a cardiovascular institute or radiology group could have its own servers and applications that are not tied into a hospital’s Active Directory system. When someone who works in that group leaves the organization, central IT might have a good process for de-provisioning them out of Active Directory. But the “shadow IT” server in radiology may not “know” that a person has left the institution. Although the person no longer has Active Directory credentials, they might have credentials on a PACS (picture archiving and communications system). If they can still get access to the PACS system, they could use that to gain access to other parts of the system. Central IT might not have assurance that people who were provisioned have been properly de-provisioned from all the applications to which they had access. The perimeter back door is open for cyber-intruders.
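The assurance gap described above, a departmental system whose local accounts are never told that the directory has disabled a person, can be closed with a periodic reconciliation: export the local account table and compare it with the directory's view of each identity. The Python below is an added example, not code from the article or from any PACS or directory vendor; the directory records, PACS account export and one-day grace period are constructed assumptions.

```python
"""Added example: reconcile a shadow system's local accounts against the
central directory to find accounts that should have been deprovisioned.
All records below are constructed; no real system exports this exact shape."""
from datetime import date, timedelta

# Constructed sample: the directory's view of staff (enabled flag plus
# termination date) and a local account export from a departmental system
# such as a PACS that is not joined to the directory.
DIRECTORY = {
    "jdoe":   {"enabled": True,  "terminated": None},
    "asmith": {"enabled": False, "terminated": date(2019, 3, 1)},
    "bwong":  {"enabled": False, "terminated": date(2019, 3, 20)},
}
PACS_ACCOUNTS = [
    {"username": "jdoe",         "enabled": True,  "last_login": date(2019, 3, 25)},
    {"username": "asmith",       "enabled": True,  "last_login": date(2019, 3, 24)},
    {"username": "bwong",        "enabled": False, "last_login": date(2019, 2, 1)},
    {"username": "svc_modality", "enabled": True,  "last_login": date(2019, 3, 26)},
]


def reconcile(directory, local_accounts, grace_days=1):
    """Return (username, finding) pairs for local accounts that need attention:
    - orphan_enabled: still enabled locally but disabled in the directory
    - used_after_termination: a local login later than the directory's
      termination date plus the grace period
    - unknown_to_directory: a local account with no directory identity at all,
      i.e. an account central IT cannot deprovision because it never saw it
    """
    findings = []
    for acct in local_accounts:
        name = acct["username"]
        ident = directory.get(name)
        if ident is None:
            findings.append((name, "unknown_to_directory"))
            continue
        if ident["enabled"]:
            continue  # active in the directory: nothing to reconcile
        if acct["enabled"]:
            findings.append((name, "orphan_enabled"))
        term = ident["terminated"]
        last = acct["last_login"]
        if term and last and last > term + timedelta(days=grace_days):
            findings.append((name, "used_after_termination"))
    return findings


if __name__ == "__main__":
    for username, finding in reconcile(DIRECTORY, PACS_ACCOUNTS):
        print(f"{username}: {finding}")
```

The third category matters as much as the first two: service and locally created accounts that the directory never knew about are exactly what a central deprovisioning process cannot reach, so the report should be routed to the application owner for review rather than only to the identity team.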
In March 2019 networking vendor Cisco published the results of its CISO Benchmark Study of more than 3,200 IT security leaders from 18 countries. The report noted that health systems must look at what’s happening inside as much as outside their organization, and be aware that some criminals can log in rather than break in. “This drives the need for better multi-factor authentication,” the study noted. “Nowhere is the need more apparent for balancing the need for Health IT security (letting the right people in) with supporting seamless business (not hindering the people you do let in with a clunky user authentication experience).”
In Cisco’s survey, only 54 percent of respondents said that, in their organization, “access rights to networks, systems, applications, functions and data are appropriately controlled.” And only 53 percent said, “We do an excellent job of managing human resources security through employee onboarding, and good processes for handling employee transfers and departures.”
Traditionally, most hospitals and integrated delivery networks have underinvested in IT security, so there is still a lot of room for improvement. A 2017 KLAS/CHIME benchmarking report surveyed close to 200 healthcare IT security leaders. Only 16 percent reported feeling that they have a fully functional security program. More than half of the organizations that are still developing their security program are spending less than 3 percent of their total IT budget on security. Also, 32 percent of respondents said that they have not implemented an IAM solution yet or are using a homegrown solution.
The KLAS/CHIME report also noted an evolution in titles and responsibilities for cybersecurity. Forty percent of organizations have a vice president or C-level in charge of their program. About half of these are CISOs; the other half are CIOs/CTOs. Their executive brief notes that “compared to those in an IT role, respondents with a security background more often report having a vice president or director (often a CISO or security director) in charge of their security program. They are also significantly more likely to have a cybersecurity framework in place and a deeper breach-readiness level.”