H-ISAC Shares Identity Management Framework for Healthcare CISOs

Centered around governance, a new H-ISAC framework shows CISOs effective ways to implement identity and access management processes into overall enterprise security programs.

The Health Information Sharing and Analysis Center recently released an identity management framework for the healthcare sector, designed to help chief information security officers better manage identity and access controls and bolster enterprise cybersecurity.

H-ISAC previously released its initial white paper in October 2019, detailing the need for an identity-centric cybersecurity approach in healthcare. The most recent framework aims to enable CISOs to put the approach into action.

The latest insights provide CISOs with methods to architect, build, and implement an identity system able to defend against modern cyberattacks and support key business drivers. H-ISAC designed the guide to be agnostic to organization size, structure, and other particulars.

As a result, it’s not meant to prescribe specific solutions or tools for each organization. The CISO will need to first assess the organization’s resources and risks to determine the best way to apply the framework.

“Authentication, provisioning, authorization, and access control – these are all important technologies on their own,” researchers wrote. “When treated as point solutions and deployed in isolation, they fail to deliver a holistic approach to identity that can protect against identity-centric attacks.”

“Identity is not just about internal workforce; it’s about an organization’s entire ecosystem including customers and external partners,” they continued. “Identity should be owned and operated by an organizational function motivated by risk (e.g., the CISO), not one motivated by service levels and speed (e.g., the Service Desk or HR).”

To H-ISAC, integrating identity management into a holistic framework can empower the enterprise to better control the identity lifecycle of its employees, clinicians, patients, and business partners to defend against common cyberattacks, reduce risk, and increase operational efficiencies.

Credential compromise was the leading goal of phishing attacks in 2018, according to Proofpoint, and throughout the COVID-19 pandemic hackers have continued to target user credentials to gain footholds into healthcare networks. Bolstering identity management programs can give CISOs better control over the vast number of enterprise endpoints and over the enterprise's user ecosystem.

While most healthcare organizations use some form of identity and access management (IAM) tooling, those tools are not effective as isolated point solutions. Researchers explained that these components instead need to be applied within a broader, holistic framework.

Healthcare organizations can leverage the framework to explore the varying components needed to implement this identity-centric approach to cybersecurity, as well as how these functions integrate with the overall security program of the enterprise.

Overall, the guide is meant to demonstrate ways healthcare organizations can enable users to securely and easily access resources, along with ways for the enterprise to protect against cyberattacks.

“We strongly recommend that IAM services, including the provisioning and deprovisioning of access, be performed within the security function, separate from shared IT services such as the help desk or infrastructure operations,” researchers explained.

“This ensures that access and authorization maintain a healthy tension with availability, and that one of the integral elements of protecting critical data and resources is not unwittingly sacrificed for temporary and potentially less valuable interests,” they added.

The framework centers around governance and administration, covering directories, authentication and access, privileged access management (PAM), and other tools. CISOs will find ways to effectively implement those tools as part of a broader IAM system.

Organizations will also find insights on building identity directories, which H-ISAC said is the heart of any IAM system. Directories provide details on each user identity, from roles and accounts, to privileges and attributes. These must be closely integrated into other enterprise elements on both technical and governance levels.

CISOs can also leverage the framework to better understand needed authorization elements, as well as authentication and access tools.

The guide also contains real-life use cases for the framework, which shed light on how different IAM components should be integrated and interrelated with the overall security of the enterprise. These cases include new employee onboarding, changes to an employee's role, third-party vendor credentialing, and new patient credentialing.
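The directory and lifecycle ideas above (roles and attributes held in a directory, provisioning owned by the security function, and the onboarding, role-change, vendor and patient use cases) can be illustrated with a small model. The following is an added example written for this page, not code from H-ISAC or its guide; the role catalogue, user identifiers and the "sec-ops" approver are constructed assumptions. It shows the point a practitioner cares about most in the "mover" case: a role change must recompute entitlements from the new role rather than accumulate them, and ad hoc grants that no current role explains must surface in an access review.

```python
"""Illustrative joiner/mover/leaver model for an identity directory.

Added example for this article, not H-ISAC's code. Role names,
entitlement strings and user identifiers are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

# Constructed role-to-entitlement catalogue (assumption, not from the guide).
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "nurse": {"ehr:read", "ehr:write-notes"},
    "billing": {"billing:read", "billing:write"},
    "vendor-support": {"ticketing:read"},
    "patient": {"portal:read-own-record"},
}


class Status(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"


@dataclass
class Identity:
    user_id: str
    kind: str                      # "workforce", "vendor" or "patient"
    roles: set[str] = field(default_factory=set)
    entitlements: set[str] = field(default_factory=set)
    status: Status = Status.ACTIVE


class IdentityDirectory:
    """Directory that owns the lifecycle of every identity it holds."""

    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}
        self.audit: list[tuple[str, str, str]] = []   # (event, subject, actor)

    def _check_actor(self, user_id: str, actor: str) -> None:
        # Lifecycle changes are approved by someone other than the subject,
        # modelling the guide's point that the security function owns IAM.
        if actor == user_id:
            raise PermissionError("subject may not approve their own access")

    def _active(self, user_id: str) -> Identity:
        ident = self.identities[user_id]
        if ident.status is not Status.ACTIVE:
            raise ValueError(f"{user_id} is not active")
        return ident

    def onboard(self, user_id: str, kind: str, role: str, actor: str) -> Identity:
        """Joiner: create the identity with exactly its role's entitlements."""
        self._check_actor(user_id, actor)
        if user_id in self.identities:
            raise ValueError(f"{user_id} already exists")
        ident = Identity(user_id, kind, {role}, set(ROLE_ENTITLEMENTS[role]))
        self.identities[user_id] = ident
        self.audit.append(("onboard", user_id, actor))
        return ident

    def change_role(self, user_id: str, new_role: str, actor: str) -> Identity:
        """Mover: recompute entitlements so the old role's access does not linger."""
        self._check_actor(user_id, actor)
        ident = self._active(user_id)
        ident.roles = {new_role}
        ident.entitlements = set(ROLE_ENTITLEMENTS[new_role])
        self.audit.append(("role-change", user_id, actor))
        return ident

    def grant_adhoc(self, user_id: str, entitlement: str, actor: str) -> None:
        """Exception grant outside the role model; legitimate, but must be reviewed."""
        self._check_actor(user_id, actor)
        self._active(user_id).entitlements.add(entitlement)
        self.audit.append(("adhoc-grant", user_id, actor))

    def offboard(self, user_id: str, actor: str) -> None:
        """Leaver: disable the identity and revoke everything in one step."""
        self._check_actor(user_id, actor)
        ident = self._active(user_id)
        ident.status = Status.DISABLED
        ident.entitlements.clear()
        self.audit.append(("offboard", user_id, actor))

    def is_permitted(self, user_id: str, entitlement: str) -> bool:
        """Access decision: active identity holding the entitlement."""
        ident = self.identities.get(user_id)
        return (ident is not None and ident.status is Status.ACTIVE
                and entitlement in ident.entitlements)

    def review_drift(self) -> dict[str, set[str]]:
        """Access review: entitlements that no current role of the user explains."""
        drift: dict[str, set[str]] = {}
        for user_id, ident in self.identities.items():
            expected: set[str] = set()
            for role in ident.roles:
                expected |= ROLE_ENTITLEMENTS[role]
            extra = ident.entitlements - expected
            if extra:
                drift[user_id] = extra
        return drift


def run_lifecycle_demo() -> dict[str, object]:
    """Walk one identity through the four use cases and report the outcomes."""
    d = IdentityDirectory()
    d.onboard("n.jones", "workforce", "nurse", actor="sec-ops")
    d.onboard("acme-tech-01", "vendor", "vendor-support", actor="sec-ops")
    d.onboard("patient-4711", "patient", "patient", actor="sec-ops")
    before = d.is_permitted("n.jones", "ehr:write-notes")
    d.change_role("n.jones", "billing", actor="sec-ops")
    after = d.is_permitted("n.jones", "ehr:write-notes")
    d.grant_adhoc("n.jones", "ehr:read", actor="sec-ops")
    drift = d.review_drift()
    d.offboard("acme-tech-01", actor="sec-ops")
    return {"nurse_before": before, "nurse_after": after,
            "drift": drift, "vendor_after": d.is_permitted("acme-tech-01", "ticketing:read")}


if __name__ == "__main__":
    print(run_lifecycle_demo())
```

The design choice worth noting is that `change_role` rebuilds the entitlement set from the new role instead of adding to the existing one; the common failure in real directories is the reverse, where a clinician who moves to billing keeps clinical record access for years. `review_drift` is the periodic check that catches any remaining exception grants, and the audit list records who approved each lifecycle event so that the security function, not the requesting manager, is accountable for it.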

“By providing an explanation of key concepts, outlining a framework and best practices, investigating the various solutions and vendors, and highlighting the aspects of effective implementation, the H-ISAC intends to provide a holistic guide to assist CISOs in the health sector on how to best approach Identity and Access Management and its role in managing cybersecurity risk,” researchers explained.

H-ISAC plans to release subsequent insights providing deeper analysis and guidance on these technologies. Industry stakeholders are encouraged to share feedback and suggestions with H-ISAC.
