Why Healthcare Needs Cloud-Based Identity Management
An increasingly complex digital environment necessitates a new scalable approach to identity management that safeguards sensitive data and streamlines access.
The decision by healthcare organizations to reduce IT costs by moving infrastructure to the cloud is creating a new challenge for security professionals to protect their digital assets while enabling more users to access systems and services.
These organizations are managing more digital identities and even more data access entitlements. Without automating identity management activities, they run the risk of creating gaps in security and compliance and introducing delays in giving access to users with an urgent need for data.
Taken holistically, identity management comprises two components: the management of access to networks and systems and the management of rights to access applications and data. However, traditional identity management solutions are not well suited to complex IT environments where data access needs are continually changing for both employed and non-employed staff.
Fortunately, new cloud-based identity management solutions are capable of keeping pace with internal and external threats to sensitive data.
Identity Management in the Cybersecurity Age
In 2018, the Department of Health & Human Services identified the five "current most impactful cybersecurity threats" facing healthcare in a guidance document aimed at helping providers manage cybersecurity threats and protect sensitive health data:
- E-mail phishing attacks
- Ransomware attacks
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
In technical documents accompanying the guidelines, the federal agency detailed the critical role of identity and access management policies and systems to address three of these five challenges.
"HIPAA describes the key principle of minimum necessary, which states that organizations should take reasonable steps to limit uses, disclosures, or requests of PHI to the minimum required to accomplish the intended purpose. This same principle applies to reducing the attack surface of potentially compromised user accounts. By limiting access, you can limit the scope of a ransomware outbreak or data attack," the report stated.
Implementing a robust identity management model requires the coordination of IT, security, and human resources staff, according to the report. Best practices for identity management require healthcare organizations to conduct numerous activities — ranging from establishing identities and provisioning access to authenticating and auditing access.
"These processes should account for volunteers, locums, contractors, students, visiting scholars, visiting nurses, physician groups staff, billing vendors, visiting residents, organ procurement organizations, special statuses (such as emeritus professors), and third-party vendors that require access to provide services to your organization," the report added.
Respondents to a 2018 HIMSS-SailPoint survey of healthcare organizations indicated that insider threats posed as much harm to health data security and privacy as external threats. Among organizations currently implementing or managing cybersecurity solutions, 43 percent viewed insider threats as of greater concern while 35 percent perceived the threats to be of equal importance.
Despite these levels of concern, providers lag in their adoption of identity management technologies. One-third of respondents applied identity management solutions to half of their applications, suggesting the existence of numerous security and compliance gaps within the past year.
What's more, of those invested in identity management solutions currently, most rely on directory group memberships to determine access rights (61%) and many employ manual permission assignments to safeguard access to sensitive data (48%).
"Given that provider organizations are continuously on-boarding and operating numerous applications, it is imperative that these critical gaps are addressed to protect sensitive information stored in systems, applications, and file storage folders," the report stated.
These findings indicate that a significant number of providers lack the means to manage users at a granular level, potentially exposing sensitive data to risks as a result of accidental, negligent, or malicious behavior.
Robust Identity Management in the Cloud
Traditional methods for managing identity were designed for local access, relying on on-premises directories to restrict access to information and services based on the business needs of end-users. As health IT infrastructure becomes more decentralized, that approach doesn't work.
The need to manage users and access in a unified manner within a complex digital environment has given birth to cloud-based identity management solutions, which allow organizations to support the needs of authorized end-users and prevent unauthorized access by bad actors. So what are they?
Cloud-based identity management technologies move directories to the cloud, enabling the system to authenticate and authorize users irrespective of their physical location. What's more, these cloud services allow organizations to house and maintain their identity management policies in a centralized location, the single source of truth for users and access.
Given the diversity of devices and number of applications now supported by healthcare organizations — some onsite, others off — cloud-based identity management offers the flexibility and scalability necessary for an industry in digital transition. With a centralized directory and a means to customize access based on the different needs of organizations and personnel, healthcare organizations can decouple their identity management policies from their IT infrastructure. Doing so allows these organizations to add new technology and users as well as retire legacy systems and access for individuals who have changed roles.
What's more, cloud-based identity management technology is able to leverage advancements in artificial intelligence (e.g., machine learning tools for automating identity management processes). The cloud is uniquely positioned to scale quickly to support resource-intensive services that require large amounts of data and processing power to function effectively.
Cloud-based identity management systems and services are a logical choice for healthcare organizations, especially those lacking sufficient resources and staff. For the same reason that cloud computing can reduce IT costs, cloud-based identity management can reduce the burden on small IT and security departments and enable these professionals to focus on supporting clinicians and patients.
________________________________________
About SailPoint
SailPoint enables healthcare provider organizations to cost-effectively protect healthcare data, reduce financial risk from poor audit performance, and avoid disruptions to patient care. Infused with artificial intelligence, its predictive identity governance anticipates how access should change, shows where attention is needed, and recommends actions. Ideally suited for healthcare, the SailPoint platform increases IT and operational efficiencies by automating processes and simplifying the on-boarding and management of complex healthcare user populations (employees, affiliated physicians, contractors and others). SailPoint is consistently recognized by Gartner, Forrester and KuppingerCole as the leading authority on identity governance, and the preferred partner for numerous healthcare organizations.