The healthcare industry is speeding up its digital transformation — the impetus has become very apparent as we progressed through 2020. While we won’t see cloud hospitals any time soon, healthcare CISOs and IT pros are pushing ahead with digitizing the labor-intensive functions and workflows across their organizations. This transformation started long before the impacts of the novel coronavirus. However, the impact of COVID-19 on patient health and the health of medical professionals combined with updated requirements on how medical care is accessed and provided in a safe and secure manner has dramatically sped up this effort.
Developing interconnected health systems is top of mind for every medical industry IT expert. And the list of concerns is long:
- security of patient data, as required by HIPAA and other national regulatory frameworks,
- security and safety of network-connected medical devices and medical IoT devices,
- access control for facilities, and data security for support services such as medical insurance.
For a medical industry CISO this means thinking through how these systems roll up to and connect to an identity and access management (IAM) system. It’s mandatory — from regulatory and operational standpoints — to document and understand access privileges: how, by whom, why, when and where resources are being accessed.
The slow death of passwords
Recently we spoke with Sharp HealthCare, a California-based healthcare group with 2,600 physicians and more than 18,000 employees, about digitizing their organization. Unsurprisingly, the discussion soon turned to password management and the opportunities around switching to passwordless authentication.
“Our discussions with healthcare IT professionals frequently revolve around eliminating passwords – IT security administrators can’t stand them,” explains Bil Harmer, CISO and Chief Evangelist at SecureAuth. “Breached passwords provide the default way for hackers to escalate privilege — and they are too easy to acquire through social engineering and phishing. It’s just a weak form of authentication and it’s a lot of overhead to any IT department.”
The death of the password, despite a strong push by the cloud IAM industry, is still far away, as Bil explains: “By no means have healthcare organizations gotten rid of passwords. Over time the password is going to die, but this will happen at a different rate for each organization, and at a different rate for each user group it services – be it employees, service partners, or patients. Instead of having a password, healthcare organizations will offer passwordless MFA, it could be YubiKey in some cases but more often you’ll see push notifications through their own mobile app with an embedded third-party authentication SDK.”
Identity proofing is the new IAM challenge
The first step on a user journey, whether as an employee (workforce/B2E) or a customer (CIAM), is to proof the user’s identity. This may be straightforward when users are on site, but it becomes much harder when there is very little physical contact, as during the COVID-19 pandemic. Identity proofing is key to the success of digital health.
“What is becoming increasingly important is identity proofing. Do you trust the identity of the person if they are requesting MFA enrollment or an MFA token,” comments Bil Harmer. “If a hacker can exploit that proofing exercise, it’s catastrophic. So, you need to be diligent as you register people for MFA. Once they have the MFA device and you trust the entire exchange, then this whole problem is much easier. At that point you have a path to passwordless.”
Login context will play an even greater role in IAM
Passwordless authentication is an important concept and to make it work, IT pros in healthcare need to integrate the right components to build a comprehensive system that meets the security requirements of the organization without creating a huge inconvenience for users.
One of those components is user telemetry: information about the user, the user’s device, and the behavior the user exhibits. Once the IAM system starts consuming additional contextual information such as whether the nurse is supposed to be on shift, or whether this person should be logging in to a restricted drug cabinet, it becomes easy to examine those behaviors automatically and identify when they violate what is expected.
“A common misconception of Zero Trust is that people feel they must authenticate and be challenged every time they touch the computer,” explains Bil. “That’s not really true. With good behavior analytics, adaptive multi-factor authentication and so on that’s no longer necessary. Part of the architecture that everyone including healthcare organizations should be driving toward is funneling all authentication events into a centralized identity provider.”
The more contextual information a centralized IAM system can collect about different ways users log in to cloud apps and legacy systems, the better the telemetry is going to be. Advanced IAM deployments can take advantage of machine learning and behavior analytics technologies.
Having a login context-driven access management system becomes critical for large healthcare IAM deployments. Such a context-driven system allows you to identify profile misuse because it can alert you to unexpected logins to a specific on-premises application or cloud app. At that point you gain end-to-end visibility into your identity security. That’s why this approach is part of the architecture many healthcare providers have chosen to go with. As identity and context become the firewall, any healthcare CISO will want all that context and behavioral data funneled into one central place if possible.
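To make the context-driven decision described above concrete, here is an added illustrative example; it is not code from the original post or from SecureAuth. It is a small Python policy evaluator that takes constructed user profiles (shift window, devices enrolled through identity proofing, usual facility sites) and constructed login events, derives the contextual signals mentioned above (off-shift login, unknown device, unusual site, a role not permitted on a restricted app such as the drug cabinet), and returns an adaptive decision of allow, step-up MFA, or deny. All user IDs, app names, sites and thresholds are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Apps whose use is limited to specific roles. Constructed labels for this example.
RESTRICTED_APPS: Dict[str, Set[str]] = {
    "drug-cabinet": {"nurse", "pharmacist"},
    "ehr-admin": {"it-admin"},
}


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    role: str
    shift_start: time          # scheduled shift window; may wrap past midnight
    shift_end: time
    known_devices: Set[str]    # device ids enrolled during identity proofing
    usual_sites: Set[str]      # facility sites the user normally logs in from


@dataclass(frozen=True)
class LoginEvent:
    user_id: str
    app: str
    device_id: str
    site: str
    timestamp: datetime


def on_shift(profile: UserProfile, when: datetime) -> bool:
    """True if the login time falls inside the scheduled shift (overnight shifts wrap midnight)."""
    t = when.time()
    if profile.shift_start <= profile.shift_end:
        return profile.shift_start <= t < profile.shift_end
    return t >= profile.shift_start or t < profile.shift_end


def risk_signals(profile: UserProfile, event: LoginEvent) -> List[str]:
    """Contextual signals derived from user, device and behavioural telemetry."""
    signals: List[str] = []
    if not on_shift(profile, event.timestamp):
        signals.append("off_shift")
    if event.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if event.site not in profile.usual_sites:
        signals.append("unusual_site")
    return signals


def decide(profile: UserProfile, event: LoginEvent) -> Tuple[str, List[str]]:
    """Adaptive decision: allow, step_up (extra MFA challenge) or deny, plus the reasons."""
    allowed_roles = RESTRICTED_APPS.get(event.app)
    if allowed_roles is not None and profile.role not in allowed_roles:
        return "deny", ["role_not_permitted"]
    signals = risk_signals(profile, event)
    if not signals:
        return "allow", signals          # expected context: no challenge needed
    if len(signals) == 1:
        return "step_up", signals        # one anomaly: challenge with MFA
    return "deny", signals               # several anomalies: block and alert


def evaluate(profiles: Dict[str, UserProfile], events: List[LoginEvent]) -> List[Tuple[str, str, str, List[str]]]:
    """Run every login event through the policy; unknown users are denied outright."""
    results = []
    for ev in events:
        profile = profiles.get(ev.user_id)
        if profile is None:
            results.append((ev.user_id, ev.app, "deny", ["unknown_user"]))
            continue
        decision, signals = decide(profile, ev)
        results.append((ev.user_id, ev.app, decision, signals))
    return results


# Constructed sample data: a night-shift nurse and a daytime billing clerk.
PROFILES: Dict[str, UserProfile] = {
    "nurse01": UserProfile("nurse01", "nurse", time(19, 0), time(7, 0), {"dev-A"}, {"ward-3"}),
    "clerk07": UserProfile("clerk07", "billing", time(8, 0), time(17, 0), {"dev-B"}, {"front-desk"}),
}

SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent("nurse01", "drug-cabinet", "dev-A", "ward-3", datetime(2020, 11, 3, 23, 15)),   # on shift, known device
    LoginEvent("nurse01", "drug-cabinet", "dev-A", "ward-3", datetime(2020, 11, 3, 13, 15)),   # off shift
    LoginEvent("nurse01", "ehr-portal", "dev-Z", "remote", datetime(2020, 11, 3, 13, 15)),     # off shift, new device, new site
    LoginEvent("clerk07", "drug-cabinet", "dev-B", "front-desk", datetime(2020, 11, 3, 10, 0)), # role not permitted
    LoginEvent("ghost99", "ehr-portal", "dev-C", "front-desk", datetime(2020, 11, 3, 10, 0)),  # unknown user
]


def run_sample() -> List[Tuple[str, str, str, List[str]]]:
    return evaluate(PROFILES, SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, app, decision, signals in run_sample():
        print(f"{user:8} {app:13} {decision:8} {','.join(signals) or '-'}")
```

The point of the design is that the decision is made from the same centrally collected telemetry for every app, legacy or cloud, so an off-shift login to the drug cabinet produces a step-up challenge rather than a blanket re-authentication on every interaction, and a pile-up of anomalies is what triggers a block and an alert.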
If you would like to hear the entire healthcare achieving zero trust webinar, visit: https://www.secureauth.com/resource/achieving-zero-trust-securing-workforce-and-customer-identities-in-a-new-business-paradigm/