How healthcare CIOs and CISOs can handle identity and access management
Many patients have been through the registration process multiple times: as a guest, while shopping for a specialist, or as a registered patient booking an appointment or viewing their own EHR. Getting a single view of each identity, while securing each of those identities, is essential to a quality patient experience.
Many healthcare organizations are managing multiple siloed identities for the same providers and patients, with identity support provided only on an application-by-application basis. As a result, multiple log-ins are often required to get common tasks done.
For example, a patient who wants to look up test results and then respond to a message from her clinician may have to access two different systems, with two different sets of login credentials.
Weaker authentication methods in use
“In the absence of a comprehensive identity and access management approach, we also see weaker authentication methods in use because it’s difficult to integrate state-of-the-art, strong and adaptive authentication methods into each system,” said Eve Maler, vice president of innovation and emerging technology at ForgeRock, a vendor of access management and identity management technology.
“A healthcare system might not flag suspicious activity based on a user’s behavior – such as asking for multiple re-orders of a prescription medication or changing the address for delivery of that medication while logged into an unfamiliar device,” she said.
With fraud rampant, a provider could miss these critical signs that an account takeover is in progress, Maler explained.
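The two behavioural signals Maler mentions (repeated refill requests for the same prescription, and a delivery-address change made from a device the account has not used before) are the kind of thing a portal can score itself when its identity layer exposes device and session context. The following is an added example, not code from the article or from ForgeRock: the event schema, the thresholds (more than two refill requests per prescription in 24 hours; a device counts as familiar only after a week of use) and the sample events are all constructed here. In a real deployment these alerts would drive step-up authentication or a fraud review rather than just a log line.

```python
"""Behavioural account-takeover signals for a patient pharmacy portal.
Added illustration; schema, thresholds and events are constructed, not taken
from any real system."""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86400
REFILL_LIMIT = 2              # assumed: >2 refill requests per rx in the window is suspicious
REFILL_WINDOW = DAY           # assumed: 24-hour sliding window
FAMILIAR_AFTER = 7 * DAY      # assumed: a device is familiar once it has been used for a week


@dataclass(frozen=True)
class Event:
    ts: int          # unix seconds
    user: str        # account identifier
    device: str      # device fingerprint / persistent cookie id
    action: str      # "login", "refill_request" or "address_change"
    detail: str = "" # prescription id or new delivery address


def score_events(events):
    """Replay events in time order and return {user: [alert, ...]}.

    A device becomes familiar only once FAMILIAR_AFTER seconds have passed
    since its first login for that user, so a fresh login from a new device
    does not immediately whitelist it."""
    alerts = defaultdict(list)
    first_seen = {}               # (user, device) -> timestamp of first login
    refills = defaultdict(list)   # (user, rx) -> timestamps of refill requests

    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.device)
        if ev.action == "login":
            first_seen.setdefault(key, ev.ts)
            continue

        familiar = key in first_seen and ev.ts - first_seen[key] >= FAMILIAR_AFTER

        if ev.action == "refill_request":
            history = refills[(ev.user, ev.detail)]
            history.append(ev.ts)
            recent = [t for t in history if ev.ts - t <= REFILL_WINDOW]
            if len(recent) > REFILL_LIMIT:
                alerts[ev.user].append(f"refill_velocity:{ev.detail}:{len(recent)}")
        elif ev.action == "address_change" and not familiar:
            alerts[ev.user].append(f"address_change_unfamiliar_device:{ev.device}")

    return dict(alerts)


# Constructed sample events (not real data).
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    Event(T0, "alice", "dev-A", "login"),
    Event(T0 + 20 * DAY, "alice", "dev-A", "login"),
    Event(T0 + 20 * DAY + 60, "alice", "dev-A", "address_change", "12 Main St"),   # familiar device
    Event(T0 + 20 * DAY + 120, "alice", "dev-A", "refill_request", "rx-1001"),
    Event(T0 + 21 * DAY, "alice", "dev-Z", "login"),                                # never seen before
    Event(T0 + 21 * DAY + 30, "alice", "dev-Z", "address_change", "PO Box 9"),      # alert
    Event(T0 + 21 * DAY + 40, "alice", "dev-Z", "refill_request", "rx-1001"),
    Event(T0 + 21 * DAY + 50, "alice", "dev-Z", "refill_request", "rx-1001"),       # third in 24h: alert
    Event(T0 + 5 * DAY, "bob", "dev-B", "address_change", "1 Elm Rd"),              # no login on record
    Event(T0, "carol", "dev-C", "login"),
    Event(T0 + 10 * DAY + 5, "carol", "dev-C", "address_change", "7 Oak Ave"),      # familiar, no alert
]

if __name__ == "__main__":
    for user, user_alerts in score_events(SAMPLE_EVENTS).items():
        print(user, user_alerts)
```

Replaying the sample gives alerts for alice (address change from the day-old device dev-Z, then a third refill of rx-1001 inside 24 hours) and for bob (address change from a device with no login history), and nothing for carol, whose device has been in use for ten days.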
Healthcare challenges rooted in identity and access management are on the rise. Consumers’ personally identifiable information remains the Holy Grail for cybercriminals, and given that enterprises across a wide range of industries – including healthcare, government and financial services – store and manage billions of consumer data records, these organizations are constantly under siege from cyberattacks.
The ForgeRock U.S. Consumer Data Breach Report found cybercriminals exposed 2.8 billion consumer data records in 2018, costing U.S. organizations more than $654 billion. Almost half (48%) of all consumer data breaches happened in the healthcare sector, four times as many as in any other sector.
Interoperability requires a comprehensive security approach
“The push for interoperability in health data exchange requires a method of identifying and securely authenticating patients across not just single-provider application landscapes, but also far-flung third-party data ecosystems,” Maler stated. “The data breach report revealed healthcare-related personal data breaches in Q1 2019 saw an increase of 400% over Q1 2018, impacting the challenge of patient matching in such environments.”
And new government rules and market realities are forcing real solutions for consumer-directed consent and delegated access to health data, she added.
The healthcare industry traditionally lags in modernizing IT due to its strict regulatory environment, she said. Further, the focus on usability improvements to drive adoption among non-technical audiences has at times outpaced security measures, she said.
“With new mandates for electronic health records and increased awareness by consumers around data breaches, this trend is slowly shifting to re-focus on security,” she added.
How to fight identity and access management challenges
So how can CIOs and CISOs at healthcare provider organizations successfully combat identity and access management challenges? Maler has some answers.
“CIOs and CISOs at healthcare organizations can protect consumer data by implementing a strong customer identity management program,” she advised. “Every industry has incentives to avoid brand damage and costly breaches, and so healthcare organizations must use modern techniques of identity and access management to secure their infrastructure, from servers in the data center to patient PII and smart devices at the edge.”
Some good news is that there are identity-related standards that can assist with these challenges, and work is ongoing to profile and pilot common industry use-cases using them.
“The FHIR API is being combined with a stack of standards, including OAuth, OpenID Connect and User-Managed Access, designed to protect APIs, carry identity information over them, and enable people to control how and with whom their information is shared,” Maler explained. “Another recently ratified standard, FIDO2/WebAuthn, enables strong and biometric authentication and is being supported by browser makers.”
A conversation between healthcare and financial services
Further, a conversation is beginning to take place among those in the healthcare and financial services industries to see what identity and access management lessons from the latter might be applicable to the former, Maler added. For example, banks make use of an industry-wide shared fraud intelligence network to assist with “Know Your Customer” checks, similar to the patient-matching process, she explained.
In the identity and access management field, there are some emerging technologies that could potentially help healthcare provider organization CIOs and CISOs better protect themselves.
“Today, patients struggle with an inability to share meaningful data generated by consumer IoT devices with providers,” Maler said. “They also struggle to control the sharing of highly sensitive medical data in a fine-grained fashion, manage care transitions due to relocation or travel, and delegate decision making and data access to trusted others.”
As digital transformation drives advancements in healthcare, organizations can start to use next-generation authorization, consent and identity relationship management technologies to improve health outcomes, patient satisfaction and data sharing control, she explained.
“Providers can apply solutions such as ‘user-managed access’ to enable patients to manage data sharing in a way that matches their real-world relationships, thereby delivering connected care in a way that builds trust,” she concluded.
Focus on Securing Healthcare
In August, Healthcare IT News, along with our sister sites, MobiHealthNews and Healthcare Finance, will focus on the many ways the industry is succeeding – and the places it's falling short – when it comes to the all-important task of enterprise-wide security.
Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.