Identity management the new 'perimeter' for hospital cybersecurity
Protecting a hospital network’s perimeter used to be the guiding principle for security professionals, but today they must focus more on managing the identities of every user, said John Houston, vice president of information security and privacy at the University of Pittsburgh Medical Center.
“The concept of perimeter is changing due to the internet and cloud computing – we no longer have a perimeter the way we had in the past,” Houston said. “Identity is the new perimeter.”
The most important thing security professionals can do, in fact, is maintain control over who has access to the hospital’s systems, Houston said. And that control is where a strong defense strategy begins.
Organizations like the University of Pittsburgh Medical Center, which uses identity analysis technology from cybersecurity vendor FairWarning as part of its security arsenal, must first know who their people are and what each of those people has access to, Houston said. Organizations then need to make certain that the information each person can access is appropriate for that person, he added.
Today, it’s quite likely that more than a few users do not work within the four walls of an institution. These individuals often require additional scrutiny.
“Our system knows when you are not an employee. Someone has to sponsor these individuals to get an account. They put down how long that person will be here, like a contractor for three months,” he said. “At least annually these accounts have to be reviewed. We have put a lot of controls in place to make sure that we have good information about people.”
Because there were no bulletproof identity management platforms available, UPMC built its own.
“Ten or 12 years ago, we looked at what it would have taken to buy an identity platform, and it would have taken six or seven different commercial software packages to cobble together a sufficient platform,” Houston said. “Had we done that, we would have replaced all of them by today, either because they no longer would be on the market or because they would be out of date.”
Houston added that the most important capabilities of an identity management platform, whether proprietary like UPMC’s or purchased from a vendor, include the ability to understand who your users are and ultimately run analytics on their activities.
“We link into our human resources system, our physician credentialing system, we know when people come into our employment, when they change positions, when they leave,” Houston said. “Who they are, where they report to, where they are in the organization, we have a lot of understanding of who these people are. When we are doing analytics we have a firm foundation of who has access to our systems. And from there we can more easily do identity analytics of the activity of people and who should be in our systems.”