In a recent blog article, we discussed the top 5 Identity and Access Management challenges the healthcare industry is facing. Evolving compliance regulations, growing M&A activity, digital transformation, ongoing financial and organizational issues, and mounting security threats are all driving the need for more comprehensive Identity and Access Management (IAM) capabilities that go well-beyond pure single sign-on (SSO) alone.
IAM, specifically a comprehensive and integrated IAM solution that can support all types of users and devices, while also providing secure access to applications and data is essential to addressing these challenges. Healthcare organizations hold a repository of sensitive data and assets, so IAM is no longer simply “good to have,” but rather a “must do.” Leveraging IAM to restrict and control access allows for focused protection down to the granular level of patient records.
Simply speaking, although many healthcare organizations have basic identity management and SSO in place, few organizations have reached the next level of IAM. It is estimated that more than 80 percent of healthcare organizations do not have an effective and modern IAM implementation in place.
While SSO solutions are necessary, they often lack the granularity needed to provide a secure work environment that protects the privacy of patient records. Advanced IAM functions, such as granular control over the access of users to systems, data, and even specific data sets. These and other security and productivity benefits offered by comprehensive, integrated IAM solutions are essential to today’s healthcare organization and go well-beyond what SSO alone can offer.
Why Healthcare is Behind the Curve When It Comes to Identity and Access Management
For many healthcare organizations, IAM still boils down to a set of technical, administrator-driven capabilities, managed by disparate tools. However, legacy approaches, such as using scripts to provision new users to the Active Directory (AD), are not only difficult to maintain, but can also lead to delays and errors in onboarding and offboarding.
Security is another area where healthcare lags behind when it comes to technology. The common approach, one based on policy books, manual processes, and simple manual reports, is error-prone and cumbersome.
Today’s healthcare organizations manage highly variable workforces. Providing the appropriate individuals with granular access to the right systems and data, at the right time, and for the right duration, requires a high degree of automation in all identity and access related processes. Furthermore, stringent compliance regulations are driving the need for efficient audit and reporting capabilities.
Even with all of these challenges, healthcare organizations struggle with how to best allocate their cybersecurity budgets. Frequently, IAM investments appear to be in conflict with cybersecurity expenditures. However, IAM supports both the mitigation of cyber risks, as well as business enablement.
Healthcare organizations need to shift their focus to comprehensive, integrated IAM solutions that support major healthcare applications and address healthcare’s unique SSO challenges, such as the need fast user switching on shared workstations.
How Integrated IAM Solutions Address Healthcare’s Challenges
IAM consists of a broad range of capabilities, rather than a single technology or tool. These capabilities can be mapped into four areas that we refer to as the “Four A’s of IAM”:
- Administration: The management of users and their accounts.
- Audit: Collecting and analyzing logs, applying Segregation of Duties (SoD) controls, etc.
- Authentication: Includes capabilities, such as Multi-Factor Authentication (MFA) and SSO
- Authorization: Control over which users are allowed to do what in systems and with data
Each of these areas include a wide variety of products, services, and capabilities. While this can seem overwhelming, there are certain capabilities that are particularly important for healthcare organizations.
For starters, IAM in healthcare should focus on managing all types of identities, including users, privileged users, patients, devices, and applications and provisioning access to target systems and resources governed by fine-grained access controls for sensitive data, such as EMRs.
While delivering an SSO experience to users is critical, equally important is enhancing security with MFA that supports a broad variety of authentication factors to meet the needs of different user groups. Authentication capabilities also need to comply with healthcare-specific requirements, such as EPCS. Furthermore, healthcare IAM solutions should have audit and governance capabilities that help identify threats, manage risk, and comply with regulations.
Finally, IAM in a healthcare setting requires focus on integrated solutions that deliver specialized support for healthcare applications. When properly integrated, the capabilities discussed above help meet healthcare’s specific requirements, while avoiding a level of technical complexity that can stall a project. Integrated and healthcare-focused IAM helps organizations balance the usability and convenience users need to do their jobs with today’s security and compliance requirements.
Is Your Organization Still Prioritizing Convenience Over Security?
Many healthcare organizations are still focused on SSO with only basic AD management and point security solutions in place. While SSO offers clear productivity and user benefits, it alone is not enough to mitigate the complex compliance, security, and business challenges today’s healthcare organizations face.
IAM is no longer just an IT tool, but an essential business enabler. Implementing a comprehensive, integrated IAM solution that delivers specialized support for healthcare applications can balance users’ need for convenience and ease of use, with the organization’s security, compliance, and risk mitigation requirements.
For more information on the need for complete IAM in healthcare and how it can benefit your organization, download the Kuppinger Cole report, IAM in Healthcare: It’s Time to Act.