Oftentimes, healthcare organizations have point solutions to address critical areas, but are still concerned about their broader security needs. For example, many organizations implement Single Sign-On (SSO), only to realize that convenience, rather than enhanced security, is its main benefit.
Recently, we discussed why Identity and Access Management (IAM) is a necessary central discipline as part of an in-depth cybersecurity defense strategy. Not only does IAM improve an organization's security posture and increase resilience against cybersecurity attacks, which limits the risk of malware and stolen data, it also improves operational efficiency.
In order to remove complexities in the identity management space, we constructed the Identity Automation Healthcare Security Framework. This framework brings together the infrastructure, application, and identity responsibilities specific to healthcare. Composed of four key IAM tenets (Identity Lifecycle Management, Access Management, Authentication, and Governance), the healthcare security framework is an ideal approach for implementing IAM.
Of course, many healthcare organizations already have one or more technologies to fill needs in each of these disciplines. While we strongly recommend adopting these four key tenets in the order presented, there’s no right or wrong approach.
In part one of this two-part series, we will begin by delving into the first two levels of the healthcare security framework: identity lifecycle management and access management. Let’s check it out!
Base Level: Identity Lifecycle Management
First and foremost, at the base of the healthcare security framework is Identity Lifecycle Management (ILM). As a foundational layer, ILM enables organizations to set themselves up for success when implementing the next major tenets of IAM. It’s important to note that lifecycle management was traditionally the term used in place of IAM; however, as the space has evolved, so has the terminology.
When we say ILM, we’re referring specifically to the collection of technologies and business processes that govern the creation, management, and removal of user identities across the systems that an enterprise uses to run its business, whether those systems are on-premises or in the cloud.
ILM encompasses the complete account management of nearly anyone who has a relationship with your organization, including external users. For example, ILM helps to automate often lengthy manual processes for account provisioning and deprovisioning of new hires, transfers, retirees, interns, volunteers, temps, patients, physicians, and specialists.
As a leading IAM provider, we often hear questions like, “How does lifecycle management apply to my healthcare organization?” and “How can ILM make a substantial difference in our environment?” Many jump right to the conclusion that lifecycle management only helps with employee onboarding and ask, “How do I get employees access to what they need in a timely fashion?” However, many activities happen in between onboarding and, ultimately, offboarding that can introduce risk.
In fact, healthcare’s transitory workforce presents a fairly unique identity challenge. For example, visiting physicians and nurses need access to data when they are working, but what happens to their identities when they are absent for long periods?
Additionally, there’s the challenge of frequent staff position changes: students become residents, residents transition to full-time employees, employees are assigned and re-assigned to departments, and promotions and demotions happen throughout.
If you’re not closely monitoring not only who has access, but also what data users have access to, especially as users move through role promotions and demotions, your organization could be at high risk for cyberattacks. This is of particular concern in the healthcare industry, considering hospitals are already more vulnerable to cybersecurity attacks than any other type of organization.
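To make the joiner/mover/leaver events described above concrete, here is a small lifecycle-management simulation. It is an added example, not code from Identity Automation or from the original post; the department/role entitlement table, the user IDs, and the 90-day dormancy threshold are constructed assumptions. It shows the three points the section makes: provisioning on hire, revoking entitlements that a new role does not carry when someone transfers (so access does not accumulate through promotions and demotions), and suspending identities that go unused for long periods, as with visiting clinicians.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Set

# Constructed sample entitlement model (an assumption for this example):
# (department, role) -> set of entitlements the role is allowed to hold.
ROLE_ENTITLEMENTS = {
    ("Cardiology", "resident"): {"ehr:read", "ehr:write", "cardiology:imaging"},
    ("Cardiology", "attending"): {"ehr:read", "ehr:write", "ehr:sign", "cardiology:imaging"},
    ("Oncology", "resident"): {"ehr:read", "ehr:write", "oncology:chemo-orders"},
    ("Billing", "clerk"): {"billing:read", "billing:write"},
}

DORMANCY_DAYS = 90  # assumed threshold after which an idle identity is suspended


@dataclass
class Identity:
    user_id: str
    department: str
    role: str
    status: str = "active"          # active | suspended | deprovisioned
    entitlements: Set[str] = field(default_factory=set)
    last_seen: Optional[date] = None


class LifecycleManager:
    """Tracks identities through join (hire), move (transfer), and leave (offboard)."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}

    def join(self, user_id: str, department: str, role: str, today: date) -> Identity:
        # Joiner: provision exactly the entitlements the role defines, nothing more.
        ident = Identity(user_id, department, role, last_seen=today)
        ident.entitlements = set(ROLE_ENTITLEMENTS.get((department, role), set()))
        self.identities[user_id] = ident
        return ident

    def move(self, user_id: str, department: str, role: str) -> Dict[str, Set[str]]:
        # Mover: recompute from the new role so old entitlements are revoked,
        # not silently retained. Returns the delta for audit purposes.
        ident = self.identities[user_id]
        old = ident.entitlements
        new = set(ROLE_ENTITLEMENTS.get((department, role), set()))
        ident.department, ident.role = department, role
        ident.entitlements = new
        return {"revoked": old - new, "granted": new - old}

    def leave(self, user_id: str) -> Identity:
        # Leaver: strip every entitlement and mark the account deprovisioned.
        ident = self.identities[user_id]
        ident.status = "deprovisioned"
        ident.entitlements = set()
        return ident

    def record_activity(self, user_id: str, today: date) -> None:
        self.identities[user_id].last_seen = today

    def suspend_dormant(self, today: date) -> list:
        # Long-absent identities (e.g. a visiting physician who has not returned)
        # lose their entitlements until someone re-activates them deliberately.
        suspended = []
        for ident in self.identities.values():
            if (ident.status == "active" and ident.last_seen is not None
                    and (today - ident.last_seen).days > DORMANCY_DAYS):
                ident.status = "suspended"
                ident.entitlements = set()
                suspended.append(ident.user_id)
        return sorted(suspended)


def demo() -> Dict[str, object]:
    """Walk one resident and one visiting attending through the lifecycle."""
    lm = LifecycleManager()
    day0 = date(2024, 1, 1)
    lm.join("resident-1", "Cardiology", "resident", day0)
    lm.join("visiting-1", "Cardiology", "attending", day0)
    promo = lm.move("resident-1", "Cardiology", "attending")
    transfer = lm.move("resident-1", "Oncology", "resident")
    lm.record_activity("resident-1", day0 + timedelta(days=80))
    dormant = lm.suspend_dormant(day0 + timedelta(days=91))
    gone = lm.leave("resident-1")
    return {"promo": promo, "transfer": transfer, "dormant": dormant, "final_status": gone.status}


if __name__ == "__main__":
    print(demo())
```

The `move` delta is the piece worth keeping in a real deployment: the set of revoked entitlements is what an access review wants to see, and an empty revoke set on a transfer is usually a sign that the new role was defined as a superset of the old one.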
Moving Up to Level 2: Access Management
The second level of the healthcare security framework is Access Management, a robust and essential tenet of IAM. Access Management refers to a collection of technologies and techniques that control what each user has access to and when they can access various resources across the enterprise.
Access Management speaks to policy and role management, including managing multiple affiliations (roles) within a user’s account, temporary shift changes, and workforce transience. It is essentially a strategy for how you apply identities to the data and resources in your environment, ensuring users have the correct access to the correct systems, resources, and applications. By enforcing the principle of least privilege, access rights are limited to only what’s necessary for a given role.
There are two primary forms of access control that can ultimately be mapped back to the classic models: Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC). Many organizations implement RBAC, which controls access based on the roles that users have within the system and on rules stating what access is allowed for users in given roles.
A user is assigned to a group, and that group is assigned to specific resources. While RBAC has traditionally been a great strategy, the strategy alone doesn't safeguard all access needs for today’s modern healthcare organizations.
On the other hand, ABAC can control access based on three different attribute types: user attributes, attributes associated with the application or system to be accessed, and current environmental conditions. While ABAC is the most complex access control model, it is also the most flexible and powerful.
At its core, ABAC enables fine-grained access control, whereas RBAC is for coarse-grained access control. When you can make access control decisions with broad strokes, use RBAC, but when you need more granularity or need to make a decision under certain conditions, use ABAC. Our recommendation is to first try to use RBAC before ABAC, because ABAC controls are essentially searches or filters over attributes, and the bigger and more complex the search, the more processing power and time it takes.
However, when you start integrating Cloud and SaaS-based applications, we recommend a combined approach of RBAC and ABAC. As an example, RBAC can be used to control who can see what modules, and then ABAC can be used to control access to what they see (or what actions they can perform) once inside a module.
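The combined approach in this passage, RBAC deciding which modules a user can see and ABAC deciding what they can do once inside, can be shown as a single policy evaluator. The following is an added example, not code from the original post or from Identity Automation; the role-to-module table, the three ABAC rule predicates, and the sample users, resources, and environment are all constructed assumptions. The evaluator checks the cheap RBAC decision first and only then runs the attribute rules, which follows the section's advice to prefer RBAC before reaching for ABAC.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# RBAC layer (coarse-grained): which modules each role may see.
# Constructed sample policy, an assumption for this example.
ROLE_MODULES: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"ehr", "orders", "imaging"}),
    "nurse": frozenset({"ehr", "orders"}),
    "billing_clerk": frozenset({"billing"}),
}


@dataclass(frozen=True)
class User:           # user attributes
    user_id: str
    roles: FrozenSet[str]
    department: str
    on_shift: bool


@dataclass(frozen=True)
class Resource:       # attributes of the application/data being accessed
    module: str
    patient_department: str
    sensitivity: str  # "normal" or "restricted"


@dataclass(frozen=True)
class Environment:    # current environmental conditions
    on_site_network: bool
    hour: int         # 0-23, local time


Rule = Callable[[User, Resource, Environment, str], bool]


def rbac_can_see_module(user: User, module: str) -> bool:
    return any(module in ROLE_MODULES.get(role, frozenset()) for role in user.roles)


# ABAC layer (fine-grained): predicates over user, resource, environment and action.
def same_department(user: User, res: Resource, env: Environment, action: str) -> bool:
    return user.department == res.patient_department


def on_shift_for_writes(user: User, res: Resource, env: Environment, action: str) -> bool:
    return action == "read" or user.on_shift


def restricted_requires_onsite(user: User, res: Resource, env: Environment, action: str) -> bool:
    return res.sensitivity != "restricted" or env.on_site_network


ABAC_RULES: Dict[str, List[Rule]] = {
    "ehr": [same_department, on_shift_for_writes, restricted_requires_onsite],
    "orders": [same_department, on_shift_for_writes],
    "imaging": [same_department, restricted_requires_onsite],
    "billing": [],  # coarse RBAC alone is considered sufficient here
}


def authorize(user: User, res: Resource, env: Environment, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). RBAC gates module visibility; ABAC gates the action."""
    if not rbac_can_see_module(user, res.module):
        return False, "rbac: no role grants module '%s'" % res.module
    for rule in ABAC_RULES.get(res.module, []):
        if not rule(user, res, env, action):
            return False, "abac: %s denied %s" % (rule.__name__, action)
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample request: an on-site cardiology nurse reading a cardiology chart.
    nurse = User("nurse-1", frozenset({"nurse"}), "Cardiology", on_shift=True)
    chart = Resource("ehr", "Cardiology", "normal")
    env = Environment(on_site_network=True, hour=10)
    print(authorize(nurse, chart, env, "read"))
```

Returning the name of the rule that denied the request is deliberate: when the ABAC layer grows to dozens of predicates, the reason string is what lets a help desk or an auditor explain a denial without re-deriving the policy by hand.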
Watch Our On-Demand Webinar At Your Convenience
Now that we’ve explored the first two levels of the healthcare security framework, identity lifecycle management and access management, we have a better understanding of initial steps healthcare organizations can take towards a fully comprehensive security strategy.
As ILM is the baseline for all subsequent IAM capabilities, it’s crucial that this tenet is fully streamlined first. And of all the IAM tenets, Access Management is the single biggest tool for organizations to improve their security posture. However, it’s important to keep in mind that this capability can’t enhance security alone; it needs to be coupled with other capabilities, such as ILM and authentication.
Part two of this blog post will focus on the final two levels of the healthcare security framework and how together, these key tenets can strengthen the security posture of your healthcare organization.
In the meantime, check out our on-demand webinar, The New Perimeter: Redefining the Healthcare Security Framework with Identity and Access Management, for more details on how to execute a comprehensive IAM project.
In this webinar, Identity Automation’s CEO and Co-Founder, James Litton, delves into not only the healthcare security framework, but also how to evaluate the maturity of your current IAM capabilities and determine a prioritization.