In terms of the traditional security structure, the cloud has changed everything: it has pushed the perimeter boundaries outside the organization’s four walls. With the soft perimeter of a hybrid environment comes the complexity of additional tools and analytics that are needed to achieve the same level of visibility as with traditional edge security devices. Software as a service (SaaS), multi-tenant technologies, and serverless infrastructures complicate things further.
Identity is a central mechanism, and in order to effectively secure your organization’s data and systems, identity and access management (IAM) capabilities must be at the core of your healthcare organization’s security program.
In the first part of this blog, we discussed the Identity Automation Healthcare Security Framework, which we created to address the complexities discussed above in the IAM space. The framework brings together the infrastructure, application, and identity responsibilities specific to the healthcare industry. Comprised of four key IAM tenets (identity lifecycle management, access management, authentication, and governance), the healthcare security framework is an ideal approach for implementing a comprehensive IAM solution.
Part one examined the first two levels of the healthcare security framework: identity lifecycle management and access management. Now, let’s explore the final two levels, authentication and governance, and how together, these key IAM tenets can strengthen the security posture of your healthcare organization.
Halfway There at Level 3: Authentication
After addressing identity lifecycle management and access management, our next recommendation on the healthcare security framework is to increase authentication capabilities. While closely related to access management, authentication refers to technologies that validate that the user is who they claim to be, while access management is the process of managing authorization for all of the systems and services that your end users are accessing. Authentication leverages various technologies, including federated login, Multi-Factor Authentication (MFA), and Single Sign-On (SSO), and is also the area in which healthcare is most invested today.
For healthcare, the primary use case is Tap-In, Tap-Out, and Tap-Over proximity badge access capabilities that simplify access to critical data for both physicians and nurses in clinical workflows. However, with federated authentication and SSO, you can extend access well beyond electronic medical records (EMRs) and patient data into back office systems and SaaS platforms.
Implementing various methods of authentication helps streamline your organization’s staff and identity needs and simplifies the experience for all users, not just physicians and nurses. To reduce risk further, organizations can require additional factors of identity validation based on defined criteria, such as time of day or location of the request. Setting these additional factors helps eliminate bad actor activity in your organization’s network.
Nearing the Top at Level 4: Governance
Governance, the fourth tenet on our Healthcare Framework, ensures proper identity and access controls are maintained and updated as your business processes, data classifications, and personnel change. Governance refers to the technologies and processes that enable an organization to define, enforce, review, and audit IAM policies.
Governance is the fastest growing tenet in the IAM domain, primarily due to the growing number of regulations with which companies must comply. Clearly, governance is a large and complex area, so we’ve broken this level into two buckets: entitlements management and audit and compliance reporting.
First, we will discuss governance as it speaks to entitlement management of administrative, clinical, and patient-facing systems. Next, we’ll dive into how your organization can utilize governance technologies to map your IAM functions to compliance requirements. In turn, this mapping allows you to audit user access to support your organization’s compliance reporting requirements.
Level 4A: Entitlement Management
So, what does entitlement management mean, and how does it apply to the healthcare security framework?
Entitlement management is the reporting and validation of who has access to what resources and data. There are two ways to approach entitlement management. The first is to complete a discovery and scanning effort to report on who has what access in the environment.
The second approach is to integrate access management as part of the identity lifecycle. As part of the integration, entitlements are granted or revoked depending on the action taking place at the stage of the identity lifecycle.
For example, during onboarding, creation of an identity can also transition into granting an entitlement to an EMR. In turn, this indicates to the access management system that applicable permissions for the identity need to be set in the EMR. Conversely, during the offboarding of an identity, the entitlement is revoked, indicating that access for that identity should be removed in the EMR.
Ultimately, both of these approaches lead to a certification of access for identities, or the process of evaluating the assigned access via an entitlement, which indicates whether or not the access or entitlement should continue. The frequency of certification reporting depends on regulatory requirements.
For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires an annual review. On the other hand, the Health Information Technology for Economic and Clinical Health Act (HITECH) calls for a quarterly, or sometimes even monthly, review.
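The two entitlement management approaches and the certification step can be sketched together as a small ledger; this is an added example, not Identity Automation code. The class and method names, the 90-day interval, and the account names are assumptions, and the scan result is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Entitlement:
    identity: str
    resource: str
    last_certified: date
    active: bool = True

class EntitlementLedger:
    def __init__(self, review_days):
        self.review_days = review_days      # certification interval (assumed value)
        self.items = {}                     # (identity, resource) -> Entitlement

    def lifecycle_event(self, event, identity, resource, on):
        """Second approach: grant on onboarding, revoke on offboarding."""
        key = (identity, resource)
        if event == "onboard":
            self.items[key] = Entitlement(identity, resource, last_certified=on)
        elif event == "offboard":
            if key in self.items:
                self.items[key].active = False
        else:
            raise ValueError(f"unknown lifecycle event: {event}")

    def entitled(self, resource):
        return {e.identity for e in self.items.values()
                if e.resource == resource and e.active}

    def reconcile(self, resource, accounts_found):
        """First approach: compare a discovery scan with the ledger."""
        found, entitled = set(accounts_found), self.entitled(resource)
        return {"remove": sorted(found - entitled),      # access without entitlement
                "provision": sorted(entitled - found)}   # entitlement without access

    def due_for_certification(self, today):
        cutoff = today - timedelta(days=self.review_days)
        return sorted((e.identity, e.resource) for e in self.items.values()
                      if e.active and e.last_certified <= cutoff)

    def certify(self, identity, resource, keep, on):
        """Record a reviewer's decision: continue the access or revoke it."""
        e = self.items[(identity, resource)]
        e.last_certified, e.active = on, keep

def demo():
    ledger = EntitlementLedger(review_days=90)
    ledger.lifecycle_event("onboard", "nurse.avery", "emr", date(2024, 1, 8))
    ledger.lifecycle_event("onboard", "dr.patel", "emr", date(2024, 3, 1))
    ledger.lifecycle_event("offboard", "nurse.avery", "emr", date(2024, 4, 2))
    scan = ["nurse.avery", "dr.patel", "temp.contractor"]  # constructed scan result
    return ledger.reconcile("emr", scan), ledger.due_for_certification(date(2024, 6, 15))
```

In the sample data, the scan still finds the offboarded nurse's EMR account and an account that never had an entitlement, and both land in the removal list.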
Peak Level 4B: Audit and Compliance Reporting
Finally, Audit and Compliance are at the peak of our healthcare security framework. Reporting capabilities around privacy protection, substance abuse control, and fraud prevention are of particular importance to the healthcare industry. It’s important for an organization to be able to report on its compliance requirements, and this area is growing by leaps and bounds.
In addition, reporting on the layers of authentication and privileged access, including electronic prescriptions for controlled substances (EPCS), is necessary. EPCS has a major impact in the e-prescribing world and requires an audit trail summarizing all activities. Regardless of compliance and required mandates, a security-focused healthcare organization would want to report on all layers of authentication and privileged access.
Watch Our On-Demand Webinar for the Healthcare Maturity Model
Clearly, authentication and governance, including entitlement management, as well as audit and compliance reporting, are complex subjects with a number of moving components. The most common questions we hear are, “Where do I start?” and “How do I measure our current state?”
If you have similar questions, we’ve created an on-demand webinar designed to help healthcare organizations answer these questions.
Ready to see where your healthcare organization stands? Watch our on-demand webinar, The New Perimeter: Redefining the Healthcare Security Framework with Identity and Access Management, where Identity Automation CEO and Co-Founder, James Litton, provides essential insights into how your organization can evaluate and improve its security posture across the four key areas of IAM discussed in this blog.