Category Archives: Identity and Access Management

What to Look for in an Identity Governance and Administration Solution for Healthcare


Post by John Lammers


Vice President and General Manager of Identity and Access Management, Caradigm

In my previous post, I discussed the unique challenges that healthcare organizations face in the arena of identity governance and administration. In this follow-up post, we will review what to look for when choosing a solution for your healthcare organization.

First, let’s review what we mean by identity governance and administration. Gartner’s Magic Quadrant Report for Identity Governance and Administration[i] defines this as a set of identity management capabilities including: managing identity life-cycles, managing entitlements, and handling access requirements.

There are many supporting capabilities that are required to go from a set of point technologies to a fully-integrated solution for your organization, for instance: workflow orchestration, data validation, auditing, and reporting. In the healthcare IT environment, reach is quite important as well given that healthcare organizations utilize many disparate systems to provide the best possible patient care. Integrating those systems into a common process while automating as much of the identity management and identity governance activity as possible is essential, both to guard against breaches and to ensure that clinicians have secure and appropriate access to the applications they need from day one.

The following are identity governance challenges presented by the healthcare environment and what you can look for in a solution to address each of these.

Complex Staff and Identity Lifecycles

If you’re a typical hospital, change is your new normal. You have visiting specialty practitioners, students who come and go in waves, and roles changing regularly. In recent years, we’ve seen a 70% increase in merger and acquisition (M&A) activity.[ii] All of this adds up to complex staff and identity life cycles. To keep both the one-off and the not-so-one-off changes under your organization’s control, a strong solution is needed.

What to look for:

  • Workflow capabilities that help you orchestrate all of the activities within your processes
  • Unification of the human and automated parts of the process, so that you avoid identity management activity happening outside of and invisible to your process
  • Support for large inflow or outflow of staff in a short time
  • Support for staff members with changing roles or multiple roles

Flexible and Scalable Role Requirements

We see it over and over in our work with healthcare organizations. Different specializations, different sites, different systems and processes. It all adds up to a need for strong role management.

What to look for:

  • Ability to handle large numbers of roles
  • Ability to model your organization’s roles and policies
  • Ability to detect outliers and inconsistency in roles
  • Ability to take action to resolve inconsistencies

Diverse and Continuously Evolving Technology Ecosystems

Healthcare IT organizations strive to deliver the highest quality, most capable systems to clinical staff. Taking advantage of innovative and best-of-breed tools leads to a diverse and continually evolving ecosystem of technologies. It’s critical that your identity management and identity governance solution encompass all your systems. One-off approaches to access control, auditing, and provisioning/de-provisioning accounts lead to situations where a clinical user has access to only some of the applications they need, or, when leaving the organization, has their access removed from only some of those applications. This results in lost visibility, but also the potential for lost productivity and even security breaches. You need a solution that puts all your systems under a single identity governance process, and because that’s always easier said than done, the solution needs to give you a way to cover the basics right away, and then deepen integration (i.e., add automation) as time allows and based on ROI.

What to look for:

  • Ability to integrate with multiple HR systems
  • Ability to integrate with diverse IT support management ticketing systems
  • Flexible integration with a diverse set of EHR (Electronic Health Record) systems, including systems that don’t provide easy remote access, such as systems without APIs, pre-accessibility era web applications, native apps, and even green screen systems
  • Facilities allowing you to handle operations manually and automate on your own timetable, while incorporating manual operations within a single, unified identity management process
  • Tools that put automation in the hands of your staff by making it easier to integrate applications
  • Services available to augment the capabilities of your staff

Scale and Criticality

Scale and high-availability matter to everyone, but every organization is unique in its specific needs. You need options that cover your scenarios today and will flex to accommodate changing needs.

What to look for:

  • Ability of the vendor to articulate their approach to high availability
  • Flexibility in the approach to disaster recovery and to services to guide you as you build your disaster recovery plan
  • Horizontal scaling (more capacity at a single location)
  • Geographical scaling (distributing capacity so that it’s near the users)
  • Throughput scaling (ability to handle bursts of high demand on the system)
  • A history of operating at scale in real production environments

Proactive Risk Mitigation and Breach Defense

No one wants to be in the news as the organization that just experienced a breach. No one wants to sideline valuable employees digging out information in response to an audit. Healthcare organizations must integrate risk mitigation into their day-to-day operations, and your identity governance solution can facilitate that.

What to look for:

  • Risks presented in a way compliance officers and managers can understand
  • Ability to take immediate action on a risk
  • Ability to leverage data to cross-check access that should be happening with access that’s truly occurring
  • Ability to integrate with complementary products, such as FairWarning
  • Ability to create your own reports to surface risks unique to your organization
  • Audited workflow for all account actions
  • Support for scheduled, system-mediated and audited reviews of user privileges by managers and compliance staff

Conclusion

Over these last two posts, we’ve discussed the special challenges that identity management and identity governance present for healthcare organizations and what you should consider when evaluating solutions. Formulating your strategy for identity management and identity governance requires that you solve a multi-dimensional problem. At Caradigm, we address healthcare identity holistically. The importance of this approach is that we’re able to ensure that each aspect of the solution works with and complements the others. We have two decades of experience in healthcare identity and have assembled the industry’s only single-vendor identity and access management suite that covers the entire scope of identity management, secure access, and identity governance. To learn more about Caradigm’s solution to healthcare identity and access management, visit us at https://www.caradigm.com/en-us/solutions-for-population-health/identity-and-access-management/.

[i] https://www.gartner.com/doc/3615131/magic-quadrant-identity-governance-administration

[ii] http://www.beckershospitalreview.com/hospital-transactions-and-valuation/hospital-m-a-activity-jumps-70-in-5-years-8-findings.html

Evaluating an Identity Governance and Administration Solution for Healthcare


Post by John Lammers


Vice President and General Manager of Identity and Access Management, Caradigm

In this post, we’ll explore the unique challenges that healthcare organizations face in the arena of identity governance and administration and in a follow-up post we will review what to look for when choosing a solution for your healthcare organization.

Before we discuss challenges, let’s lay out what we mean by identity governance and administration. Gartner’s Magic Quadrant Report for Identity Governance and Administration[1] defines this as a set of identity management capabilities including: managing identity life-cycles, managing entitlements, and handling access requirements.

Accomplishing these objectives effectively requires more than just these goal-centric capabilities. There’s a set of supporting capabilities that you need to enable your organization to accomplish identity governance and administration effectively: for instance, workflow orchestration, mechanisms to certify the correctness or appropriateness of the data, and a rich set of auditing, reporting, and analytics capabilities. In the healthcare environment, where change is the norm, it is key to automate and unify as much of this as possible.

Gartner’s Magic Quadrant for Identity Governance and Administration and the Healthcare Providers Context

Many people rely on Gartner for guidance when searching for technology providers and the go-to report is Gartner’s Magic Quadrant, which ranks customers along two axes: ability to execute and completeness of vision. But did you know that the Magic Quadrant for Identity Governance and Administration only evaluates horizontal technology vendors? This means that, if you’re only looking at the Magic Quadrant, you’re missing companies that focus solely on a single vertical, such as healthcare.

Recognizing the unique needs of the healthcare vertical, Gartner has included a “Healthcare Providers Context” section in their Magic Quadrant Report for Identity Governance and Administration, and Caradigm is included as a “notable vendor”—the only one on the list that focuses exclusively on healthcare. This section of the report discusses the regulatory and integration challenges that set healthcare apart and provides guidance on what to look for when evaluating identity governance and administration solutions in a healthcare context. At Caradigm, we believe that our choice to focus solely on healthcare is our strength and one of the key differentiators of Caradigm Identity and Access Management.[2]

What Makes Healthcare Unique?

The nature of a healthcare organization’s workforce, processes, and information systems presents unique challenges. On top of this, healthcare organizations face an evolving regulatory environment, an ever-increasing threat from data breaches, and the cost of compliance and continual risk assessment.

Complex Staff and Identity Lifecycles

Change has become the new norm for healthcare organizations. In recent years, we’ve seen a 70% increase in merger and acquisition (M&A) activity.[3] Even outside of M&A activity, many healthcare organizations have staff members that come and go or change roles over time. For example, it’s common in teaching hospitals to have a large number of staff entering or leaving the organization or changing roles over a short span of time. Similar issues can be observed in the use of specialty practitioners. All of this adds up to complex identity life cycles in the healthcare space.

Flexible and Scalable Role Requirements

Healthcare isn’t an industry where you can cover your organization with a half-dozen roles. Organizations can have hundreds or even thousands of roles representing different specializations and different parts of the business. Just as M&A activity complicates identity lifecycles, it can result in an explosion of roles until the organizations involved reconcile them.

Diverse and Continuously Evolving Technology Ecosystem

Healthcare organizations are notorious for being late adopters of technology. But they’re also known for finding a way to react to emerging needs without disrupting reliable, critical systems. The result is a diverse technical landscape. A survey of accountable care organizations found that nearly 60% used multiple EHRs, and nearly 40% of medical practices have replaced or are considering replacing their existing EHR.[4] The mix of old and new systems means that your identity management solution must integrate with a wide breadth of technologies. Initiatives to standardize on large, increasingly capable EHRs have reduced the number of applications in use, but most organizations continue to utilize many applications due to the value of specialty applications and best-of-breed approaches in areas strategic to the organization.

Proactive Risk Mitigation and Breach Defense

Healthcare continues to be hit hard by data breaches, and while incidents of hacking dominate the news, the most frequent cause of breaches is not hacking but inappropriate access by insiders.[5]

Against this backdrop, it’s critical that your organization have measures in place to guard against this. Rapid and complete de-provisioning of accounts is essential, as is conducting periodic reviews of the privileges assigned to roles or individuals and taking a proactive approach to detecting and remediating anomalies.

Selection of a Technology Partner is Key

A strong identity governance and administration strategy enables you to evolve your organization while maintaining compliance and preventing breaches. Selection of a technology partner is key, and looking to industry analyst reports and rankings can be a great first step. For an industry as unique and complex as healthcare, it’s essential to read the fine print before shortlisting your vendor search. In a follow-up post, I will review some of the key features and functions of the capabilities needed to safeguard your organization and establish a quality identity governance and administration strategy for your teams.

[1] https://www.gartner.com/doc/3615131/magic-quadrant-identity-governance-administration

[2] https://www.caradigm.com/en-us/solutions-for-population-health/identity-and-access-management/

[3] http://www.beckershospitalreview.com/hospital-transactions-and-valuation/hospital-m-a-activity-jumps-70-in-5-years-8-findings.html

[4] https://www.healthcare-informatics.com/news-item/survey-acos-challenged-health-it-integration-few-use-single-ehr

[5] http://www.hipaajournal.com/largest-healthcare-data-breaches-of-2016-8631/

 

Have You Adopted Electronic Prescriptions for Controlled Substances?


Post by Jaimin Patel


Vice President IAM Program Management, Caradigm

When regulations for Electronic Prescriptions for Controlled Substances (EPCS) were introduced in 2010, more than 12 million people reported using prescription painkillers non-medically, and the number of painkillers being prescribed could have medicated every American adult for a month straight. [1] In response to the volume of both the abuse and prescribing of controlled substances, the Drug Enforcement Agency (DEA) set several regulatory requirements for healthcare practitioners and organizations that want to prescribe controlled substances by electronic means.

Initially, many providers were concerned about the strict security mandates. To be able to prescribe controlled substances electronically, the DEA requires a secure, auditable chain of trust for the entire process. In addition, the financial and IT resources required to implement the appropriate solutions for EPCS can be challenging for smaller organizations.

With only 1% of e-prescribers being enabled for EPCS as of December 2013, adoption was a concern as prescription abuse remained a prominent societal issue. [2] In 2014, almost 50,000 people died of drug-induced causes in the United States. [3] In 2015, opioids alone killed more than 33,000 people. [4] The unavoidable reality of opioid abuse in society led to additional state laws and regulations following the DEA mandate in 2010, which resulted in broader EPCS adoption. As of September 2016, 20.2% of e-prescribing providers were enabled for EPCS. [5]

Caradigm offers an integrated and comprehensive solution for EPCS workflows that is a seamless extension of our industry-leading Identity and Access Management (IAM) portfolio. Caradigm’s Multi-Factor Authentication (MFA) solution for EPCS offers a variety of integrated authentication options, ranging from fingerprint biometrics and hard and soft tokens to mobile authentication. These options allow your organization to implement the best authentication solution to meet your prescribers’ needs.

The DEA requires identity proofing for prescribers that access EPCS controls within an electronic medical record (EMR). Caradigm Provisioning Identity Management ensures that appropriate checks and balances are applied for an organization before granting a prescriber EPCS rights within an EMR. Further, when the prescriber no longer needs EPCS privileges, Caradigm Provisioning Identity Management can seamlessly update these permissions in the EMR while notifying appropriate members in the organization. This integrated solution ensures that no unauthorized access is granted for prescribers.

Caradigm’s EPCS solution has been deployed at a number of sites where users are benefiting from integrated Single Sign-On for fast and efficient access into their applications and MFA for EPCS workflows.

Overall, it’s hard to argue that EPCS is anything but a positive for the healthcare industry, and any organization that has not adopted a solution for EPCS should act now. E-prescribing is a tool that increases efficiency, reduces the likelihood of fraud, and reduces the risk of controlled prescription errors. For additional information, please visit our EPCS page.

[1] http://www.cdc.gov/VitalSigns/PainkillerOverdoses/index.html

[2] http://www.ajmc.com/journals/issue/2014/2014-11-vol20-sp/adoption-of-electronic-prescribing-for-controlled-substances-among-providers-and-pharmacies

[3] https://www.cdc.gov/nchs/data/nvsr/nvsr65/nvsr65_04.pdf

[4] https://www.drugabuse.gov/related-topics/trends-statistics/overdose-death-rates

[5] https://www.healthit.gov/opioids/epcs

 

Compliance Isn’t Enough: Improving Governance, Risk Management, Compliance


Post by Jaimin Patel


Vice President IAM Program Management, Caradigm

Change is the new normal in healthcare, and it can come in many forms. Mergers and acquisitions, the formation of accountable care organizations and clinically integrated networks, having new groups of physicians arrive at a teaching hospital, or even the replacement of an EMR are just a few examples. From an IT perspective, the impact is that you constantly have new clinicians needing access as quickly as possible because it impacts patient care. IT and security professionals also understand that access has to be granted and managed in a manner compliant with the HIPAA Security Rule. However, with the increase in motivated and persistent security threats, healthcare as an industry has to move beyond the notion that our goal is only HIPAA compliance.

I recently heard Mac McMillan, CEO of CynergisTek, talk about this at the Caradigm Customer Summit where he stressed that compliance with HIPAA does not equal security. McMillan explained that HIPAA was designed to protect the privacy and security of certain health information. It was not intended to cover all forms of information or to be a complete standard for data protection.

A major part of the problem is that the HIPAA Security Rule, initially conceived in 2001, pre-dates many of today’s technology advancements. It did not envision cloud computing, mobile devices, networked medical devices, wearables, population health applications and many other advancements seen since that time. It also pre-dates many of today’s evolving threats such as cyber-extortion (e.g. ransomware), cyber-espionage, hacktivism, and specific threats such as phishing and zero day attacks. Consequently, if healthcare organizations are focused solely on compliance, then their security is inadequate.

McMillan called on healthcare organizations to think and act differently when it comes to data security and privacy. It’s about greater due diligence, day in and day out, and aligning with your organization’s broader Governance, Risk Management and Compliance strategy. For identity and access management risk, greater security can involve improvements such as the following:

  • Employing a role-based security model to enable more precise granting of access
  • Automating provisioning and deprovisioning so that role changes are made efficiently and accurately
  • Using analytics to proactively search for potential risk such as orphaned accounts or mismatched entitlements
  • Streamlining workflows to evaluate and remediate threats faster across many applications
  • Performing audits more efficiently by empowering managers to review and attest to their direct reports’ entitlements

When I speak to healthcare organizations, I recommend that they consider getting the tools in place now so they can be prepared for when change hits their organization. It’s going to happen eventually. Having the right tools not only makes your organization more secure, it makes your staff far more efficient, and will deliver to your clinicians timely and accurate access. There aren’t many IT projects that can claim this trifecta of wins for your organization. If you’d like to learn more about the value provisioning and identity management tools can bring to your organization, please download this whitepaper here.

Moving Towards Automated Provisioning and Identity Management


Post by Mark Pilarski


Vice President and General Manager, Caradigm

I recently read this interesting article by Robert C. Covington on the IT security talent shortage. He cites a telling statistic that virtually all companies (92 percent) that planned to hire information security professionals expected to have trouble doing so.[1] Relief may be coming in the future as Covington believes that there’s a wave of future security professionals entering college programs that will join the workforce in a few years. However, with the amount of daily due diligence needed to combat today’s security threats, organizations need a strategy to compensate for the talent shortage in the meantime.

Covington cautions against falling into the temptation of buying security tools that require multiple IT staff to manage. His point is that rather than improve security, they can actually compound the talent shortage problem. On the other hand, he does recommend investing in tools that can automate routine processes such as log monitoring. I think he makes an interesting point about what types of security tools to invest in, which I would like to explore further.

While the profile of security within healthcare is rapidly rising, the ability to secure budgetary funding is very competitive with other health system initiatives. This is why a compelling business case is typically needed to get approval to purchase new security applications. One of the strongest rationales for a new security tool is if it brings broader value to your IT organization on top of reducing your vulnerability profile. Security solutions that can increase the overall productivity of your team and free them up to take on other projects are worth a closer look. Automated log monitoring is one example of this, but there are others.

For example, some larger organizations are spending thousands of IT hours annually on manual provisioning and deprovisioning processes. Consolidations in the healthcare industry will continue to occur, and if your organization has gone through a merger or acquisition, you know what an enormous commitment of IT resources provisioning-related processes entail given the quantity of applications in your portfolio. Manual provisioning and deprovisioning processes should also be a red flag for your security team because there are too many moving targets (i.e. shifting roles, new employees, non-employed clinicians) and too many applications to manage effectively through manual processes.

That’s just one example. Consider manual entitlement attestation processes. Do you think that inefficiencies in those processes could cause your organization some serious challenges in the event of an audit? It definitely can. Consider the investigation of potential threats related to improper access and the remediation of those threats. Do you think your organization would be better off being able to automate as much of those processes as possible to remediate threats faster? The answer is obviously yes. Did you know you could have those benefits while also freeing up chunks of IT and Security resource hours for other projects?

There’s a growing awareness that automating provisioning and identity management processes is a strong investment because it brings high value from both a security and IT efficiency point of view. It also supports broader security governance programs and has synergies with existing investments in single sign-on solutions, which integrate into provisioning and identity management solutions. To learn more about how you can automate provisioning and identity management processes, you can download our whitepaper on the topic here.

[1] ISACA, 2015 Global Cybersecurity Status Report. http://www.isaca.org/cyber/Documents/2015-Global-Cybersecurity-Status-Report-Data-Sheet_mkt_Eng_0115.pdf

Healthcare’s Cybersecurity Mandate


Post by Mike Willingham


Vice President of Quality Assurance and Regulatory Affairs, Caradigm

The mandate for healthcare information security is clear. Our industry has to raise the bar. We are reminded of this by the constant stream of breaches affecting healthcare providers such as the recent incidents impacting 21st Century Oncology and Hollywood Presbyterian Medical Center. Industry reports like this one from the Ponemon Institute state that healthcare organizations face cyberattacks every month and are still struggling to find effective strategies to keep systems secure.

One of the core vulnerabilities facing healthcare is identity and access risk, as most healthcare organizations have vulnerabilities but don’t realize their security strategies are insufficient. With frequent industry consolidation and the emergence of population health, information security is becoming increasingly more challenging to manage. Data is now being shared from a multitude of applications with both employed and non-employed physicians. Managing this risk is further complicated because it has multiple layers. You have to consider elevated privileges, remote and mobile access, multi-factor authentication, and balance these concerns with providing efficient access. While single sign-on (SSO) tools are often looked upon as the first line of defense in controlling identity and access risk, providers need additional capabilities because the threat landscape has evolved. Providers need to assume that insiders and outsiders with malicious intent are attempting to gain unauthorized access.

In order to reduce this risk, providers need greater visibility so that they can be more diligent. This entails a major shift in philosophy to a more proactive strategy that is constantly managing credentials and access rather than just reacting. The key to succeeding with this approach is to leverage automation. With the exploding number of applications and clinicians that must be managed, security teams must use tools that can automate manual security related processes. Here are a few examples of how automation can help manage risk:

  • Provisioning and de-provisioning processes can be automated, which provides consistency, saves IT many hours of work and prevents errors
  • User, entitlements and behavior data can be brought together in a single view so you have all the information you need to take action
  • A governance, risk and compliance (GRC) dashboard can be set up with analytics to monitor and proactively manage risk efficiently (e.g. an orphaned accounts report)
  • Real-time alerting can identify a potential incident as it happens to minimize damage
  • Remediation can be simplified so that access can be removed or suspended in just a couple of clicks
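Several of these posts describe the same control from different angles: the “orphaned accounts report” above, the analytics for “orphaned accounts or mismatched entitlements” in the governance post, and the first post’s “ability to leverage data to cross-check access that should be happening with access that’s truly occurring.” The script below is an added example, not Caradigm code, of what that cross-check looks like in practice: an HR roster and a role model define the access that should exist, application account exports show the access that does exist, and the difference is reported as orphaned accounts, excess entitlements, or missing entitlements. The roster, role model, application exports, and every role and entitlement name are constructed for the example.

```python
"""
Access reconciliation: cross-check the access that should exist (HR roster plus
a role model) against the access that actually exists (application account
exports). Added illustration; all data, names and identifiers are constructed.
"""
from dataclasses import dataclass

# Constructed HR roster: the authoritative record of who is active and in which roles.
HR_ROSTER = {
    "e1001": {"status": "active",     "roles": {"rn_icu"}},
    "e1002": {"status": "active",     "roles": {"resident", "researcher"}},
    "e1003": {"status": "terminated", "roles": set()},
}

# Constructed role model: for each role, the entitlements each application should grant.
ROLE_MODEL = {
    "rn_icu":     {"ehr": {"chart_read", "chart_write", "med_admin"}, "pacs": {"image_view"}},
    "resident":   {"ehr": {"chart_read", "chart_write", "order_entry"}},
    "researcher": {"ehr": {"chart_read"}},
}

# Constructed account exports: the entitlements each application actually holds.
APP_ACCOUNTS = {
    "ehr": {
        "e1001": {"chart_read", "chart_write", "med_admin"},
        "e1002": {"chart_read", "chart_write", "order_entry", "med_admin"},  # med_admin not in any of e1002's roles
        "e1003": {"chart_read"},                                              # owner is terminated in HR
    },
    "pacs": {
        "e1002": {"image_view"},  # none of e1002's roles grants pacs access
    },
}


@dataclass(frozen=True)
class Finding:
    app: str
    identity: str
    kind: str                 # "orphan", "excess" or "missing"
    entitlements: frozenset


def expected_access(roles, role_model=ROLE_MODEL):
    """Entitlements the role model grants, per application, for a set of roles."""
    expected = {}
    for role in roles:
        for app, ents in role_model.get(role, {}).items():
            expected.setdefault(app, set()).update(ents)
    return expected


def reconcile(hr_roster=HR_ROSTER, app_accounts=APP_ACCOUNTS, role_model=ROLE_MODEL):
    """Compare actual account entitlements with what HR status and roles justify."""
    findings = []
    for app, accounts in app_accounts.items():
        for identity, actual in accounts.items():
            person = hr_roster.get(identity)
            if person is None or person["status"] != "active":
                # Account with no active owner in HR: a de-provisioning gap.
                findings.append(Finding(app, identity, "orphan", frozenset(actual)))
                continue
            expected = expected_access(person["roles"], role_model).get(app, set())
            if actual - expected:
                findings.append(Finding(app, identity, "excess", frozenset(actual - expected)))
            if expected - actual:
                findings.append(Finding(app, identity, "missing", frozenset(expected - actual)))
    # Active staff whose roles call for an application they have no account in at all.
    for identity, person in hr_roster.items():
        if person["status"] != "active":
            continue
        for app, ents in expected_access(person["roles"], role_model).items():
            if identity not in app_accounts.get(app, {}):
                findings.append(Finding(app, identity, "missing", frozenset(ents)))
    return sorted(findings, key=lambda f: (f.app, f.identity, f.kind))


def report(findings):
    """Plain-text lines a compliance reviewer or manager could act on."""
    return [f"{f.app}/{f.identity}: {f.kind} {sorted(f.entitlements)}" for f in findings]


if __name__ == "__main__":
    print("\n".join(report(reconcile())))
```

On the constructed data the run yields four findings: an orphaned EHR account for the terminated user, a `med_admin` entitlement on a resident that no role justifies, a PACS account that no role justifies, and an ICU nurse who should have PACS image access but has no PACS account. The orphan and excess findings are the remediation candidates; the missing finding is the productivity side of the same report, a clinician without the access their role requires.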

Given the increased threats we face, healthcare needs to change its approach to security and privacy. Ultimately, the key is greater due diligence, day in and day out. If we use tools that help us accomplish this, then we give ourselves the best chance to win this battle. For additional information security best practices, you can download FierceHealth IT’s special report: Data Security in the Information-Sharing Age. You can also reach out to us here if you would like more information about Caradigm’s solutions that can help.

 

The Rise in Electronic Prescription of Controlled Substances (EPCS)


Post by Mike Willingham


Vice President of Quality Assurance and Regulatory Affairs, Caradigm

Healthcare organizations are facing a serious societal problem that has become more pronounced in the last 15 years – the widespread abuse of prescription drugs. Controlled substances now account for approximately 10% to 11% of all prescriptions in the United States.[1] Deaths from prescription painkillers have quadrupled since 1999, killing more than 16,000 people in the United States in 2013.[2] Nearly two million Americans, aged 12 or older, either abused or were dependent on opioids in 2013.[3] More than 12 million people reported using prescription painkillers non-medically in 2010 (i.e. without a prescription or for the feeling they cause).[4] The misuse and abuse of prescription painkillers was responsible for more than 475,000 emergency department visits in 2009, a number that nearly doubled in just five years.[5] High profile news stories involving prescription drug abuse (e.g. Brett Favre, Heath Ledger) have also seemingly become more common.

In response to the rapid increase in both the prescribing and abuse of controlled substances in recent years, the Drug Enforcement Agency (DEA) has set a number of regulatory requirements for healthcare practitioners and organizations that want to prescribe those controlled substances by electronic means. In order to be able to prescribe controlled substances electronically, the DEA requires a secure, auditable chain of trust for the entire process. In addition, several states are mandating the use of EPCS, including Ohio, Florida and New York (with its I-STOP law).

Overall, it’s hard to argue that EPCS is anything but a positive for the healthcare industry. E-prescribing is a tool that increases efficiency and reduces risk of fraud and errors. A study has estimated that e-prescribing resulted in a decrease in the likelihood of prescription errors by 48%.[6]

So far, healthcare providers have been slow to adopt EPCS because most states have not had a mandate for it yet, and there are no penalties for non-compliance. However, it is inevitable that more mandates are coming, and I believe that EPCS will inevitably become the de facto standard of prescribing controlled substances. While overall adoption is currently low, it is growing fast as an average of 287 clinicians are adding this capability every month.[7]

Caradigm offers a comprehensive EPCS solution that is a seamless extension of our industry-leading Identity and Access Management portfolio. We are actively working with our customer base to help them address EPCS, and are looking forward to partnering with more organizations to help them do their part in tackling this important societal issue. In a follow-up blog post, I will dive deeper into the technical solutions required for EPCS. For additional information, please visit our EPCS page.

[1] Meghan Hufstader Gabriel, PhD; Yi Yang, MD, PhD; Varun Vaidya, PhD; and Tricia Lee Wilkins, PharmD, PhD, Adoption of Electronic Prescribing for Controlled Substances Among Providers and Pharmacies. The American Journal of Managed Care. 11.17.14. http://www.ajmc.com/journals/issue/2014/2014-11-vol20-sp/adoption-of-electronic-prescribing-for-controlled-substances-among-providers-and-pharmacies
[2] Centers for Disease Control and Prevention. National Vital Statistics System mortality data. (2015) Available from URL: http://www.cdc.gov/nchs/deaths.htm.
[3] Substance Abuse and Mental Health Services Administration, Results from the 2012 National Survey on Drug Use and Health: Summary of National Findings, NSDUH Series
[4] http://www.cdc.gov/VitalSigns/PainkillerOverdoses/index.html
[5] https://www.atrainceu.com/course-module/2270162-118_oregon-pain-module-11
[6] Radley DC, Wasserman MR, Olsho LE, Shoemaker SJ, Spranca MD, Bradshaw B. Reduction in medication errors in hospitals due to adoption of computerized provider order entry systems. J Am Med Inform Assoc. 2013; 20(3):470-476.
[7] Meghan Hufstader Gabriel, PhD; Yi Yang, MD, PhD; Varun Vaidya, PhD; and Tricia Lee Wilkins, PharmD, PhD, Adoption of Electronic Prescribing for Controlled Substances Among Providers and Pharmacies. The American Journal of Managed Care. 11.17.14. http://www.ajmc.com/journals/issue/2014/2014-11-vol20-sp/adoption-of-electronic-prescribing-for-controlled-substances-among-providers-and-pharmacies

HIMSS15 Day 3 Recap


Post by Azam Husain


Senior Product Manager, Caradigm

After three jam-packed days of activity inside and outside our booth, HIMSS15 came to a close. Our final panel presentation of the week focused on the important topic of healthcare data privacy and security. Marianne Kolbasuk McGee, Executive Editor of Information Security Media Group (ISMG), moderated and shared information from ISMG’s annual information security study. Also on the panel were Steve Shihadeh, Senior Vice President of North America Sales, Caradigm; Mac McMillan, Chief Executive Officer, CynergisTek; and Shane Whitlatch, Executive Vice President, FairWarning. The survey results that Marianne shared were really interesting because they showed that, despite the high-profile breaches that have occurred over the past couple of years, there’s still plenty of room for healthcare organizations to give information security greater focus. Some of the statistics shared were:

  • Only about half of organizations indicated that preventing and detecting breaches is a top priority in 2015.
  • Just 31 percent of healthcare organizations have “high” or “somewhat high” confidence in the security controls of their business associates and subcontractors.
  • Nearly 80 percent of organizations rely on usernames and passwords as the dominant method of authentication for on-site and remote access to clinical data, while use of more advanced forms of authentication is still rare.
  • 51 percent of organizations reported having no breaches of any size in 2014 compared to 37 percent in 2013.

The panelists advised that healthcare organizations need to guard against complacency in order to stay ahead of security risks. Everyone should be doing more because of the continuous presence of insider threats and the increasing hacking threats that target healthcare heavily because of the value of its data and intellectual property. The panel also stressed the importance of identity and access management tools and of ongoing workforce training that is framed in the context of how employees actually do their jobs.

Another very cool event that took place today was that patient rights advocate and renowned artist Regina Holliday was in the Caradigm booth painting a mural on population health to raise awareness for the Society for Participatory Medicine. The mural is inspired by the idea that healthcare needs powerful and disruptive change, and it was completed in a single day. To learn more about Regina’s patient advocacy, I recommend reading her blog and following her on Twitter.


What The Anthem Breach Teaches Us About Access Control


Post by Azam Husain


Senior Product Manager, Caradigm

As more details continue to emerge from the Anthem breach, the incident has put all healthcare organizations on notice. The estimated cost of the breach could be in excess of $100 million, with as many as 80 million people impacted.[1] A breach of this magnitude is an important learning opportunity to think about healthcare security best practices and, in particular, how to control access to sensitive data in organizations. Here are several key takeaways from the breach for healthcare organizations.

Data thieves are looking for soft targets

Healthcare organizations are prime targets for cyberattacks not only because healthcare data is valuable, but because healthcare organizations have a reputation for being susceptible to breaches. In this HealthcareIT News article discussing the breach, Lynne Dunbrack of IDC Health Insights said “Cybercriminals view healthcare organizations as a soft target compared with financial services and retailers because historically, healthcare organizations have invested less in IT, including security technologies and services than other industries, thus making themselves more vulnerable to successful cyberattacks.” Until healthcare as an industry improves its adoption of security practices, including data access control, cybercriminals will continue to view healthcare data as a vulnerable target.

Improper access is a top security vulnerability

Investigators believe hackers accessed Anthem’s information by stealing the system administrator credentials of five different employees. They also believe that the breach had been in progress for several years. Benjamin Lawsky, Superintendent of the New York State Department of Financial Services, said in this article that “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here.”

Some have pointed out that Anthem should have encrypted the information; however, the greater shortcoming was the lack of proper access controls. Encryption would not have stopped attackers who had obtained legitimate credentials. The vulnerability was not in the software, operating system or hardware, but in the process of managing access controls based on business and operational requirements.

Three types of safeguards are needed to control access to sensitive data

Managing access control can be challenging, especially with respect to preventing insider data breaches or simple mistakes by users with high-level access. Anthem is not alone, as many organizations need to tighten system access. When providers are considering what strategies to employ to improve access control, they should consider three broad types of safeguards.

1) Technical safeguards – Grant role-based access to data and applications on a need-to-know basis.

2) Physical safeguards – Control physical workstation access and access to clinical applications.

3) Administrative safeguards – Create comprehensive policies and auditing tools that allow a compliance manager to report on who has access to which systems, applications and patient records as it applies to their role.
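The technical and administrative safeguards above can be illustrated in code. The following is an added example, not Caradigm's product or code, and every name in it is a constructed assumption: a minimal role-based access control model in which roles map to application entitlements, access to a patient's EHR record additionally requires a care relationship (need-to-know), system administrators get administrative rights but no right to read records, every grant, revoke and access decision is written to an audit log, and a compliance manager can pull a who-has-access-to-what report from it.

```python
"""Added example (not Caradigm's code): role-based access with need-to-know,
grant/revoke, an audit log and an access report. All role, user, application
and patient identifiers below are constructed sample values."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> set of (application, permission) entitlements. Constructed sample
# data: administrators can administer systems but hold no clinical read right.
ROLE_ENTITLEMENTS = {
    "nurse": {("ehr", "read"), ("ehr", "write")},
    "billing_clerk": {("billing", "read")},
    "sysadmin": {("ehr", "admin"), ("billing", "admin")},
}


@dataclass
class AccessControl:
    user_roles: dict = field(default_factory=dict)  # user -> set of roles
    care_team: dict = field(default_factory=dict)   # patient id -> set of users
    audit_log: list = field(default_factory=list)   # every grant/revoke/access

    def _log(self, event, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit_log.append(entry)

    def grant_role(self, actor, user, role):
        """Assign a role; the actor performing the grant is recorded."""
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)
        self._log("grant", actor=actor, user=user, role=role)

    def revoke_role(self, actor, user, role):
        self.user_roles.get(user, set()).discard(role)
        self._log("revoke", actor=actor, user=user, role=role)

    def revoke_all(self, actor, user):
        """Offboarding: strip every role at once so no access lingers."""
        for role in list(self.user_roles.get(user, set())):
            self.revoke_role(actor, user, role)

    def entitlements(self, user):
        """Union of the entitlements of all roles held by the user."""
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.user_roles.get(user, ())))

    def is_allowed(self, user, app, perm, patient=None):
        """Role check first; a patient-scoped EHR request also needs a care
        relationship (need-to-know). Every decision is logged."""
        allowed = (app, perm) in self.entitlements(user)
        if allowed and app == "ehr" and patient is not None:
            allowed = user in self.care_team.get(patient, set())
        self._log("access", user=user, app=app, perm=perm,
                  patient=patient, allowed=allowed)
        return allowed

    def access_report(self):
        """Rows of (user, role, application, permission) for a compliance review."""
        rows = []
        for user, roles in sorted(self.user_roles.items()):
            for role in sorted(roles):
                for app, perm in sorted(ROLE_ENTITLEMENTS[role]):
                    rows.append((user, role, app, perm))
        return rows

    def privileged_users(self):
        """Users holding the sysadmin role, the accounts to review most often."""
        return sorted(u for u, roles in self.user_roles.items() if "sysadmin" in roles)

    def denied_accesses(self):
        """Denied attempts from the audit log, a feed for insider-threat monitoring."""
        return [(e["user"], e["app"], e["perm"], e["patient"])
                for e in self.audit_log if e["event"] == "access" and not e["allowed"]]


if __name__ == "__main__":
    ac = AccessControl()
    ac.grant_role("iam-admin", "alice", "nurse")
    ac.grant_role("iam-admin", "bob", "sysadmin")
    ac.care_team["pt-001"] = {"alice"}
    print(ac.is_allowed("alice", "ehr", "read", patient="pt-001"))  # on care team
    print(ac.is_allowed("alice", "ehr", "read", patient="pt-002"))  # no need-to-know
    print(ac.is_allowed("bob", "ehr", "read", patient="pt-001"))    # admin, not clinician
    for row in ac.access_report():
        print(*row)
```

The point of the model is that a stolen administrator credential, as in the Anthem case, yields administrative rights only: reading records needs a clinical role plus a care relationship, and the denied attempts it generates show up in the audit log where a monitoring process can pick them up.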

Caradigm is the leader in Identity and Access Management (IAM) solutions, and is focused exclusively on healthcare organizations. If you’d like to discuss your access control needs further or see a demo, contact us here.   



[1] Osborne, Charlie. “Cost of Anthem’s data breach likely to exceed $100 million.” Retrieved from http://www.cnet.com/news/cost-of-anthems-data-breach-likely-to-exceed-100-million/. 2.12.15

Insider Threats Are Top of Mind for Healthcare CISOs


Post by Azam Husain


Senior Product Manager, Caradigm

I had an interesting conversation with a healthcare CISO at a recent event about what worries him the most. Even more than external malicious threats, he was most worried about employees abusing privileges and violating the trust they had been given by his organization. One of the most challenging aspects of information security is that the security perimeter keeps expanding, and now includes insider threats as well as external ones.

Recent healthcare breaches caused by insiders show that the CISO is justified in his concern. Last month, a former employee of a hospital was caught inappropriately accessing patient medical and financial records for nearly three and a half years, causing a breach impacting nearly 700 records. Also last month, a different provider received a ransom demand from an unknown party threatening to release protected health information unless payment was received. The ransom email contained evidence of PHI from the hospital. After an investigation by external forensic experts, an insider came under suspicion because it was determined that the hospital’s servers had not been hacked and remained secure. Also recently, the FBI and the U.S. Department of Homeland Security (DHS) issued a warning about the increase in insider threats from disgruntled current and former employees.

These are all timely reminders of the serious risk from insider threats. External threats are generally understood and already being addressed by security professionals; it is the risk from internal threats to which healthcare organizations may need to apply more focus.

The question then becomes: how do you manage the trusted access you’ve already given to employees? Healthcare organizations can take control of the risk through a strong identity and access management (IAM) program. IAM allows providers to give precise, role-based access to clinical applications that contain protected health information (PHI). That access can be granted or revoked in seconds, monitored, reported on, and is readily available for audits. IAM is a fundamental component of a good security and HIPAA compliance program, which all healthcare organizations are required to have in place.

To learn more about how providers are effectively using IAM solutions, you can sign up to view the recording of a recent webinar we hosted with Duke University Health System who talked about how they evolved their use of IAM as their business needs evolved over time.