Category Archives: Identity and Access Management

Have You Adopted Electronic Prescriptions for Controlled Substances?


Post by Jaimin Patel


Vice President IAM Program Management, Caradigm

When regulations for Electronic Prescriptions for Controlled Substances (EPCS) were introduced in 2010, more than 12 million people reported using prescription painkillers non-medically, and the number of painkillers being prescribed could have medicated every American adult for a month straight. [1] In response to the volume of both the abuse and prescribing of controlled substances, the Drug Enforcement Agency (DEA) set several regulatory requirements for healthcare practitioners and organizations that want to prescribe controlled substances by electronic means.

Initially, many providers were concerned about the strict security mandates. To be able to prescribe controlled substances electronically, the DEA requires a secure, auditable chain of trust for the entire process. In addition, the financial and IT resources required to implement the appropriate solutions for EPCS can be challenging for smaller organizations.

With only 1% of e-prescribers being enabled for EPCS as of December 2013, adoption was a concern as prescription abuse remained a prominent societal issue. [2] In 2014, almost 50,000 people died of drug-induced causes in the United States. [3] In 2015, opioids alone killed more than 33,000 people. [4] The unavoidable reality of opioid abuse in society led to additional state laws and regulations following the DEA mandate in 2010, which resulted in broader EPCS adoption. As of September 2016, 20.2% of e-prescribing providers were enabled for EPCS. [5]

Caradigm offers an integrated and comprehensive solution for EPCS workflows that is a seamless extension of our industry-leading Identity and Access Management (IAM) portfolio. Caradigm’s Multi-Factor Authentication (MFA) solution for EPCS offers a variety of integrated authentication options, ranging from fingerprint biometrics and hard and soft tokens to mobile authentication. These options allow your organization to implement the authentication method that best meets your prescribers’ needs.

The DEA requires identity proofing for prescribers that access EPCS controls within an electronic medical record (EMR). Caradigm Provisioning Identity Management ensures that appropriate checks and balances are applied for an organization before granting a prescriber EPCS rights within an EMR. Further, when the prescriber no longer needs EPCS privileges, Caradigm Provisioning Identity Management can seamlessly update these permissions in the EMR while notifying appropriate members in the organization. This integrated solution ensures that no unauthorized access is granted for prescribers.

Caradigm’s EPCS solution has been deployed at a number of sites, where users benefit from integrated Single Sign-On for fast, efficient access to their applications and from MFA for EPCS workflows.

Overall, it’s hard to argue that EPCS is anything but a positive for the healthcare industry, and any organization that has not adopted a solution for EPCS should act now. E-prescribing increases efficiency, reduces the likelihood of fraud, and reduces the risk of controlled-substance prescription errors. For additional information, please visit our EPCS page.

[1] http://www.cdc.gov/VitalSigns/PainkillerOverdoses/index.html

[2] http://www.ajmc.com/journals/issue/2014/2014-11-vol20-sp/adoption-of-electronic-prescribing-for-controlled-substances-among-providers-and-pharmacies

[3] https://www.cdc.gov/nchs/data/nvsr/nvsr65/nvsr65_04.pdf

[4] https://www.drugabuse.gov/related-topics/trends-statistics/overdose-death-rates

[5] https://www.healthit.gov/opioids/epcs


Compliance Isn’t Enough: Improving Governance, Risk Management, Compliance


Post by Jaimin Patel


Vice President IAM Program Management, Caradigm

Change is the new normal in healthcare, and it can come in many forms: mergers and acquisitions, the formation of accountable care organizations and clinically integrated networks, new groups of physicians arriving at a teaching hospital, or even the replacement of an EMR, to name just a few. From an IT perspective, the impact is that you constantly have new clinicians who need access as quickly as possible, because delays impact patient care. IT and security professionals also understand that access has to be granted and managed in a manner compliant with the HIPAA Security Rule. However, with the increase in motivated and persistent security threats, healthcare as an industry has to move beyond the notion that our goal is only HIPAA compliance.

I recently heard Mac McMillan, CEO of CynergisTek, talk about this at the Caradigm Customer Summit where he stressed that compliance with HIPAA does not equal security. McMillan explained that HIPAA was designed to protect the privacy and security of certain health information. It was not intended to cover all forms of information or to be a complete standard for data protection.

A major part of the problem is that the HIPAA Security Rule, initially conceived in 2001, pre-dates many of today’s technology advancements. It did not envision cloud computing, mobile devices, networked medical devices, wearables, population health applications and many other advancements seen since that time. It also pre-dates many of today’s evolving threats such as cyber-extortion (e.g. ransomware), cyber-espionage, hacktivism, and specific threats such as phishing and zero day attacks. Consequently, if healthcare organizations are focused solely on compliance, then their security is inadequate.

McMillan called on healthcare organizations to think and act differently when it comes to data security and privacy. It’s about greater due diligence, day in and day out, and aligning with your organization’s broader Governance, Risk Management and Compliance strategy. For identity and access management risk, greater security can involve improvements such as the following:

  • Employing a role-based security model to enable more precise granting of access
  • Automating provisioning and deprovisioning so that role changes are made efficiently and accurately
  • Using analytics to proactively search for potential risk such as orphaned accounts or mismatched entitlements
  • Streamlining workflows to evaluate and remediate threats faster across many applications
  • Performing audits more efficiently by empowering managers to review and attest to their direct reports’ entitlements

When I speak to healthcare organizations, I recommend that they consider getting the tools in place now so they can be prepared for when change hits their organization. It’s going to happen eventually. Having the right tools not only makes your organization more secure, it makes your staff far more efficient, and will deliver to your clinicians timely and accurate access. There are not many IT projects that can claim this trifecta of wins for your organization. If you’d like to learn more about the value provisioning and identity management tools can bring to your organization, please download this whitepaper here.

Moving Towards Automated Provisioning and Identity Management


Post by Mark Pilarski


Vice President and General Manager, Caradigm

I recently read this interesting article by Robert C. Covington on the IT security talent shortage. He cites a telling statistic that virtually all companies (92 percent) that planned to hire information security professionals expected to have trouble doing so.[1] Relief may be coming in the future as Covington believes that there’s a wave of future security professionals entering college programs that will join the workforce in a few years. However, with the amount of daily due diligence needed to combat today’s security threats, organizations need a strategy to compensate for the talent shortage in the meantime.

Covington cautions against falling into the temptation of buying security tools that require multiple IT staff to manage. His point is that rather than improve security, they can actually compound the talent shortage problem. On the other hand, he does recommend investing in tools that can automate routine processes such as log monitoring. I think he makes an interesting point about what types of security tools to invest in, which I would like to explore further.

While the profile of security within healthcare is rapidly rising, the ability to secure budgetary funding is very competitive with other health system initiatives. This is why a compelling business case is typically needed to get approval to purchase new security applications. One of the strongest rationales for a new security tool is if it brings broader value to your IT organization on top of reducing your vulnerability profile. Security solutions that can increase the overall productivity of your team and free them up to take on other projects are worth a closer look. Automated log monitoring is one example of this, but there are others.

For example, some larger organizations are spending thousands of IT hours annually on manual provisioning and deprovisioning processes. Consolidations in the healthcare industry will continue to occur, and if your organization has gone through a merger or acquisition, you know what an enormous commitment of IT resources provisioning-related processes entail, given the quantity of applications in your portfolio. Manual provisioning and deprovisioning processes should also be a red flag for your security team, because there are too many moving targets (i.e. shifting roles, new employees, non-employed clinicians) and too many applications to manage effectively through manual processes.

That’s just one example. Consider manual entitlement attestation processes. Do you think that inefficiencies in those processes could cause your organization some serious challenges in the event of an audit? It definitely can. Consider the investigation of potential threats related to improper access and the remediation of those threats. Do you think your organization would be better off being able to automate as much of those processes as possible to remediate threats faster? The answer is obviously yes. Did you know you could have those benefits while also freeing up chunks of IT and Security resource hours for other projects?

There’s a growing awareness that automating provisioning and identity management processes is a strong investment because it brings high value from both a security and an IT efficiency point of view. It also supports broader security governance programs and has synergies with existing investments in single sign-on solutions, which integrate with provisioning and identity management solutions. To learn more about how you can automate provisioning and identity management processes, you can download our whitepaper on the topic here.

[1] ISACA. 2015 Global Cybersecurity Status Report. http://www.isaca.org/cyber/Documents/2015-Global-Cybersecurity-Status-Report-Data-Sheet_mkt_Eng_0115.pdf

Healthcare’s Cybersecurity Mandate


Post by Mike Willingham


Vice President of Quality Assurance and Regulatory Affairs, Caradigm

The mandate for healthcare information security is clear. Our industry has to raise the bar. We are reminded of this by the constant stream of breaches affecting healthcare providers such as the recent incidents impacting 21st Century Oncology and Hollywood Presbyterian Medical Center. Industry reports like this one from the Ponemon Institute state that healthcare organizations face cyberattacks every month and are still struggling to find effective strategies to keep systems secure.

One of the core vulnerabilities facing healthcare is identity and access risk, in that most healthcare organizations have vulnerabilities here but don’t realize their security strategies are insufficient. With frequent industry consolidation and the emergence of population health, information security is becoming increasingly challenging to manage. Data is now being shared from a multitude of applications with both employed and non-employed physicians. Managing this risk is further complicated because it has multiple layers. You have to consider elevated privileges, remote and mobile access, and multi-factor authentication, and balance these concerns with providing efficient access. While single sign-on (SSO) tools are often looked upon as the first line of defense in controlling identity and access risk, providers need additional capabilities because the threat landscape has evolved. Providers need to assume that insiders and outsiders with malicious intent are attempting to gain unauthorized access.

In order to reduce this risk, providers need greater visibility so that they can be more diligent. This entails a major shift in philosophy to a more proactive strategy that is constantly managing credentials and access rather than just reacting. The key to succeeding with this approach is to leverage automation. With the exploding number of applications and clinicians that must be managed, security teams must use tools that can automate manual security related processes. Here are a few examples of how automation can help manage risk:

  • Provisioning and de-provisioning can be automated, which provides consistency in the process, saves IT many hours of work and prevents errors
  • User, entitlements and behavior data can be brought together in a single view so you have all the information you need to take action
  • A governance, risk and compliance (GRC) dashboard can be set up with analytics to monitor and proactively manage risk efficiently (e.g. an orphaned accounts report)
  • Real-time alerting can identify a potential incident as it happens to minimize damage
  • Remediation can be simplified so that access can be removed or suspended in just a couple of clicks
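The analytics items in the list above (an orphaned-accounts report, a single view of users and entitlements, and click-to-remediate suspension) and the corresponding items in the “Compliance Isn’t Enough” post earlier on this page (analytics for orphaned accounts and mismatched entitlements, and manager attestation of direct reports’ entitlements) all reduce to the same join: the HR feed of workers, the accounts each application holds, and a role model that says which entitlements each role is allowed. The Python below is an added example written for this page, not Caradigm’s code or the product’s API. The role model, the HR statuses, the manager IDs and every account are constructed sample data, and the function names are mine.

```python
"""Orphaned-account and entitlement-mismatch analytics over an HR feed,
application accounts and a role model. Added example; all data is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Worker:
    worker_id: str
    role: str
    status: str       # "active" or "terminated" (constructed HR feed values)
    manager_id: str   # who attests to this worker's entitlements


@dataclass(frozen=True)
class Account:
    app: str
    worker_id: str
    entitlements: FrozenSet[str]


# Role model (constructed): the entitlements each role may hold on a need-to-know basis.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "physician":  {"emr.read", "emr.write", "eprescribe"},
    "nurse":      {"emr.read", "emr.write"},
    "billing":    {"billing.read", "billing.write"},
    "contractor": {"emr.read"},
}

# Constructed sample HR feed and application account export.
SAMPLE_WORKERS: List[Worker] = [
    Worker("w001", "physician",  "active",     "m01"),
    Worker("w002", "nurse",      "active",     "m01"),
    Worker("w003", "billing",    "terminated", "m02"),  # left, account still exists
    Worker("w004", "contractor", "active",     "m02"),
]
SAMPLE_ACCOUNTS: List[Account] = [
    Account("emr",     "w001", frozenset({"emr.read", "emr.write", "eprescribe"})),
    Account("emr",     "w002", frozenset({"emr.read", "emr.write", "eprescribe"})),  # nurse with eprescribe
    Account("billing", "w003", frozenset({"billing.read"})),                          # orphaned: terminated
    Account("emr",     "w004", frozenset({"emr.read"})),
    Account("emr",     "w999", frozenset({"emr.read"})),                              # orphaned: no HR record
]


def index_workers(workers: List[Worker]) -> Dict[str, Worker]:
    return {w.worker_id: w for w in workers}


def find_orphaned_accounts(accounts: List[Account], workers: List[Worker]) -> List[Tuple[str, str, str]]:
    """Accounts whose owner is missing from HR or is no longer active."""
    by_id = index_workers(workers)
    findings = []
    for acct in accounts:
        worker = by_id.get(acct.worker_id)
        if worker is None:
            findings.append((acct.app, acct.worker_id, "no HR record"))
        elif worker.status != "active":
            findings.append((acct.app, acct.worker_id, "worker " + worker.status))
    return findings


def find_mismatched_entitlements(accounts: List[Account], workers: List[Worker]) -> List[Tuple[str, str, str, FrozenSet[str]]]:
    """Active workers holding entitlements their role does not permit."""
    by_id = index_workers(workers)
    findings = []
    for acct in accounts:
        worker = by_id.get(acct.worker_id)
        if worker is None or worker.status != "active":
            continue  # reported by find_orphaned_accounts instead
        extra = acct.entitlements - ROLE_ENTITLEMENTS.get(worker.role, set())
        if extra:
            findings.append((acct.app, acct.worker_id, worker.role, frozenset(extra)))
    return findings


def attestation_report(accounts: List[Account], workers: List[Worker]) -> Dict[str, List[Tuple[str, str, List[str]]]]:
    """Single view per manager: each account and its entitlements, for review and attestation.
    Accounts with no HR owner land under UNASSIGNED so someone still has to look at them."""
    by_id = index_workers(workers)
    report: Dict[str, List[Tuple[str, str, List[str]]]] = {}
    for acct in accounts:
        worker = by_id.get(acct.worker_id)
        manager = worker.manager_id if worker else "UNASSIGNED"
        report.setdefault(manager, []).append((acct.worker_id, acct.app, sorted(acct.entitlements)))
    return report


def remediation_plan(accounts: List[Account], workers: List[Worker]) -> List[Tuple[str, ...]]:
    """Turn findings into concrete actions: suspend orphans, remove excess entitlements."""
    plan: List[Tuple[str, ...]] = []
    for app, wid, _reason in find_orphaned_accounts(accounts, workers):
        plan.append(("suspend", app, wid))
    for app, wid, _role, extra in find_mismatched_entitlements(accounts, workers):
        for entitlement in sorted(extra):
            plan.append(("remove", app, wid, entitlement))
    return plan


if __name__ == "__main__":
    for action in remediation_plan(SAMPLE_ACCOUNTS, SAMPLE_WORKERS):
        print(action)
    for manager, rows in attestation_report(SAMPLE_ACCOUNTS, SAMPLE_WORKERS).items():
        print(manager, rows)
```

Run on the sample data, the plan suspends the billing account of the terminated worker and the EMR account with no HR record, and removes the e-prescribing entitlement from the nurse’s account; the attestation report still lists the terminated worker’s account under that person’s former manager, which is the point of a periodic review rather than relying on the deprovisioning feed alone.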

Given the increased threats we face, healthcare needs to change its approach to security and privacy. Ultimately, the key is greater due diligence, day in and day out. If we use tools that help us accomplish this, then we give ourselves the best chance to win this battle. For additional information security best practices, you can download FierceHealth IT’s special report: Data Security in the Information-Sharing Age. You can also reach out to us here if you would like more information about Caradigm’s solutions that can help.


The Rise in Electronic Prescription of Controlled Substances (EPCS)


Post by Mike Willingham


Vice President of Quality Assurance and Regulatory Affairs, Caradigm

Healthcare organizations are facing a serious societal problem that has become more pronounced in the last 15 years – the widespread abuse of prescription drugs. Controlled substances now account for approximately 10% to 11% of all prescriptions in the United States.[1] Deaths from prescription painkillers have quadrupled since 1999, killing more than 16,000 people in the United States in 2013.[2] Nearly two million Americans, aged 12 or older, either abused or were dependent on opioids in 2013.[3] More than 12 million people reported using prescription painkillers non-medically in 2010 (i.e. without a prescription or for the feeling they cause).[4] The misuse and abuse of prescription painkillers was responsible for more than 475,000 emergency department visits in 2009, a number that nearly doubled in just five years.[5] High profile news stories involving prescription drug abuse (e.g. Brett Favre, Heath Ledger) have also seemingly become more common.

In response to the rapid increase in both the prescribing and abuse of controlled substances in recent years, the Drug Enforcement Agency (DEA) has set a number of regulatory requirements for healthcare practitioners and organizations that want to prescribe those controlled substances by electronic means. In order to be able to prescribe controlled substances electronically, the DEA requires a secure, auditable chain of trust for the entire process. In addition, several states are mandating the use of EPCS, including Ohio, Florida and New York (with its I-STOP law).

Overall, it’s hard to argue that EPCS is anything but a positive for the healthcare industry. E-prescribing is a tool that increases efficiency and reduces the risk of fraud and errors. A study has estimated that e-prescribing resulted in a decrease in the likelihood of prescription errors by 48%.[6]

So far, though, healthcare providers have been slow to adopt EPCS because most states have not yet mandated it, and there are no penalties for non-compliance. However, it is inevitable that more mandates are coming, and I believe that EPCS will become the de facto standard for prescribing controlled substances. While overall adoption is currently low, it is growing fast, as an average of 287 clinicians are adding this capability every month.[7]

Caradigm offers a comprehensive EPCS solution that is a seamless extension of our industry-leading Identity and Access Management portfolio. We are actively working with our customer base to help them address EPCS, and are looking forward to partnering with more organizations to help them do their part in tackling this important societal issue. In a follow-up blog post, I will dive deeper into the technical solutions required for EPCS. For additional information, please visit our EPCS page.

[1] Meghan Hufstader Gabriel, PhD; Yi Yang, MD, PhD; Varun Vaidya, PhD; and Tricia Lee Wilkins, PharmD, PhD, Adoption of Electronic Prescribing for Controlled Substances Among Providers and Pharmacies. The American Journal of Managed Care. 11.17.14. http://www.ajmc.com/journals/issue/2014/2014-11-vol20-sp/adoption-of-electronic-prescribing-for-controlled-substances-among-providers-and-pharmacies
[2] Centers for Disease Control and Prevention. National Vital Statistics System mortality data. (2015) Available from URL: http://www.cdc.gov/nchs/deaths.htm.
[3] Substance Abuse and Mental Health Services Administration, Results from the 2012 National Survey on Drug Use and Health: Summary of National Findings, NSDUH Series
[4] http://www.cdc.gov/VitalSigns/PainkillerOverdoses/index.html
[5] https://www.atrainceu.com/course-module/2270162-118_oregon-pain-module-11
[6] Radley DC, Wasserman MR, Olsho LE, Shoemaker SJ, Spranca MD, Bradshaw B. Reduction in medication errors in hospitals due to adoption of computerized provider order entry systems. J Am Med Inform Assoc. 2013; 20(3):470-476.
[7] Meghan Hufstader Gabriel, PhD; Yi Yang, MD, PhD; Varun Vaidya, PhD; and Tricia Lee Wilkins, PharmD, PhD, Adoption of Electronic Prescribing for Controlled Substances Among Providers and Pharmacies. The American Journal of Managed Care. 11.17.14. http://www.ajmc.com/journals/issue/2014/2014-11-vol20-sp/adoption-of-electronic-prescribing-for-controlled-substances-among-providers-and-pharmacies

HIMSS15 Day 3 Recap


Post by Azam Husain


Senior Product Manager, Caradigm

After three jam-packed days of activity inside and outside our booth, HIMSS15 came to a close. Our final panel presentation of the week focused on the important topic of healthcare data privacy and security. Marianne Kolbasuk McGee, Executive Editor of Information Security Media Group (ISMG), moderated and shared information from ISMG’s annual information security study. Also on the panel were Steve Shihadeh, Senior Vice President of North America Sales, Caradigm; Mac McMillan, Chief Executive Officer, CynergisTek; and Shane Whitlatch, Executive Vice President, FairWarning. The survey results that Marianne shared were really interesting because they showed that, despite the high-profile breaches that have occurred over the past couple of years, there’s still plenty of room for healthcare organizations to give information security greater focus. Some of the statistics shared were:

  • Only about half of organizations indicated that preventing and detecting breaches is a top priority in 2015.
  • Just 31 percent of healthcare organizations have “high” or “somewhat high” confidence in the security controls of their business associates and subcontractors.
  • Nearly 80 percent of organizations rely on usernames and passwords as the dominant method of authentication used for on-site and remote access to clinical data with use of more advanced forms of authentication still rare.
  • 51 percent of organizations reported having no breaches of any size in 2014 compared to 37 percent in 2013.

The panelists advised that healthcare organizations need to guard against complacency in order to stay ahead of security risks. Everyone should be doing more because of the continuous presence of insider threats and increasing hacking threats that are targeting healthcare heavily because of the value of the data and intellectual property. The panel also stressed the importance of tools to help control identity and access management and ongoing workforce training that needs to be put into greater context for how employees do their jobs.

Another very cool event that took place today was that patient rights advocate and renowned artist Regina Holliday was in the Caradigm booth painting a mural on population health to raise awareness for the Society for Participatory Medicine. The mural is inspired by the idea that healthcare needs powerful and disruptive change, and it was completed in a single day. To learn more about Regina’s patient advocacy, I recommend reading her blog and following her on Twitter.


What The Anthem Breach Teaches Us About Access Control


Post by Azam Husain


Senior Product Manager, Caradigm

As more details continue to emerge from the Anthem breach, the incident has put all healthcare organizations on notice. The estimated cost of the breach could be in excess of $100 million with as many as 80 million people impacted.[1] A breach of this magnitude is an important learning opportunity to think about healthcare security best practices and in particular, how to control access to sensitive data in organizations.  Here are several key takeaways from the breach for healthcare organizations.

Data thieves are looking for soft targets

Healthcare organizations are prime targets for cyberattacks not only because healthcare data is valuable, but because healthcare organizations have a reputation for being susceptible to breaches. In this HealthcareIT News article discussing the breach, Lynne Dunbrack of IDC Health Insights said “Cybercriminals view healthcare organizations as a soft target compared with financial services and retailers because historically, healthcare organizations have invested less in IT, including security technologies and services than other industries, thus making themselves more vulnerable to successful cyberattacks.” Until healthcare as an industry improves its adoption of security practices including data access control, cybercriminals will continue to view healthcare data as a vulnerable target.     

Improper access is a top security vulnerability

Investigators believe hackers accessed Anthem’s information by stealing system administrator credentials of five different employees. They also believe that the breach had been in progress for several years.  Benjamin Lawsky, Superintendent of New York State Department of Financial Services, said in this article that “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here.”

Some have pointed out that Anthem should have encrypted the information; however, the greater shortcoming was the lack of proper access controls. Encryption would not have stopped attackers who had obtained legitimate credentials. The vulnerability was not in the software, operating system or hardware, but in the process of managing proper access controls based on business and operational requirements.

Three types of safeguards are needed to control access to sensitive data

Managing access control can be challenging, especially with respect to preventing insider data breaches or simple mistakes by users with high level access. Anthem is not alone as many organizations need to tighten system access.  When providers are considering what strategies to employ to improve access control, they should consider three broad types of safeguards.  

1) Technical safeguards – Grant role-based access to data and applications on a need-to-know basis.

2) Physical safeguards – Control of physical workstation access and access to clinical applications.

3) Administrative safeguards – Create comprehensive policies and auditing tools that allow a compliance manager to report on who has access to which systems, applications and patient records as it applies to their role.

Caradigm is the leader in Identity and Access Management (IAM) solutions, and is focused exclusively on healthcare organizations. If you’d like to discuss your access control needs further or see a demo, contact us here.   



[1] Osborne, Charlie. “Cost of Anthem’s data breach likely to exceed $100 million.” CNET, 2.12.15. http://www.cnet.com/news/cost-of-anthems-data-breach-likely-to-exceed-100-million/

Insider Threats Are Top of Mind for Healthcare CISOs


Post by Azam Husain


Senior Product Manager, Caradigm

I had an interesting conversation with a healthcare CISO at a recent event about what worries him the most. Even more than external malicious threats, he was most worried about employees abusing privileges and violating the trust they had been given by his organization. One of the most challenging aspects of information security is that the security perimeter keeps expanding, and now includes insider threats as well as external ones.

Recent healthcare breaches caused by insiders show that the CISO is justified in his concern. Last month, a former employee of a hospital was caught inappropriately accessing patient medical and financial records for nearly three and a half years, causing a breach impacting nearly 700 records. Also last month, a different provider received a ransom demand from an unknown party threatening to release protected health information unless payment was received. The ransom email contained evidence of PHI from the hospital. After an investigation by external forensic experts, an internal threat was suspected because it was determined that the hospital’s servers had not been hacked and remained secure. Also recently, the FBI and the U.S. Department of Homeland Security (DHS) issued a warning about the increase in insider threats from disgruntled current and former employees.

These are all timely reminders about the serious risk from insider threats. External threats are already being addressed and are generally understood by security professionals today; it’s the risk from internal threats that healthcare organizations may need to focus on more.

The question then becomes how to manage the trusted access you’ve already given to employees. Healthcare organizations can take control of the risk through a strong identity and access management (IAM) program. IAM allows providers to give precise, role-based access to clinical applications that contain protected health information (PHI). That access can be granted or revoked in seconds, monitored, reported on, and is easily available for audits. IAM is a fundamental component of a good security and HIPAA compliance program, which all healthcare organizations are required to have in place.

To learn more about how providers are effectively using IAM solutions, you can sign up to view the recording of a recent webinar we hosted with Duke University Health System who talked about how they evolved their use of IAM as their business needs evolved over time.

The Growing Complexity of Identity and Access Management


Post by Azam Husain


Senior Product Manager, Caradigm

Identity and access management (IAM) is getting harder. It used to be that a single physician would view one record for one patient during one visit at one location, but now everything is multiplied. Healthcare providers are rapidly expanding their scope of influence by adding independent physicians, hospitals and other providers to their network. IAM is now a broader business challenge that affects not only security and compliance, but also patient safety, clinician satisfaction and IT resource utilization.

If anyone knows about the challenge of IAM, it’s Bobby Stokes, AVP Identity Management and Development Services of Hospital Corporation of America (HCA). HCA, recognized for security excellence, must share patient information securely and efficiently across 160+ hospitals, 1000 hospital affiliates, and 100,000+ users. Five percent of all U.S. inpatient admissions take place in an HCA facility. As Stokes said on last week’s webinar, “That’s an interesting mix of concerns.”

Today, IAM is a balancing act. First, healthcare organizations have a responsibility to ensure the privacy of protected health information from internal and external threats. Inappropriate access to data has resulted in multiple data privacy violations recently (see here and here), and is an area that providers need to take greater control of. Second, data has to be easily available for clinicians to consume and comprehend. Clinician workflows can be streamlined by reducing the number of system log-ins and by providing patient context across those systems. Lastly, from a provisioning perspective, IT needs tools to manage the sheer volume of requests they are faced with. Without solutions that can automate provisioning processes, IT is forced to spend excessive amounts of time on user provisioning, which can also cause delays in clinician access.

If you missed last week’s webinar where Bobby Stokes talked about how HCA approaches identity and access management, then you can catch the recording here.

Webinar Tuesday: Identity and Access Management at HCA – Taking Control in the Era of Population Health


Post by Christine Boyle


Chief Marketing Officer and Senior Vice President, Caradigm

When you have the operational scale of Healthcare Corporation of America (HCA), identity and access management (IAM) is a massive undertaking. Recognized as a security innovator by CSO Magazine, HCA is continuing to set the bar high by improving security and access to protected health information across 160+ hospitals, 1000 hospital affiliates, and 100,000+ users. While the primary goals of IAM are security and compliance, it is an area with broader business value. IAM enables security leaders to partner with clinical leaders to drive efficiencies in how clinicians consume patient data, which impacts patient safety and the overall quality of care.

If you’d like to hear how HCA approaches IAM, it’s not too late to register for our webinar today at 1 PM ET. The always entertaining Bobby Stokes, AVP Enterprise Systems at HCA, will be discussing how HCA is taking control of its data to manage security and compliance risk while improving clinician access. You can register here.