Tag Archives: Identity and Access

Compliance Isn’t Enough: Improving Governance, Risk Management, Compliance


Post by Jaimin Patel


Vice President IAM Program Management, Caradigm

Change is the new normal in healthcare, and it can come in many forms. Mergers and acquisitions, the formation of accountable care organizations and clinically integrated networks, the arrival of new groups of physicians at a teaching hospital, or even the replacement of an EMR are just a few examples. From an IT perspective, the impact is that you constantly have new clinicians who need access as quickly as possible, because delays affect patient care. IT and security professionals also understand that access has to be granted and managed in a manner compliant with the HIPAA Security Rule. However, with the increase in motivated and persistent security threats, healthcare as an industry has to move beyond the notion that our goal is only HIPAA compliance.

I recently heard Mac McMillan, CEO of CynergisTek, talk about this at the Caradigm Customer Summit where he stressed that compliance with HIPAA does not equal security. McMillan explained that HIPAA was designed to protect the privacy and security of certain health information. It was not intended to cover all forms of information or to be a complete standard for data protection.

A major part of the problem is that the HIPAA Security Rule, initially conceived in 2001, pre-dates many of today’s technology advancements. It did not envision cloud computing, mobile devices, networked medical devices, wearables, population health applications and many other advancements seen since that time. It also pre-dates many of today’s evolving threats such as cyber-extortion (e.g. ransomware), cyber-espionage and hacktivism, and specific threats such as phishing and zero-day attacks. Consequently, if healthcare organizations are focused solely on compliance, then their security is inadequate.

McMillan called on healthcare organizations to think and act differently when it comes to data security and privacy. It’s about greater due diligence, day in and day out, and aligning with your organization’s broader Governance, Risk Management and Compliance strategy. For identity and access management risk, greater security can involve improvements such as the following:

  • Employing a role-based security model to enable more precise granting of access
  • Automating provisioning and deprovisioning so that role changes are made efficiently and accurately
  • Using analytics to proactively search for potential risk such as orphaned accounts or mismatched entitlements
  • Streamlining workflows to evaluate and remediate threats faster across many applications
  • Performing audits more efficiently by empowering managers to review and attest to their direct reports’ entitlements

When I speak to healthcare organizations, I recommend that they consider getting the tools in place now so they can be prepared for when change hits their organization. It’s going to happen eventually. Having the right tools not only makes your organization more secure, it makes your staff far more efficient, and delivers timely and accurate access to your clinicians. There aren’t many IT projects that can claim this trifecta of wins for your organization. If you’d like to learn more about the value provisioning and identity management tools can bring to your organization, please download this whitepaper here.

Moving Towards Automated Provisioning and Identity Management


Post by Mark Pilarski


Vice President and General Manager, Caradigm

I recently read this interesting article by Robert C. Covington on the IT security talent shortage. He cites a telling statistic that virtually all companies (92 percent) that planned to hire information security professionals expected to have trouble doing so.[1] Relief may be coming in the future as Covington believes that there’s a wave of future security professionals entering college programs that will join the workforce in a few years. However, with the amount of daily due diligence needed to combat today’s security threats, organizations need a strategy to compensate for the talent shortage in the meantime.

Covington cautions against falling into the temptation of buying security tools that require multiple IT staff to manage. His point is that rather than improve security, they can actually compound the talent shortage problem. On the other hand, he does recommend investing in tools that can automate routine processes such as log monitoring. I think he makes an interesting point about what types of security tools to invest in, which I would like to explore further.

While the profile of security within healthcare is rapidly rising, the ability to secure budgetary funding is very competitive with other health system initiatives. This is why a compelling business case is typically needed to get approval to purchase new security applications. One of the strongest rationales for a new security tool is if it brings broader value to your IT organization on top of reducing your vulnerability profile. Security solutions that can increase the overall productivity of your team and free them up to take on other projects are worth a closer look. Automated log monitoring is one example of this, but there are others.

For example, some larger organizations are spending thousands of IT hours annually on manual provisioning and deprovisioning processes. Consolidations in the healthcare industry will continue to occur, and if your organization has gone through a merger or acquisition, you know what an enormous commitment of IT resources provisioning-related processes entail, given the quantity of applications in your portfolio. Manual provisioning and deprovisioning processes should also be a red flag for your security team, because there are too many moving targets (i.e. shifting roles, new employees, non-employed clinicians) and too many applications to manage effectively through manual processes.

That’s just one example. Consider manual entitlement attestation processes. Do you think that inefficiencies in those processes could cause your organization some serious challenges in the event of an audit? They definitely can. Consider the investigation of potential threats related to improper access and the remediation of those threats. Do you think your organization would be better off being able to automate as much of those processes as possible to remediate threats faster? The answer is obviously yes. Did you know you could have those benefits while also freeing up chunks of IT and security resource hours for other projects?

There’s a growing awareness that automating provisioning and identity management processes is a strong investment because it brings high value from both a security and an IT efficiency point of view. It also supports broader security governance programs and has synergies with existing investments in single sign-on solutions, which integrate into provisioning and identity management solutions. To learn more about how you can automate provisioning and identity management processes, you can download our whitepaper on the topic here.

[1] ISACA. 2015 Global Cybersecurity Status Report. http://www.isaca.org/cyber/Documents/2015-Global-Cybersecurity-Status-Report-Data-Sheet_mkt_Eng_0115.pdf

Healthcare’s Cybersecurity Mandate


Post by Mike Willingham


Vice President of Quality Assurance and Regulatory Affairs, Caradigm

The mandate for healthcare information security is clear. Our industry has to raise the bar. We are reminded of this by the constant stream of breaches affecting healthcare providers such as the recent incidents impacting 21st Century Oncology and Hollywood Presbyterian Medical Center. Industry reports like this one from the Ponemon Institute state that healthcare organizations face cyberattacks every month and are still struggling to find effective strategies to keep systems secure.

One of the core vulnerabilities facing healthcare is identity and access risk: most healthcare organizations have vulnerabilities in this area but don’t realize their security strategies are insufficient. With frequent industry consolidation and the emergence of population health, information security is becoming increasingly challenging to manage. Data is now being shared from a multitude of applications with both employed and non-employed physicians. Managing this risk is further complicated because it has multiple layers. You have to consider elevated privileges, remote and mobile access and multi-factor authentication, and balance these concerns with providing efficient access. While single sign-on (SSO) tools are often looked upon as the first line of defense in controlling identity and access risk, providers need additional capabilities because the threat landscape has evolved. Providers need to assume that insiders and outsiders with malicious intent are attempting to gain unauthorized access.

In order to reduce this risk, providers need greater visibility so that they can be more diligent. This entails a major shift in philosophy to a more proactive strategy that is constantly managing credentials and access rather than just reacting. The key to succeeding with this approach is to leverage automation. With the exploding number of applications and clinicians that must be managed, security teams must use tools that can automate manual security related processes. Here are a few examples of how automation can help manage risk:

  • Automated provisioning and de-provisioning, which provides consistency in the process, saves IT many hours of work and prevents errors
  • User, entitlements and behavior data can be brought together in a single view so you have all the information you need to take action
  • A governance, risk and compliance (GRC) dashboard can be set up with analytics to monitor and proactively manage risk efficiently (e.g. an orphaned accounts report)
  • Real-time alerting can identify a potential incident as it happens to minimize damage
  • Remediation can be simplified so that access can be removed or suspended in just a couple of clicks
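As an added illustration of the analytics step in the list above (and of the role-based model, orphaned-account search and entitlement review described earlier in this archive under "Compliance Isn’t Enough"), the following Python script is an example written for this page, not Caradigm’s product code. It reconciles a constructed HR roster against a constructed export of application accounts, flags orphaned accounts (owner terminated or not linked to HR), flags entitlements that exceed what the owner’s role allows under a hypothetical role-to-entitlement matrix, and produces a remediation plan for a reviewer to approve. All names, roles, applications and entitlements are invented sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Worker:
    """One HR roster entry (constructed sample shape)."""
    worker_id: str
    role: str
    active: bool
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    """One account exported from an application (constructed sample shape)."""
    app: str
    username: str
    worker_id: Optional[str]          # None when the account has no HR linkage
    entitlements: FrozenSet[str]


# Hypothetical role-based access model: role -> application -> permitted entitlements.
ROLE_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "attending_physician": {"ehr": {"chart_read", "chart_write", "order_entry"},
                            "pacs": {"image_view"}},
    "registrar": {"ehr": {"demographics_edit", "chart_read"}},
    "billing_clerk": {"billing": {"claim_view", "claim_submit"}},
}

# Constructed HR roster: W003 left the organization at the end of March.
ROSTER: List[Worker] = [
    Worker("W001", "attending_physician", True),
    Worker("W002", "registrar", True),
    Worker("W003", "billing_clerk", False, date(2015, 3, 31)),
]

# Constructed account export: rreg holds order_entry, which a registrar is not
# permitted; bclerk belongs to a terminated worker; svc_legacy has no HR owner.
ACCOUNTS: List[Account] = [
    Account("ehr", "jdoe", "W001", frozenset({"chart_read", "chart_write", "order_entry"})),
    Account("pacs", "jdoe", "W001", frozenset({"image_view"})),
    Account("ehr", "rreg", "W002", frozenset({"demographics_edit", "chart_read", "order_entry"})),
    Account("billing", "bclerk", "W003", frozenset({"claim_view"})),
    Account("ehr", "svc_legacy", None, frozenset({"chart_read"})),
]


def find_orphaned_accounts(accounts: List[Account], roster: List[Worker]) -> List[Account]:
    """Accounts whose owner is absent from HR or no longer active."""
    active_ids = {w.worker_id for w in roster if w.active}
    return [a for a in accounts if a.worker_id not in active_ids]


def find_entitlement_mismatches(accounts: List[Account], roster: List[Worker],
                                matrix: Dict[str, Dict[str, Set[str]]]
                                ) -> List[Tuple[str, str, str, List[str]]]:
    """Entitlements held beyond what the owner's role permits in that application."""
    by_id = {w.worker_id: w for w in roster}
    findings = []
    for a in accounts:
        owner = by_id.get(a.worker_id)
        if owner is None or not owner.active:
            continue  # already reported by find_orphaned_accounts
        allowed = matrix.get(owner.role, {}).get(a.app, set())
        excess = a.entitlements - allowed
        if excess:
            findings.append((a.app, a.username, owner.role, sorted(excess)))
    return findings


def build_remediation_plan(accounts: List[Account], roster: List[Worker],
                           matrix: Dict[str, Dict[str, Set[str]]]) -> List[Dict[str, object]]:
    """Proposed actions for a manager to attest to before anything is executed."""
    plan: List[Dict[str, object]] = []
    for a in find_orphaned_accounts(accounts, roster):
        plan.append({"action": "disable_account", "app": a.app, "username": a.username})
    for app, user, role, excess in find_entitlement_mismatches(accounts, roster, matrix):
        plan.append({"action": "remove_entitlements", "app": app, "username": user,
                     "role": role, "entitlements": excess})
    return plan


if __name__ == "__main__":
    for item in build_remediation_plan(ACCOUNTS, ROSTER, ROLE_MATRIX):
        print(item)
```

The plan is deliberately a list of proposed actions rather than direct calls into the applications: the attestation step the posts describe is the manager reviewing this output, and only approved items would be pushed to the provisioning system.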

Given the increased threats we face, healthcare needs to change its approach to security and privacy. Ultimately, the key is greater due diligence, day in and day out. If we use tools that help us accomplish this, then we give ourselves the best chance to win this battle. For additional information security best practices, you can download FierceHealth IT’s special report: Data Security in the Information-Sharing Age. You can also reach out to us here if you would like more information about Caradigm’s solutions that can help.

 

HIMSS15 Day 3 Recap


Post by Azam Husain


Senior Product Manager, Caradigm

After three jam-packed days of activity inside and outside our booth, HIMSS15 came to a close. Our final panel presentation of the week focused on the important topic of healthcare data privacy and security. Marianne Kolbasuk McGee, Executive Editor of Information Security Media Group (ISMG), moderated and shared information from ISMG’s annual information security study. Also on the panel were Steve Shihadeh, Senior Vice President of North America Sales, Caradigm; Mac McMillan, Chief Executive Officer, CynergisTek; and Shane Whitlatch, Executive Vice President, FairWarning. The survey results that Marianne shared were really interesting because they showed that despite the high-profile breaches that have occurred over the past couple of years, there’s still plenty of room for healthcare organizations to give information security greater focus. Some of the statistics shared were:

  • Only about half of organizations indicated that preventing and detecting breaches is a top priority in 2015.
  • Just 31 percent of healthcare organizations have “high” or “somewhat high” confidence in the security controls of their business associates and subcontractors.
  • Nearly 80 percent of organizations rely on usernames and passwords as the dominant method of authentication for on-site and remote access to clinical data, with use of more advanced forms of authentication still rare.
  • 51 percent of organizations reported having no breaches of any size in 2014, compared to 37 percent in 2013.

The panelists advised that healthcare organizations need to guard against complacency in order to stay ahead of security risks. Everyone should be doing more, because insider threats are a constant presence and hacking threats increasingly target healthcare for the value of its data and intellectual property. The panel also stressed the importance of tools that help control identity and access management, and of ongoing workforce training that is put into greater context for how employees do their jobs.

Another very cool event that took place today was that patient rights advocate and renowned artist Regina Holliday was in the Caradigm booth painting a mural on population health to raise awareness for the Society for Participatory Medicine. The mural is inspired by the idea that healthcare needs powerful and disruptive change, and it was completed in a single day. To learn more about Regina’s patient advocacy, I recommend reading her blog and following her on Twitter.

 


 

The Growing Complexity of Identity and Access Management


Post by Azam Husain


Senior Product Manager, Caradigm

Identity and access management (IAM) is getting harder. It used to be that a single physician would view one record for one patient during one visit at one location, but now everything is multiplied. Healthcare providers are rapidly expanding their scope of influence by adding independent physicians, hospitals and other providers to their network. IAM is now a broader business challenge that affects not only security and compliance, but also patient safety, clinician satisfaction and IT resource utilization.

If anyone knows about the challenge of IAM, it’s Bobby Stokes, AVP Identity Management and Development Services of Hospital Corporation of America (HCA). HCA, recognized for security excellence, must share patient information securely and efficiently across 160+ hospitals, 1000 hospital affiliates, and 100,000+ users. Five percent of all U.S. inpatient admissions take place in an HCA facility. As Stokes said on last week’s webinar, “That’s an interesting mix of concerns.”

Today, IAM is a balancing act. First, healthcare organizations have a responsibility to protect the privacy of protected health information from internal and external threats. Inappropriate access to data has resulted in multiple data privacy violations recently (see here and here), and it is an area that providers need to take greater control of. Second, data has to be easily available for clinicians to consume and comprehend. Clinician workflows can be streamlined by reducing the number of system logins and by providing patient context across those systems. Lastly, from a provisioning perspective, IT needs tools to manage the sheer volume of requests it faces. Without solutions that can automate provisioning processes, IT is forced to spend excessive amounts of time on user provisioning, which can also delay clinician access.

If you missed last week’s webinar where Bobby Stokes talked about how HCA approaches identity and access management, then you can catch the recording here.

Webinar Tuesday: Identity and Access Management at HCA – Taking Control in the Era of Population Health


Post by Christine Boyle


Chief Marketing Officer and Senior Vice President, Caradigm

When you have the operational scale of Healthcare Corporation of America (HCA), identity and access management (IAM) is a massive undertaking. Recognized as a security innovator by CSO Magazine, HCA is continuing to set the bar high by improving security and access to protected health information across 160+ hospitals, 1000 hospital affiliates, and 100,000+ users. While the primary goals of IAM are security and compliance, it is an area with broader business value. IAM enables security leaders to partner with clinical leaders to drive efficiencies in how clinicians consume patient data, which impacts patient safety and the overall quality of care.

If you’d like to hear how HCA approaches IAM, it’s not too late to register for our webinar today at 1 PM ET. The always entertaining Bobby Stokes, AVP Enterprise Systems at HCA, will be discussing how HCA is taking control of its data to manage security and compliance risk while improving clinician access. You can register here.