Every day, more people give healthcare providers their personal data. And every day, more people try to steal that data. “The type of data that healthcare handles – it’s a lot of confidential information that is a gold mine to hackers,” said Grant Thornton Cyber Risk Principal Rahul Kohli.
Of the US industries targeted by cyberattacks, Statista shows that healthcare is second only to finance.
That’s because a healthcare profile can have more black market value than a credit card account. While a stolen credit card account yields an average $2,000 on the black market, a healthcare profile can yield up to $20,000, reported Dark Reading Chief Information Security Officer Allan Alford. Alford explained that “because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change.”
And the biggest security risk might be within your organization.
“Healthcare deals with a very dynamic workforce; the doctors, the nursing staff, the lab staff and others are continuously on the move. Internal actors are one of the biggest threats to cybersecurity in healthcare,” said Grant Thornton Cyber Risk Services Associate Director Akshay Singhal. In fact, Reuters reported that the U.S. Department of Health and Human Services found most health information data breaches do not begin with external attacks – they begin with mistakes or security lapses inside healthcare organizations.
“More than half of breaches were triggered by internal negligence and thus are to some extent preventable,” said the study’s coauthor, Ge Bai of the Johns Hopkins Carey Business School.
The push of regulation
Regulations like HITECH, HIPAA, GDPR and CCPA push healthcare organizations to stay ahead of internal and external security risks. But many organizations struggle to implement and manage these required security measures. “In the healthcare industry, cybersecurity shortfalls are abundant,” said Kohli.
“Regulatory requirements are not a new concept for the healthcare industry. The challenge the majority of organizations face is achieving efficiencies in maintaining and proving their adherence to regulatory requirements,” said Grant Thornton Cyber Risk Services Manager Mark Ferry.
Regulations, disparate legal requirements and codes of conduct specify how healthcare organizations must assign and track identities, how they must limit physical and technical access and more. To meet these requirements, many security teams implemented manual processes and disconnected solutions for access management. It’s easy for these separate processes and solutions to become a tangle of restrictions.
To efficiently enforce the access restrictions that regulations require, organizations must coordinate their processes, policies and technologies into an identity and access management (IAM) framework.
The value of streamlined security
Traditionally, healthcare organizations have struggled to balance their IT budgets between creating value on the one hand and enhancing security on the other. Most IT investments were seen as a choice between the two. But today’s IAM solutions can actually streamline security, and that can uncover real business value.
“Unlike other cybersecurity areas, IAM is capable of providing a great return on investment – and we have had experiences where it reduced total costs for an organization,” Kohli said. Kohli and the Cyber Risk Services team have found that a unified IAM strategy can help organizations control access to their systems and streamline cumbersome access management processes.
Joiners, movers and leavers
An effective IAM framework enables faster access requests and certification fulfillments. “This sounds simple, but when we talk about a dynamic workforce, and things like name changes, it can become a big deal. And, dealing with multiple applications, the cost multiplies. It is not linear,” Kohli said.
“This is where I believe that identity and access management solutions can help, by efficiently managing the frequent changes in roles and responsibilities as the staff moves within departments or hospitals,” Singhal said.
Authentication and interaction
A unified IAM strategy can help save time whenever a user interacts with a system, by helping to provide and maintain effective single sign-on (SSO) capabilities. Password management can account for a large slice of your annual cost for support, plus the cost of related end-user downtime. SSO solutions help you recover some of that cost. And advanced provisioning solutions offer features that can expand your benefits, like one-click approval that saves time and frustration for the middle and senior managers who need to approve access requests.
Administration and help desk support
Today’s IAM solutions can also enable self-service password resets that greatly reduce the number of help desk calls – and cut the frustration and downtime that users experience when trying to regain access to their accounts. Ultimately, this can help reduce your overall help desk costs.
Audits for lower audit costs
With a comprehensive and unified IAM framework, an organization can more easily report on its regulatory compliance, even automatically generating the documents required for regular security audits. This not only saves time, but gives the organization better visibility into its own compliance and emerging issues.
Scalability for services and business processes
By streamlining IAM-related processes, an organization is more ready to scale its staff and services. “For example, automating provisioning workflows – such automation really becomes a requirement for organizations as they continue to grow. Sustaining manual processes is proven ineffective, inaccurate and costly,” Ferry said.
User productivity and collaboration
With a workforce that includes multiple roles and dynamic changes, streamlined security also helps ensure that users retain the right level of access with the minimum interruption to their work. “With staff continuously on the move, a properly executed identity management and access certification program will help to keep assignments and access privileges in check,” Singhal said.
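The joiner/mover/leaver handling described above, and the access certification that keeps “assignments and access privileges in check”, both reduce to the same control: reconcile an authoritative HR feed against the accounts and entitlements actually present in each application, keyed by a stable employee identifier rather than by name. The following Python script is an added illustration of that reconciliation; it is not Grant Thornton’s tooling or any vendor’s product. The role baseline, the HR records, the application export and the field names are constructed assumptions.

```python
"""Joiner/mover/leaver (JML) reconciliation against a role baseline.

Added illustration, not a product's code: an authoritative HR feed is compared
with the accounts and entitlements found in one application, and every
discrepancy is classified as a joiner, mover or leaver finding. The role
baseline, the HR records and the application export are constructed sample
data; the field names are assumptions.
"""
from dataclasses import dataclass, field

# Assumed role baseline: the entitlements each job role should hold.
ROLE_BASELINE = {
    "physician": {"ehr.read", "ehr.write", "orders.sign"},
    "nurse": {"ehr.read", "ehr.write"},
    "lab_tech": {"lis.read", "lis.write"},
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    department: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class AppAccount:
    employee_id: str
    display_name: str
    entitlements: set = field(default_factory=set)
    enabled: bool = True


def reconcile(hr_feed, accounts):
    """Return findings keyed by category; each finding names the employee id."""
    findings = {"leaver_active": [], "joiner_missing": [], "mover_excess": [],
                "mover_missing": [], "name_mismatch": [], "orphan_account": []}
    hr_by_id = {r.employee_id: r for r in hr_feed}
    acct_by_id = {a.employee_id: a for a in accounts}

    for emp_id, rec in hr_by_id.items():
        acct = acct_by_id.get(emp_id)
        if rec.status != "active":
            # Leaver: HR says gone, so any enabled account is a deprovisioning gap.
            if acct is not None and acct.enabled:
                findings["leaver_active"].append(emp_id)
            continue
        expected = ROLE_BASELINE.get(rec.role, set())
        if acct is None or not acct.enabled:
            # Joiner (or re-enabled worker) without the access the role needs.
            findings["joiner_missing"].append(emp_id)
            continue
        # Mover checks: compare held entitlements with the current role's baseline.
        excess = acct.entitlements - expected
        missing = expected - acct.entitlements
        if excess:
            findings["mover_excess"].append((emp_id, sorted(excess)))
        if missing:
            findings["mover_missing"].append((emp_id, sorted(missing)))
        # Identities are keyed by employee id, so a name change is an attribute
        # update to sync rather than a new identity to provision.
        if acct.display_name != rec.name:
            findings["name_mismatch"].append(emp_id)

    for emp_id, acct in acct_by_id.items():
        # Enabled account with no HR owner at all: certify or disable it.
        if emp_id not in hr_by_id and acct.enabled:
            findings["orphan_account"].append(emp_id)
    return findings


# Constructed sample data.
SAMPLE_HR = [
    HrRecord("E100", "Dana Ortiz", "cardiology", "physician", "active"),
    HrRecord("E101", "Lee Park-Smith", "icu", "nurse", "active"),     # name changed in HR
    HrRecord("E102", "Sam Reyes", "lab", "lab_tech", "terminated"),   # leaver
    HrRecord("E103", "Ana Kim", "icu", "nurse", "active"),            # joiner, no account yet
    HrRecord("E104", "Raj Patel", "lab", "lab_tech", "active"),       # moved from nursing to lab
]
SAMPLE_ACCOUNTS = [
    AppAccount("E100", "Dana Ortiz", {"ehr.read", "ehr.write", "orders.sign"}),
    AppAccount("E101", "Lee Park", {"ehr.read", "ehr.write"}),
    AppAccount("E102", "Sam Reyes", {"lis.read", "lis.write"}),              # still enabled
    AppAccount("E104", "Raj Patel", {"ehr.read", "ehr.write", "lis.read"}),  # kept nurse access
    AppAccount("X999", "svc_legacy", {"ehr.read"}),                          # no HR record
]

if __name__ == "__main__":
    for category, items in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS).items():
        print(f"{category}: {items}")
```

Run once per application export and the output is the working list for a certification campaign: the leaver and orphan findings are the items to disable first, the mover findings show where a department transfer left old entitlements behind, and the joiner findings show who is waiting on provisioning. Keying on the employee id is what keeps a name change from spawning a second identity, which is the “name changes” cost the text mentions.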
Take the first steps
As cyber risks are rapidly rising and healthcare turns more attention to cybersecurity, innovative organizations have started looking for ways to recover value from their security processes. “Because cybersecurity is an integral part of the business, there’s now a heightened expectation that the cybersecurity function provides an enhanced end-user experience, reduces costs and realizes operational efficiencies,” Ferry said.
But every organization is different, with different processes in place. So, how should you start to streamline your security?
Step 1: IAM assessment
“It is critical to understand where you stand today,” Kohli said. An initial IAM assessment needs to take an inventory of end systems and “crown jewels” – the applications that are most critical to your business. The assessment also needs to account for the applicable regulations and standards as well as your organization’s maturity against industry best practices. The result will be a clearer view of your priorities and the gaps you need to address. “Once you have the gaps in front of you, you know what needs to be done. That is a primary step in defining what ‘good’ looks like, what the future state should be and what the roadmap is to achieve that future state,” Kohli said.
Step 2: IAM roadmap
To define the future state of your organization’s IAM program, you’ll need to consider your IAM assessment along with your stakeholders’ views, your organization’s vision, current pain points and the latest compliance needs. “The most important factor when we talk about future state is having a strong goal in place as well as strong business alignment,” Kohli said. Based on the timelines for your goals, you can form a short-term tactical roadmap to meet immediate program needs, a mid-term strategic roadmap for program maturity and a strategic end-state roadmap. “A roadmap can be anything from six months to two or three years, because this is not a single project,” Kohli said. “This is a program, and it consists of different capabilities to be used by different user bases, all to be brought under IAM.”
Step 3: IAM foundation and extension
Once you have established business alignment and program sponsorship with a roadmap, you can look at establishing an IAM foundation. “We typically recommend clients taking a two-stage approach: First, a foundation with a pilot demonstrates quick wins, a few capabilities, a few key use cases, and brings in critical applications to demonstrate the value of the IAM domain,” Kohli said. “And that helps you keep the budget. Once you do that and the pilot is successful, you have an architecture which is extensible. Because it’s a journey, we all understand, and extension is the right way to do it. Once you get a solid foundation, organizational change can be relatively easy because now you have people embracing the IAM platform.” A business-aligned governance model plays a key role in ensuring that you can expand use cases, business functions and user communities into the future.
Trends for the future
With streamlined security and scalable processes, a comprehensive IAM program prepares you to address the security risks that will arise as new technologies accelerate the pace of change.
Biometric authentication is already enabling systems to establish a user’s identity with greater accuracy, speed, accountability, cost efficiency and versatility of implementation. Standardized IAM processes will prepare an organization to more quickly adopt:
- risk-based authentication
- password-free authentication
- user identity proofing
- privileged access management
Leading organizations are using bots, or robotic process automation (RPA), to complete repetitive rule-based tasks, and an effective IAM framework ensures that automation can be standardized to work throughout an organization for:
- identity management and last-mile provisioning
- identity governance and certification campaigns
- access management and application onboarding
Healthcare providers and patients increasingly want to access healthcare data with mobile phones, tablets and other devices. The extensible nature of IAM will help an organization develop:
- low-cost cloud-based availability from anywhere at any time
- federated sign-on for third-party apps
- consent-based attribute sharing
These technologies, along with blockchain and other emerging capabilities, are defining the security needs and risks of the future. And all of them can feed data into analytical insights that help organizations improve their security, staffing and planning.
“It comes down to identity and analytics,” said Singhal. “With the increasing number of identities and associated entitlements, it is getting difficult for organizations to get a holistic view of who’s doing what with the access parameters that have been claimed. This lack of insight is leading to security risks and personal inefficiencies – loss of data and a failure to comply with industry standards.”
With a streamlined and effective IAM framework, organizations can align their systems now, to be better prepared for tomorrow’s risks – and tomorrow’s opportunities.