As technology becomes more prevalent across all facets of life, cybersecurity is becoming more of a priority. This is particularly true in healthcare; not just because of the critical nature of patient care, but because the digitization of records has added a complexity that makes it increasingly difficult to verify that the right person is accessing information.
Not only are there more individuals involved in the care process, but there are more types of devices being used, and more locations from which data is being accessed. And, as healthcare IT and security leaders can attest, the more crowded an environment becomes, the more challenging it is to safely maintain.
“It’s critical that we’re able to uniquely and positively identify all the actors in the digitization process,” said Randy Nale, Technical Solution Manager with Microsoft’s Modern Healthcare Workplace, in a recent webinar. “We can’t get that wrong. We need a way to break through that wall.”
For that to happen, leaders must have a keen understanding of what digital identity actually entails. The best way to describe it, according to Nale, is “the digital representation of people and things to applications so we can ensure people are contributing in the right way to the process and workflows.”
During the discussion, Nale — along with co-presenters Julia Staas, IS Director at Virtua Health, and Sean Kelly, MD, CMO, of Imprivata — shared thoughts on why identity and access management is so complex in healthcare, how leaders can manage the new perimeters, and why zero trust should be the new norm.
The scope of the problem
The fact is, healthcare has changed — dramatically. Gone are the days when patient care was only performed within the four walls of the hospital, and was documented using localized systems. Also gone? The days of a “clear firewall,” said Kelly. Today’s world is far more complex from a security and usage standpoint, largely because of the following factors:
- Diverse user community. It’s not just physicians and nurses who need to access patient information, but an entire care team consisting of administrators, case managers, home health staff, students, therapists, and more.
- Shared clinical workstations. “We’ve created a complex environment where we have users hopping on and off of machines, and each one has to get to different things in different ways,” noted Kelly. “That’s really hard to deliver from a technical standpoint. It’s hard to monitor all the digital identities at the same time, both in terms of safety and efficiency.”
- Multiple locations. What’s also been created, according to Kelly, is a “borderless environment” where individuals can work from a number of different locations, such as the office, the home, or the patient bedside, using a tablet, phone, or other device to access the EMR.
- More apps going to the cloud. “If you think about Office 365 and all the web-based and cloud-based apps, managing to link that identity from on-premise into the cloud infrastructure is incredibly important,” said Kelly. “That’s the world we’re living in and working in.”
- Changing perimeters. Whereas in the past, everything stayed within the walls of the hospital or clinic, these days, most organizations send data externally to a number of different entities, including HIEs, said Staas. Thus, it has become critical to “vet each and every one of these external touchpoints and communication points before we allow it.”
Given these factors, it can be extremely difficult for organizations to dedicate the necessary resources toward an identity and access management (IAM) strategy. The alternative, however, is far worse, according to Staas. “It’s a big undertaking, but I don’t know how an organization can live without it.”
Virtua has partnered with Imprivata to manage data from 12 different core applications through tools like single sign-on, which is being used throughout the system. “We have placed a lot of focus and significance on this,” she added. “We consider it a key platform that we have to use to manage all of our end users and make sure the right people are getting into the right systems, under the right roles, and are not able to do any harm.”
Different roles, different needs
It may seem cut and dried to assign the right people to the right roles. But in reality, many individuals have multiple job functions, and as a result, may have different needs when it comes to data access. For example, Kelly, who is also a practicing ER physician at Lahey Health, must have the ability to view patient records at any time, and to perform tasks like bypassing certain warnings to prescribe medication in an emergency scenario. However, if he (or any provider) is operating in an administrative or research capacity, the same level of authority is no longer warranted. “The ability to weave the trust fabric of that identity throughout the system — not just for the person, but for the different roles they play — can be really extremely challenging,” said Kelly.
With individuals toggling between roles and accessing data from various locations, security and compliance teams must have a way to track all of this activity and provision users into the system. More importantly, it means finding a way to deprovision them when access is no longer required. “A lot of these systems are mission-critical or potentially life-saving, and so you need a good audit trail of who’s doing what and when and where,” noted Kelly. At the same time, “from an operations and business standpoint, you can’t block someone from getting in or slow them down when they’re trying to perform a function.”
To a physician, any type of slowdown, no matter how minimal, can lead to apathy and irritation, which is the last thing an IT or security leader wants, according to Nale. “That’s why Imprivata is trying to make an impact by simplifying that for customers and helping them to present a unified view of that professional ID.”
Best practices for IAM
As the environment continues to change for users, whether it’s because of consolidation, collaboration, or numerous other factors, having a reliable digital identity will become increasingly critical. For organizations that are looking to develop or improve on their IAM strategy, Nale offered the following pieces of advice:
- Go to the cloud. If they haven’t already, healthcare organizations “need to begin the journey of migrating their identity authority from on-premises toolsets to the cloud,” he noted. “It has to happen. There’s enough to do without having to manage the actual infrastructure and application of an identification system (including managing servers, keeping it up to date, and adding new threat protections). There’s enough to do without having to have every single healthcare organization on the planet also worry about the plumbing and protecting it from threats and scaling it.” By finding a reliable IAM partner, health systems can spend more time on the business value and security value of their digital identity.
- Make it simple for the end user to do the right thing. “Protections and controls are important, but if you make it too hard for people to do the right thing, they’re going to find something else to do,” Nale said. Or, they’re going to do the wrong thing.
- Adopt a zero trust policy. As customers modernize, it’s essential to embrace the idea of no implicit trust. Just because someone practices between the four walls, it doesn’t mean he or she should immediately be granted access, he noted. And just because someone has access to one application, it doesn’t immediately grant them access to every application. “We need to embrace that model as the world becomes more connected.”
It may not be the easiest concept to sell, but as more information becomes available digitally, and more users, apps, and devices enter the mix, trust can no longer be a given, and the industry as a whole must become more vigilant.
“It’s so easy for the lines to get blurred,” added Staas. “We have to be on the lookout, because we’re all targets. All of us are targets for compromised networks if we’re not constantly trying to stay ahead of it and using best practices and assessments from a security perspective.”
Originally scheduled as a Live Panel Discussion at HIMSS20, this event — Digital Identity in the Modern Healthcare Workplace: Delivering Care Securely — was offered online during Imprivata’s Virtual HIMSS program.