No matter how much healthcare has changed — particularly in the past year or so — the number one priority has remained the same: to facilitate the delivery of care. Part of that includes provisioning and granting access to the applications and tools caregivers need to do their jobs.
“We’ve done that,” said Wes Wright, CTO with Imprivata, during a recent webinar. But in doing so, “we’ve squeezed the toothpaste out of the tube.”
When the Covid-19 pandemic hit, “a lot of people were shuffled around” to different areas to help relieve their exhausted colleagues. “We gave them access because they needed to see patients,” he noted. “But now that we’re back to the status quo, I’d bet about 97 percent of those people didn’t give back those privileges.”
It’s a big knot that has to be untangled. One way organizations are working toward that is by beefing up their identity governance (IG) strategies, according to Wright. “We’re starting to see a lot of folks really considering it. Things got screwed up with Covid and they don’t want to be in that position again.”
During the webinar, Wright and co-panelists Ben Smith (CISO, Nuvance Health) and Slayton Austria (CTO, UW Medicine) discussed the need for better identity governance — even in the absence of a pandemic — and shared best practices for implementation.
It’s important to point out, according to Smith, that although Covid may have exacerbated the problem, identity governance has always been “a mess at best, especially when you’re trying to manage it using native Microsoft toolsets, or, heaven forbid, spreadsheets.” While a spreadsheet may be adequate for listing which privileges were assigned to which individuals, it rarely goes beyond that, noted Wright; it usually fails to record who authorized that access, which can prove problematic later in an audit or investigation. “When you’re trying to do this, particularly when you’re trying to do it manually, there are just so many places where the ball can get dropped,” he said.
And that’s just from a compliance perspective.
The other piece, according to Smith, is security. “The vulnerabilities come from the things that you missed or can’t keep track of, such as the bifurcation of access, deployment, and delivery to users across your entity.” When remote work skyrocketed, it became common for general users — most of whom didn’t have two-factor authentication — to obtain admin rights, and to reuse those passwords. “All of a sudden you end up with an attack that is significantly easier to execute against your organization,” he noted. “Without automation and tools around identity access and management, it’s easy to fall behind and not be able to properly service your organization. We certainly saw that here.”
“Getting your arms around it”
It’s also easy to make exceptions, which most organizations had to do when nurses and other workers floated among different locations. “Trying to manage that is extremely difficult,” said Austria, “which is what led to so many of us trying to make all of these exceptions.” Part of cleaning that up is validating whether individuals still need the credentials they were given. “It’s getting your arms around it and understanding what you have,” he noted. “Having automated tools gives you that visibility.”
With Imprivata’s IG solution, IT leaders run reports to see which “shares” or privileges a given role, an ICU nurse, for example, should have. They can also use the governance, risk and compliance (GRC) model to identify individuals who hold more shares than their role dictates, and enforce role-based access controls.
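The comparison described above, actual entitlements against a role baseline, is easy to reason about in code. The following is an added illustration of the technique, not Imprivata’s product, its report format, or anything the panelists shared. It assumes three constructed inputs that an IG program typically joins: an HRIS extract (the system of record for who is employed and in what role), a role baseline (which entitlements each role should hold), and an entitlement export from the directory or EMR (who actually holds what, when it was granted, and who approved it). All user names, roles and entitlement names are made up.

```python
"""Role-baseline entitlement review (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted: date
    approver: Optional[str]  # None: no recorded authorizer for this grant


@dataclass
class Report:
    excess: list = field(default_factory=list)       # held but not in the role baseline
    no_approver: list = field(default_factory=list)  # held with no recorded authorizer
    orphan: list = field(default_factory=list)       # holder is not in the HRIS extract
    missing: dict = field(default_factory=dict)      # user -> baseline entitlements not held


# Constructed HRIS extract (system of record): user -> current role.
HRIS = {
    "jdoe": "ICU Nurse",
    "asmith": "ICU Nurse",
    "bwong": "Float Nurse",
    "rgray": "Radiology Tech",
}

# Constructed role baseline: the shares/privileges each role should hold.
ROLE_BASELINE = {
    "ICU Nurse": {"EMR-Clinical", "ICU-Share", "Badge-ICU"},
    "Float Nurse": {"EMR-Clinical", "Badge-Floor"},
    "Radiology Tech": {"PACS", "Badge-Radiology"},
}

# Constructed entitlement export, including two surge-era grants from spring 2020
# and one account whose owner no longer appears in HRIS.
GRANTS = [
    Grant("jdoe", "EMR-Clinical", date(2019, 3, 1), "mgr1"),
    Grant("jdoe", "ICU-Share", date(2019, 3, 1), "mgr1"),
    Grant("jdoe", "Badge-ICU", date(2019, 3, 1), "mgr1"),
    Grant("jdoe", "ED-Share", date(2020, 3, 20), None),      # surge grant, nobody recorded as approver
    Grant("asmith", "EMR-Clinical", date(2019, 8, 5), "mgr1"),
    Grant("asmith", "ICU-Share", date(2019, 8, 5), "mgr1"),  # Badge-ICU was never provisioned
    Grant("bwong", "EMR-Clinical", date(2018, 1, 9), "mgr2"),
    Grant("bwong", "Badge-Floor", date(2018, 1, 9), "mgr2"),
    Grant("bwong", "ICU-Share", date(2020, 4, 2), "cno"),    # approved surge grant, never revoked
    Grant("rgray", "PACS", date(2017, 6, 12), "mgr3"),
    Grant("rgray", "Badge-Radiology", date(2017, 6, 12), "mgr3"),
    Grant("tleft", "EMR-Clinical", date(2018, 2, 1), "mgr1"), # user is absent from HRIS
]

AS_OF = date(2021, 6, 1)  # constructed review date


def review(hris, baseline, grants):
    """Join the three feeds and classify every grant; also report under-provisioning."""
    rpt = Report()
    held = {}
    for g in grants:
        held.setdefault(g.user, set()).add(g.entitlement)
        role = hris.get(g.user)
        if role is None:
            rpt.orphan.append(g)      # nobody in HRIS owns this account
            continue
        if g.entitlement not in baseline.get(role, set()):
            rpt.excess.append(g)      # more shares than the role dictates
        if g.approver is None:
            rpt.no_approver.append(g) # the spreadsheet problem: who said yes?
    # Under-provisioning matters too: care delivery is the number one priority.
    for user, role in hris.items():
        gap = baseline.get(role, set()) - held.get(user, set())
        if gap:
            rpt.missing[user] = gap
    return rpt


def stale_excess(rpt, as_of, max_days=90):
    """Excess grants older than max_days: the surge access that was never given back."""
    return [g for g in rpt.excess if (as_of - g.granted).days > max_days]


def run_review():
    """Convenience entry point over the constructed data."""
    return review(HRIS, ROLE_BASELINE, GRANTS)


if __name__ == "__main__":
    rpt = run_review()
    for label, grants in (("EXCESS", rpt.excess), ("NO APPROVER", rpt.no_approver),
                          ("ORPHAN", rpt.orphan), ("STALE EXCESS", stale_excess(rpt, AS_OF))):
        for g in grants:
            print(f"{label:12} {g.user:8} {g.entitlement:16} granted {g.granted} by {g.approver}")
    for user, gap in rpt.missing.items():
        print(f"{'MISSING':12} {user:8} {', '.join(sorted(gap))}")
```

Each finding type maps to a remediation the panel describes: excess and stale grants go to the role owner for revocation, grants with no approver go back through a proper authorization step, orphan accounts are disabled pending HRIS confirmation, and missing entitlements are provisioned so the baseline does not obstruct care. Running this against a real HRIS export is only as good as the role descriptions HR provides, which is exactly the problem the "Don’t be generic" point below is about.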
With the ‘why’ established, the panelists addressed the ‘how,’ which can be challenging with any initiative, especially identity governance.
- Get the right people involved. A critical first step, according to Smith, is making sure “you have the right people doing the right things and having the right access.” That includes a dedicated program manager who will ensure the initiative progresses at a manageable pace.
- Make friends with HRIS. Human resource information systems (HRIS) “is going to be your best friend and worst enemy,” Smith noted. “You need to convince them that their solution is the system of record, and they need to provide you that data in a timely fashion so that you can draw that into your solution to begin to build your baseline account structures.”
- Know the source of truth. When building out the IG platform, it’s important to know the source of truth for every data feed being pulled in, whether it’s the EMR or a cloud solution. As organizations start to build out role-based access, they should identify the areas with the highest turnover, and run reports on who has access to the data and whether that access is still necessary.
- Don’t be generic. A common trap organizations fall into is providing generic descriptions when it comes to role-based access. “It makes it very difficult,” said Austria. During UW Medicine’s rollout, his team approached HR asking for more detailed descriptions of security roles. “Our biggest challenge has been figuring out how we get the right information from our HRIS to get the roles drilled down to the level we need.”
- Approach IG in chunks. This is one instance where leaders don’t want to do it all — or request all of the funds — in one shot, noted Smith. “If you break it into chunks over two or three years, you’re going to be much more successful in getting buy-in from the organization, because you’re not going to bury them.” It’s also going to be “more palatable from a cost perspective.”
- Start with the end in mind. It may seem counterintuitive, but in this case, it’s wise to start with the end in mind, said Austria. By doing so, “it makes you start thinking about what you want to tackle as you go through this, because it’s going to be a journey.” Wright echoed this sentiment, adding that, despite what many believe, “identity governance isn’t a project; it’s a program that’s continuous.”
The final area the panelists covered was how to successfully sell IG to senior leadership. A key piece, according to Austria, is ensuring alignment with operations, and “making sure they know this is a program, not an IT system being shoved at them.”
Smith suggested taking a “risk reduction direction” that focuses on how automation can help reduce audit findings of inappropriate access, while helping the organization move toward its goals. It’s imperative, he added, to be transparent about the long-term costs, and to explain your strategy, especially when it comes to change management. “Your executive team needs to understand that you’ve thought this through.”
The good news, according to Wright, is that awareness around security vulnerabilities is at an all-time high, especially on the heels of recent data breaches at large health systems, as well as the SolarWinds attack.
“We’ve come to find out identity is everything,” he said. Therefore, the sooner organizations can get a plan in place, the better off they’ll be. “The problem’s not going away. We’ve lifted up the rock and there are some dirty critters under there. You need to do something about it.”
An archive of this webinar, Building Identity Governance into Your Post-Covid Security Strategy, is available.