The Covid-19 pandemic may have officially ended, but the remote and hybrid work models that were born out of it are alive and well. And along with them come greater challenges in safeguarding data, said our panelists during a recent discussion.
“The hybrid work component requires new ways of handling things, especially when it comes to the devices that are moving outside of the organization,” said Jason Mafera (Field CTO, North America, IGEL Technology), who presented along with Chris Paravate (CIO, Northeast Georgia Health System) and Zafar Chaudry, MD (SVP and Chief Digital & Information Officer, Seattle Children’s). “It’s more important than ever to look at how you protect the interface between users and what they access,” and find ways to “reduce the risk and deliver on these new hybrid scenarios.”
Doing so, however, requires a solid understanding of why taking data off prem carries so much added risk, and how taking the proper steps can mitigate it, according to the speakers.
Starting the “journey”
Like most organizations, Seattle Children’s wasn’t equipped to handle a high volume of remote workers prior to the start of the pandemic — particularly from a security standpoint. “It does change your security posture,” said Chaudry. “It’s not as simple as connecting point to point.” With an influx of users gaining access to the network, his team quickly had to figure out how to authenticate users and verify identities.
Part of that was accomplished by shifting from a VPN to a zero-trust strategy when connecting users to the network. They also conduct checks in the background to make sure all devices, whether owned by them or the organization, are updated to the latest version and meet all cybersecurity requirements, including multifactor authentication, which can irritate busy clinicians. “Nobody likes to do that,” said Chaudry. “But the reality is, you have to authenticate. You have to click on a couple of things before you get to where you need to be.”
Mafera concurred, adding that validating the user and their identity is “the first point of the journey,” and must take place before access to a device is granted. “It’s a model where you trust nothing. Not ‘trust and verify,’ but ‘never trust and always verify,’” he said. “You have to not only secure the device, but also the user, so that we know who we’re interacting with and who’s accessing the data. That’s where the whole journey starts.”
The next step is in creating a framework for authentication, according to Chaudry. “For us, it starts with understanding the different users and use cases that we have,” for example, clinical, nonclinical, and those in between. “Based on that, we develop a framework to determine what those users require, whether they’re inside or outside of the organization. Once that’s defined, we look at how to authenticate them based on those factors.”
And it’s not just the processes that have changed, but the devices themselves as well, he noted. Whereas the traditional model entailed installing antivirus software and checking for updates, Seattle Children’s now uses tools that scan devices rather than looking for patterns, and systematically automates user access.
However, automation isn’t always applicable, particularly when it comes to role-based access, according to Chaudry, who often applies the 80-20 rule in this case. “Eighty percent can be automated, and that helps, but you’re not going to get away from subject matter experts,” he noted. “The final 20 percent where you have exceptions will require human intervention and overview.” It’s a massive improvement from the manual processes used in the past, which meant new hires had to wait days or even weeks to access applications.
Paravate agreed, adding that role-based security “can be very convenient, especially on the application side. Knowing what role people are in today is really important,” he said, noting that cardiologists, for example, might be in the lab one day and the ED the next. To that end, his team has built additional mobility layers to capture those roles, as well as their communication preferences, and create an ecosystem.
These actions, according to Mafera, are critical in enabling dynamic decisions at the point of access. “The authentication pieces need to intersect the device and be evaluated to determine the level of access,” he noted. “To get role-based access, you need to be granular in that approach.” And although it is a lot of moving parts, he admitted, “it’s going to get us to a place where we can confidently provide that access and reduce the risks associated with breaches.”
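The access decision the panelists describe (verify the identity first, evaluate the device, then apply role-based entitlements, with the exceptions that automation cannot resolve routed to a person) can be written down as a small policy function. The following is an added example and is not code from the webinar, from IGEL, or from either health system; the role-to-resource mapping, the posture fields, the decision labels and the "browser-only" restricted mode for unmanaged devices are all constructed assumptions used to illustrate the ordering of checks, not any organization's actual policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Signals a background device check would collect (constructed fields)."""
    managed: bool        # enrolled in the organization's device management
    os_current: bool     # at the latest approved OS/patch level
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                   # e.g. "clinician" or "nonclinical"
    resource: str               # application the user is trying to reach
    mfa_verified: bool          # identity step completed with a second factor
    on_corporate_network: bool  # recorded for audit only; never a shortcut
    device: DevicePosture


# Baseline entitlements per role: the part that can be automated.
# Hypothetical mapping for illustration only.
ROLE_ENTITLEMENTS = {
    "clinician": {"ehr", "imaging", "email"},
    "nonclinical": {"email", "hr-portal"},
}


def device_compliant(device: DevicePosture) -> bool:
    """Minimum posture every device must meet, owned by the user or not."""
    return device.os_current and device.disk_encrypted


def decide(req: AccessRequest, exception_queue: list) -> tuple:
    """Return (decision, reason) for one access attempt.

    Checks run in the order the panel describes: identity, then device,
    then role. Being inside the network never skips a check, which is the
    practical meaning of "never trust, always verify".
    """
    # 1. Identity: no MFA, no access, regardless of location.
    if not req.mfa_verified:
        return "deny", "identity not verified (MFA required)"

    # 2. Device posture: an out-of-date or unencrypted device is turned away.
    if not device_compliant(req.device):
        return "deny", "device fails posture check"

    # 3. Role-based entitlement: the automated path.
    if req.resource in ROLE_ENTITLEMENTS.get(req.role, set()):
        if not req.device.managed:
            # Assumption: a compliant but unmanaged device gets a reduced mode.
            return "allow-restricted", "role entitlement; unmanaged device, browser-only session"
        return "allow", "role entitlement"

    # 4. Exception path: the share that still needs a subject matter expert.
    exception_queue.append((req.user, req.role, req.resource))
    return "pending-review", "no role entitlement; routed to human review"


if __name__ == "__main__":
    # Constructed sample requests to show each branch.
    queue = []
    good_device = DevicePosture(managed=True, os_current=True, disk_encrypted=True)
    samples = [
        AccessRequest("dr.lee", "clinician", "ehr", True, False, good_device),
        AccessRequest("dr.lee", "clinician", "ehr", False, True, good_device),
        AccessRequest("dr.lee", "clinician", "ehr", True, True,
                      DevicePosture(managed=True, os_current=False, disk_encrypted=True)),
        AccessRequest("dr.lee", "clinician", "ehr", True, False,
                      DevicePosture(managed=False, os_current=True, disk_encrypted=True)),
        AccessRequest("analyst1", "nonclinical", "ehr", True, True, good_device),
    ]
    for req in samples:
        decision, reason = decide(req, queue)
        print(f"{req.user:>9} -> {req.resource:<8} {decision:<16} {reason}")
    print("awaiting review:", queue)
```

Note that the second sample is denied even though it originates on the corporate network: location is carried in the request for audit purposes but contributes nothing to the decision, so replacing the VPN with this style of check does not reintroduce a trusted perimeter. The queue returned at the end is where the exceptions described by Chaudry land for human review rather than being silently allowed or denied.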
By leveraging systems such as the one offered by IGEL, organizations can move toward improving security and manageability without compromising usability, he added. But, as is often (if not always) the case, it’s not just about the tools.
“It starts with realizing that this really isn’t about technology. It’s about sitting down with stakeholders and saying, what problem are you really trying to solve?” said Chaudry.
Testing, testing, testing
Once a plan has been outlined, the next step is to examine workflows and use cases, and to test them — well before go-live. “In technology, we tend to come up with a workflow and say, ‘This is how it’s supposed to work,’” Chaudry said. The better bet is to validate and test it with end users and make adjustments as needed.
“We’ve fine-tuned the experience by constantly asking, ‘Is it seamless enough?’” he noted. And while he doesn’t expect to achieve perfection, he hopes to reduce the number of clicks and perhaps “get to a point where you won’t have to input anything to authenticate.”
Similarly, Paravate is a big proponent of testing to ensure solutions are working as consistently as possible. “The last mile is getting that validation,” he said. But “until you put it in the wild, frankly, you don’t know.”
And while some users might come forward requesting changes, some will resort to workarounds, said Mafera. The best way to avoid it? “Find the most transparent way to deliver that security so that it doesn’t impact the person using it,” he said. Another key component is adaptability. “There should be flexibility to move workloads around without changing the user experience. It should be completely transparent so that they don’t have to be retrained.”
And, more importantly, so that clinicians can focus on patient care, according to Paravate. Any distraction that detracts from the patient encounter or hinders clinical decision making is unacceptable. “We want it to be as intuitive and consistent as possible,” he said. “Being deliberate about your architecture is paramount.”
To view the archive of this webinar — Keys to Securing Tomorrow’s Workflows (Sponsored by IGEL Technology) — please click here.