Digital Health

Hey, CISO: How Mature is Your Digital Identity Strategy?

By: Wes Wright, Chief Technology Officer at Imprivata

Debilitating cyber attacks on healthcare delivery organizations (HDOs) continue to pose a major threat to public health. Over half of the healthcare data breaches in January 2023 were caused by a hacking or IT-related incident, and nearly 700,000 personal health records were exposed or stolen, according to the HIPAA Journal.

Clearly, security practices are not working well enough, and current regulations are often general and broad. Knowing where and how to start is often daunting for HDOs struggling to overcome staffing shortages, increased patient demand, and financial woes. To future-proof healthcare, a digital identity-focused approach to assessing and managing security is paramount. But building out the blueprint for that strategy can be daunting, particularly due to the swirl of regulations clouding a CISO’s priorities.

Healthcare’s Regulation Frustration

Security and compliance regulations like HIPAA have been around for decades. But recently, healthcare has been forced to navigate an especially turbulent environment. In response to rising threats, federal entities like NIST, CISA and the NSA issued updated guidance around cybersecurity and identity and access management practices.

Although these best practices are important, they don’t provide actionable guidance for HDOs to get from point A to point B. They’re just words on a web page, written for a variety of industries with their own unique complexities. In an attempt to adopt best practices while balancing resource and budget constraints, many IT leaders took a fragmented approach to cybersecurity.

But as CISOs learned the hard way, fragmentation leads to a lack of integrations, poor interoperability, and gaps that create security risks. Regulations are helpful, but they become noise to an overwhelmed CISO. Ultimately, cybersecurity needs to be well integrated into the workflow. To strike the ideal balance of security and usability, organizations need a comprehensive strategy for digital identity.

Why Digital Identity?

The COVID-19 pandemic and introduction of remote work ushered in a new era of digital identity. Without a traditional security perimeter, HDOs need to focus on securing the user and their credentials rather than the network. This is the goal of Zero Trust Architecture (ZTA). Like many best practices, the principles of ZTA call for multi-factor authentication (MFA) at critical access points. But with added verification, it’s essential for logins to be frictionless, especially in healthcare.

Complex password requirements can also become a barrier to accessing information, wasting precious time and negatively impacting both patient care and security practices. By replacing physical logins with password-less single sign-on technology, organizations can reduce the time spent logging in and direct more of it to patient care. Considering that 81% of hacking-related breaches use stolen or weak passwords, utilizing this technology to streamline logins can significantly alleviate risk and improve clinician quality of life.

This identity-centric stance allows HDOs to lay the groundwork and evolve their strategy to achieve a mature, future-proof digital identity posture. Forging this path to maturity calls for assessing current-state processes and solutions. While there are tools to conduct that assessment, CISOs and health IT leaders should consider using resources that are custom-built for healthcare, like Imprivata’s new, free digital identity maturity assessment.

Assessing Your Digital Identity Maturity

Recognizing the complex and elaborate IT environment, Imprivata specifically designed this tool for healthcare IT leaders and their clinical counterparts to assess their digital identity maturity. Determining where you are in your digital identity journey can be a challenge without the right tools - which is why it’s critical for healthcare to consider resources tailored to their unique architecture. By assessing the following functions, this tool provides actionable guidance to help HDOs achieve an optimal balance of user access, security, and compliance:

  • Governance and Administration: Monitoring and maintaining user access is critical, especially given regulatory standards. With digital identity-based solutions like automated role-based provisioning, user activity monitoring, MFA, and vendor access management, HDOs can improve compliance while streamlining workflows.
  • Identity Management: A single source of truth for managing digital identities and access privileges is essential. Tools like automated identity governance and single sign-on can make this process more secure and less of an IT burden.
  • Authorization: Role-based access policies govern user activity. Hospitals are fluid environments where care providers may take on different roles each day. Automated access governance establishes just-right privileges while preventing unauthorized access for both internal and external users.
  • Access and Authentication: Password-less options for single sign-on and MFA can increase productivity, streamline password resets, and bolster security. Ensuring that access controls and authentication functions sync with clinical operations will improve patient care.


The modern CISO is pioneering this era of digital identity. While the future is full of evolving threats, one thing is certain - those who will be successful are those who can adapt. Assessing your digital identity maturity is the key to taking that first step.

 


Author Bio: Wes Wright is the Chief Technology Officer at Imprivata. Wes brings more than 20 years of experience with healthcare providers, IT leadership, and security. Prior to joining Imprivata, Wes was the CTO at Sutter Health, where he was responsible for technical services strategies and operational activities for the 26-hospital system. Wes has been the CIO at Seattle Children’s Hospital and has served as the Chief of Staff for a three-star general in the US Air Force.

The editorial staff had no role in this post's creation.