Cybersecurity is a topic that can make any enterprise nervous—and the healthcare industry is no exception. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), there were 466 incidents in healthcare, 304 in which data disclosure has been confirmed.
The need to comply with regulatory measures for protected health information (PHI) should keep healthcare-providing organizations awake at night. Indulging in wishful thinking that you have all the security you need, ignoring the threat in the hope that you have some kind of immunity or patching the systems you already have are inadequate approaches for any organization that handles large amounts of sensitive information.
The potential for lawsuits and steep fines for HIPAA non-compliance is considerable — and real. The Health Information Technology for Economic and Clinical Health (HITECH) Act enforces and strengthens HIPAA regulations. It raises fines for HIPAA non-compliance, enables a wide pool of required HIPAA standards and establishes incentive payment programs for the certified use of electronic health records (EHRs).
In 2018, after determining that cybersecurity in the health industry needed to align with industry standards, another layer of data oversight was added with the Health Industry Cybersecurity Practices (HICP) Act. HICP provides guidance on maintaining consistency in mitigating cybersecurity risks to patient health, business continuity and IT systems.
The Ponemon Institute reported in its 2018 Cost of a Data Breach Study that the global average cost of a data breach is $3.86 million, with the average cost in the US being $7.91 million.
And the cost of a breach can be even higher.
It was reported on July 12, 2019, that a major healthcare provider agreed to a $10 million settlement on a multi-state data breach lawsuit that occurred in 2014 and went undetected until nearly a year later. The hacker gained access to 10.4 million records with highly sensitive member information, including personal contact information, member identification numbers and Social Security numbers. The court’s decision determined that the organization failed to meet minimum HIPAA security standards for PHI. That’s a big price to pay.
This story is the tip of the iceberg: The provider was warned repeatedly by its auditors that there were inadequacies in their security program, but system vulnerabilities and risk of a breach went uncorrected.
These cybersecurity problems are compounded by the lack of a AAA – authentication, authorization and accounting – framework to intelligently controlling access to network resources, enforcing policy enforcement and auditing processes essential for network management and security.
Briefly, authentication provides the validation of user credentials on login to gain access. Once the user’s credentials are authenticated, authorization determines which activities, resources or services can be accessed. Finally, accounting measures the resources allotted for user consumption during access. By deploying a AAA framework to address identity and access management (IAM), you’ll be better positioned to meet regulatory compliance.
1. Establish a strong AAA framework
Off the bat, deploy an AAA framework with a dedicated AAA server program in your network to perform authentication, authorization and accounting functions. This server interacts with network access and gateway servers, as well as with databases and directories that contain user credentials and protocols.
2. Adopt effective identity management technologies
Speed and security seem like contradictory elements when it comes to managing access to the systems and data in the high-stress healthcare environment. Health professionals need quick system access that can respond effectively and securely under severe conditions: for instance, ER admitting, nurses and attending physicians may need near-simultaneous access to personal, medical and insurance information on an incoming patient with a life-threatening injury.
The security of the data and PHI in your system is only as good as the security of your network. A well-managed, AAA-based, secure network that supports IAM technologies with a strong authentication policy can help combat the vulnerabilities and risks that can accompany a high-pressure, shared healthcare environment.
As part of a basic access management policy, organizations of any size benefit by adopting a strong password requirement. This is a solution that should be a part of the implementation of an overall IAM policy.
One of the most prevalent IAM technologies is single sign-on (SSO), a solution that allows users to quickly access multiple systems with a single login. A 2019 KLAS/CHIME survey, “How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines,” encompassing more than 600 healthcare professionals, discovered that 83 percent of the surveyed organizations already implemented SSO. However, while SSO supports multi-system access, its use can be complicated by a single user with different roles that may need access at different levels at different times.
By adopting another IAM technology that’s gaining acceptance, multifactor authentication (MFA), healthcare organizations can implement a required protocol with passwords, biometrics, ID numbers or tokens to create a combination of unique logins to access data, systems, applications or devices. MFA has proven successful at preventing unauthorized access to PHI with stolen credentials. The KLAS study reports that less than half of small health organizations currently use an MFA solution.
3. Ask Insight about their expertise and services to help you build and deploy effective AIM
Insight's secure access services can guide and support any healthcare organization that wants to transition away from a homegrown or insufficient access control to more sophisticated, inclusive IAM technologies with third-party tools. They offer you assessment and testing (for instance, penetration testing) to identify vulnerabilities in your network. This will be used to correctly map a customized set of solutions for building a AAA model within your network as part of secure IAM.
By applying Insight-assisted access management to your network perimeter, as well as endpoint security, secure backup, encryption and a complete portfolio of solutions within your network, you can bring multiple layers of protection to the data across your organization. Insight also enables you to strengthen and maintain role-based access control (RBAC) across departments and facilities and provide remediation when necessary. This will help you retain the fluidity of different roles within your environment without compromising access to PHI.
Insight offers your organization a secure access framework that encompasses IAM, network authentication control, mobile device management, MFA and virtual private networks (VPN), as well as physical system security.
Importantly, Insight’s deep relationship with Microsoft and Microsoft Azure, as well as with major third-party vendors, enables expertise with Active Directory and Azure Active Directory to work with you to strengthen your databases against unauthorized penetration by malware and bad actors.