The following is a guest article by Paul Dant, Senior Solution Consultant at Radiant Logic
Hospitals and healthcare systems are reaching a breaking point. The Covid-19 pandemic didn’t create the industry’s challenges, but it exposed and accelerated them. Years of mergers and acquisitions, siloed data, and persistent staff turnover have left healthcare IT teams managing environments that are more complex, fragmented, and mission-critical than ever. Because of healthcare’s unique challenges and compliance requirements, this can create friction and, in the worst cases, impact patient care. Planning ahead and implementing a strong identity and access foundation improves security and compliance while reducing bottlenecks, creating a better patient and employee experience.
Complications in Healthcare IT
How do IT teams balance security and compliance requirements while giving healthcare providers the access they need to do their jobs? To effectively manage healthcare identity and access, we have to start by understanding the unique needs and challenges of the healthcare system and its workers.
Hospitals largely remain brick and mortar facilities, with physical systems that need to be connected across kiosks, medical devices, and other access points that must all be secure but accessible. Meanwhile, each healthcare facility, from Level 1 trauma centers to university hospitals to regional clinics, tends to be an “island” with its own IT system and tech platform. This creates friction after major events like mergers and acquisitions, when disparate systems have to be integrated, and staff may have to be onboarded or offboarded (or both).
It also creates friction in day-to-day operations, since healthcare providers often operate across multiple facilities with different roles and levels of access required. A surgeon affiliated with a teaching hospital might go from working in the hospital OR to evaluating pre-op patients at the clinic to teaching a course. In the course of a week, that doctor might have three different levels of access, and as they move from setting to setting, they need their identity and access to adjust to the corresponding role.
Patients also move between healthcare systems, with electronic healthcare records (EHRs) that their care teams need to be able to access. In a life-threatening situation, doctors need to be able to retrieve and review patient information quickly, regardless of where the information lives.
On top of the existing complexities of securing human access, non-human identities pose a growing challenge, especially with the increasing use of AI.
About 50% of non-human identities within a healthcare environment are devices, such as iPads, insulin pumps, and dialysis machines. Left unmanaged, these can pose a major threat: IoT vulnerabilities can reveal a patient’s personally identifiable information (PII) or even interfere with their care. Traffic between these devices and the healthcare system must be secured, and patient anonymity must be protected.
You Can’t Take It With You – Or Can You? When Patients and Doctors Move
When dealing with multiple “islands,” adding a layer of abstraction above the individual facility level allows hospitals and clinics to retain their unique systems while enacting identity and access measures across these systems. This enables hospitals and clinics to securely communicate essential data as doctors and patients move between facilities.
Additionally, creating identity “personas” within your IT system ensures that healthcare workers serving in multiple roles or locations can transition from one setting to the next without delay. With one set of credentials, the surgeon at the teaching hospital can access student information when they’re teaching at the university, or they can review patient information at the clinic or hospital. Their access and privileges will adjust depending on where they are and what role they are filling at the time.
Similarly, in a “break glass” scenario where time is of the essence, the care team needs to access patient information, but it is crucial to control that information with a defined model. Outlining parameters in advance for time-limited emergency access based on location and need – along with automatically creating an auditable record of every time these superseding permissions are granted – removes hurdles in an emergency situation, but preserves security and maintains compliance.
Laying the Foundations of Healthcare Identity Brick by Brick (and Cloud by Cloud)
Healthcare IT teams generally do an excellent job of implementing multifactor authentication and ensuring that the person accessing the system is who they say they are. As new software and system requirements come through, IT teams also must foresee potential issues and points of conflict, both in day-to-day healthcare operations and among networks and devices. Increasingly, tech is becoming part of the doctor and patient experience, from AI tools to telehealth platforms, adding an additional layer of risk to address.
Adding third-party vendors and their tech can alleviate heavy provider workloads and improve business operations, but it also increases the potential attack surface. (Estimates vary, but a significant number of attacks originate from third-party partners, including the 2024 Change Healthcare breach.) What are vendors’ security measures? Do they manage risk and cybersecurity on the backend? Are they open to working within your system? Asking questions and testing implementations before rolling out new tech can avert disaster.
If you are integrating AI software into your healthcare process, setting permissions early on for both human and non-human identities will reduce vulnerabilities and improve patient care. For example, an AI notetaker that will provide a summary to the healthcare provider to upload to the patient’s EHR does not need access to diagnostic imaging, let alone full admin access. And human access to the data from that AI notetaker should be limited to ensure HIPAA compliance – just as a doctor’s after-appointment notes would be.
Performing regular audits of both human and non-human identities to ensure that accounts reflect appropriate roles and permissions will help eliminate security vulnerabilities, such as orphan accounts. If staff have left or if the hospital no longer uses a third-party vendor, removing that account from the system removes a potential breach point. Conversely, giving new practitioners prompt access to the files they need will enable them to provide the best care possible to patients.
By planning these scenarios before the doctor arrives at the clinic (or the patient gets to the operating table), you can keep processes running smoothly while protecting sensitive patient data and securing digital and medical devices. With proactive identity management, you can deliver a safe, seamless transition across identity and access points throughout your medical system, no matter how complex.
Paul Dant serves as Senior Solution Consultant at Radiant Logic. He is a lifelong ethical hacker and sought-after advisor with nearly four decades of experience helping organizations anticipate, understand, and outmaneuver real-world adversaries. He’s spent his career demystifying cybersecurity for technical and non-technical audiences alike, presenting at dozens of conferences and consulting for hundreds of organizations.
As an award-winning cybersecurity product innovator, a top-rated RSA Conference speaker, and co-founder of the DEF CON IoT Hacking Village, Paul is known for bridging deep security insight with captivating storytelling and is passionate about making security a driver of innovation, growth, and trust.
No comments:
Post a Comment