Healthcare Identity Governance in the Era of COVID-19

By John Racine, Managing Director of the Identity and Access Management Business, Core Security
Twitter: @CoreSecurity

Five Critical Issues Your Organization Can’t Afford to Overlook

The impact of COVID-19 has been far-reaching across nearly every sector. But none has been so greatly disrupted as the healthcare industry. Managing through this crisis has required healthcare systems to expand some aspects of their workforce and redeploy others virtually overnight in order to transform the way they offer services to patients.

Redeploying resources, leveraging a mobile workforce, increasing provider scope of practice, easing in-state regulatory and licensing requirements, preparing for surge capacity, and providing widespread telehealth delivery capabilities have fundamentally altered the healthcare landscape. In April 2020, the National Governors Association put out a groundbreaking memo calling for specific strategies like these to address the urgent need to quickly augment the healthcare workforce and facility capacity of health systems.

Increased Risk Accompanies an Expanded Healthcare Workforce
The necessity of these actions during the global pandemic and the speed with which they were enacted, however, have opened the door to increased cybersecurity risk within health systems. By relying on redeployed physicians, nurses, medical students, interns, non-employee clinicians, out-of-state practitioners, and other healthcare workers, health systems have accelerated the identity-related access risks of a highly mobile workforce across an expansive network of resources and systems.

Because many healthcare organizations lack a centralized process to manage user access to accounts and resources, they often have limited visibility into access levels users possess to data and systems within the organization. And unfortunately, when accounts are not managed properly or are added and changed quickly, especially in response to the current environment, they are more easily compromised and potentially lead to costly data breaches. According to the Cost of a Data Breach Report by the Ponemon Institute, data breaches across healthcare organizations cost an average of $6.45 million, higher than any other industry.

Further, when contingent healthcare workers have more access than they need, which can occur when the speed of providing clinical access becomes a higher priority than ensuring ‘least privilege’ access, there is more opportunity for attackers to target users with elevated access levels, resulting in increased risk. This risk becomes greater when the excess privileges go unused, because misuse of that access can go undetected for long periods. It is also common for contingent workers not to be incorporated into a system of record, like an HRIS, making it even more difficult to track their access.

Healthcare organizations must also recognize that contingent worker identities come from multiple sources. These disparate sources can include a flat file of input for interns or student nurses, credentialing data from the medical staff office, or ad hoc requirements for data input. This makes it difficult to accurately track a contingent workforce, increasing the risk that personnel may have unnecessary access. These factors significantly increase healthcare information security risks and make it difficult to limit access risks within the health system, especially as healthcare workers try to maintain focus on addressing the growing COVID-19 crisis.

The Compelling Case for Intelligent Identity Governance and Administration
Mitigating identity-related access risks is increasingly challenging in the era of COVID-19. The chaos that results from supporting countless resources, applications, and systems with access to key data is harder to manage than ever before. Many healthcare organizations lack the resources of larger, global enterprises, yet face the same security and compliance demands.

Manual provisioning processes, insufficient visibility into access levels across the organization, and a lack of automation with limited centralized processes frequently lead to overprovisioning, rubber stamping of approval requests and access reviews, excessive distribution of access, orphaned accounts, and increased risks, including insider threats, across the health system. So what actions can healthcare organizations take to mitigate the risks associated with an expanded healthcare workforce?

#1: Harnessing Access Risk Intelligence
One way to reveal immediate threats is to leverage access risk intelligence. Healthcare organizations need to develop deep insights on both current and historic access risk, and should constantly monitor data to understand trends that affect identity risks. By leveraging visual-based intelligence, health systems can examine large amounts of user entitlement data, rapidly correlate access relationships to prioritize risks, and uncover deeply nested and hidden relationships that exist between user identities and their granular access within an organization.

Healthcare systems also need a way to immediately diagnose and instantly reveal hidden access risks in their organization. Arming themselves with actionable information enables health systems to put a plan in place to effectively address their biggest identity risks. This is applicable not only to the risk that is easy to identify, but to access risk that is hidden from direct view or generated in a complex, dynamic environment.

#2: Leveraging Intelligent Role-Based Access
Healthcare organizations can simplify the complexity of access management by taking an approach where it is easy to see which access privileges belong together in a role. Think of a role as a collection of access privileges typically defined around a job title or job function. A role-based approach means identifying and grouping common access privileges across individual users ahead of time so that the resulting roles can be easily used to mitigate risk and improve efficiency.

Using roles, healthcare organizations can have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs and which access to remove. This reduces the time needed to onboard clinicians without introducing the risk of overprovisioning. And with the ability to automatically generate and prioritize lists of intelligently proposed roles, healthcare organizations can enforce least-privilege access and easily adopt a role-based approach for their identity governance programs. This enables them to focus on role definitions rather than individual users, improving the speed of providing access as well as bolstering organizational security.
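The role-mining idea described above, as an added example that is not code from the original article or from Core Security: one candidate role is proposed per job function from the entitlements most of its holders already share, and each user's excess entitlements (removal candidates) and gaps (what onboarding should grant) fall out of the comparison. The user names, job functions, entitlement names and the 60% threshold are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed entitlement snapshot: (user, job function, entitlements held).
# Names are illustrative, not data from any real health system.
USERS = [
    ("ana",  "icu_nurse",     {"ehr_read", "ehr_write", "med_dispense", "lab_results"}),
    ("ben",  "icu_nurse",     {"ehr_read", "ehr_write", "med_dispense", "lab_results"}),
    ("cara", "icu_nurse",     {"ehr_read", "ehr_write", "med_dispense", "lab_results",
                               "billing_admin"}),            # excess: not a nursing entitlement
    ("dev",  "icu_nurse",     {"ehr_read", "ehr_write", "med_dispense"}),  # gap: no lab_results
    ("eli",  "student_nurse", {"ehr_read", "lab_results"}),
    ("fay",  "student_nurse", {"ehr_read", "lab_results", "ehr_write"}),   # excess: write access
    ("gus",  "student_nurse", {"ehr_read"}),                               # gap: no lab_results
]


def mine_roles(users, threshold=0.6):
    """Propose one role per job function: the entitlements held by at least
    `threshold` of that function's users. Returns {function: frozenset}."""
    by_function = defaultdict(list)
    for _, function, ents in users:
        by_function[function].append(ents)
    roles = {}
    for function, ent_sets in by_function.items():
        counts = Counter(e for ents in ent_sets for e in ents)
        needed = threshold * len(ent_sets)
        roles[function] = frozenset(e for e, c in counts.items() if c >= needed)
    return roles


def find_excess(users, roles):
    """Entitlements a user holds beyond the proposed role: removal candidates."""
    return {u: ents - roles[f] for u, f, ents in users if ents - roles[f]}


def find_gaps(users, roles):
    """Role entitlements a user lacks: what role-based onboarding would grant."""
    return {u: roles[f] - ents for u, f, ents in users if roles[f] - ents}


if __name__ == "__main__":
    roles = mine_roles(USERS)
    for function, ents in roles.items():
        print(f"proposed role {function}: {sorted(ents)}")
    print("excess (review for removal):", find_excess(USERS, roles))
    print("gaps (missing role access):", find_gaps(USERS, roles))
```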

#3: Simplifying Access Management Complexity
Providing the right access to users in a timely, reliable manner in accordance with policy is a major challenge for healthcare organizations today. Managers or application owners often find themselves automatically approving access requests or just copying access from an existing user because of the extensive time and resources required to review manual requests. Using paper forms, emails or tickets results in an inconsistent method for creating accounts and does not ensure proper access is approved using the right channels. Mitigating identity-related access risks requires an innovative, automated solution that makes the process of user access requests and approvals easy to complete and adopt.

Automating provisioning and deprovisioning based on the user lifecycle is also essential for healthcare organizations. This includes when a new healthcare employee or non-employee receives initial accounts and access to appropriate systems and applications. This allows access that is approved and granted initially to be fully tracked so that the organization can specifically know who has access to what. Even more important, when the healthcare worker leaves the organization, accounts should be quickly and automatically disabled, preventing any opportunity for individuals to retain access to data upon their departure—with no guesswork.

#4: Taking Advantage of Micro-Certifications
Healthcare organizations also need to take advantage of micro-certifications to ensure they have a set of controls that can quickly identify anomalous access, especially when that access violates an important policy, such as segregation of duties or privileged access. This means that when an access event is triggered in which a healthcare worker has new or different access and entitlements than expected, or gains access through an outside process (commonly referred to as ‘out of band’), a manager or application owner is alerted and can immediately perform an access review scoped to that risk event. Provisioning outside standard processes is a common way for healthcare workers to receive access that is then overlooked when it is time to remove it, especially as contingent workers regularly join and leave healthcare organizations in the current environment.
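The micro-certification trigger described above, as an added example that is not code from the original article or from Core Security: the entitlements observed in target systems are compared with what the governance record (approved roles plus approved exceptions) says a person should have, and each out-of-band grant, segregation-of-duties conflict, or privileged entitlement produces a review event addressed to that person's manager. The roles, entitlement names, SoD pairs and identities are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: approved roles, SoD pairs that one person must not hold
# together, and entitlements treated as privileged. Names are illustrative.
ROLES = {
    "icu_nurse":     {"ehr_read", "ehr_write", "med_dispense"},
    "pharmacist":    {"ehr_read", "med_order"},
    "billing_clerk": {"ehr_read", "billing_submit"},
}
SOD_PAIRS = [({"med_order"}, {"med_dispense"}), ({"billing_submit"}, {"billing_approve"})]
PRIVILEGED = {"ehr_admin", "billing_approve"}

# Governance record: role assignments, approved exceptions, and who reviews.
IDENTITIES = {
    "ana": {"roles": {"icu_nurse"},     "exceptions": set(),                "manager": "mgr_icu"},
    "raj": {"roles": {"pharmacist"},    "exceptions": set(),                "manager": "mgr_pharm"},
    "tia": {"roles": {"billing_clerk"}, "exceptions": {"billing_approve"},  "manager": "mgr_bill"},
}
# Entitlements actually present in the target systems (e.g. a nightly pull).
OBSERVED = {
    "ana": {"ehr_read", "ehr_write", "med_dispense", "ehr_admin"},  # ehr_admin added out of band
    "raj": {"ehr_read", "med_order", "med_dispense"},                # out-of-band grant creates SoD conflict
    "tia": {"ehr_read", "billing_submit", "billing_approve"},        # approved exception, still SoD conflict
}


@dataclass(frozen=True)
class ReviewEvent:
    user: str
    reviewer: str
    kind: str                 # "out_of_band", "sod_violation" or "privileged"
    entitlements: frozenset   # the entitlements the reviewer must certify or revoke


def expected_entitlements(identity):
    """Everything the governance record says this person may hold."""
    return set().union(*(ROLES[r] for r in identity["roles"])) | identity["exceptions"]


def micro_certifications(identities, observed):
    """Emit one review event per policy trigger, scoped to the offending access."""
    events = []
    for user, ident in identities.items():
        actual, reviewer = observed.get(user, set()), ident["manager"]
        if oob := actual - expected_entitlements(ident):
            events.append(ReviewEvent(user, reviewer, "out_of_band", frozenset(oob)))
        for left, right in SOD_PAIRS:
            if left & actual and right & actual:
                events.append(ReviewEvent(user, reviewer, "sod_violation", frozenset((left | right) & actual)))
        if priv := actual & PRIVILEGED:
            events.append(ReviewEvent(user, reviewer, "privileged", frozenset(priv)))
    return events
```

Running `micro_certifications(IDENTITIES, OBSERVED)` yields six events: ana's out-of-band and privileged `ehr_admin`, raj's out-of-band `med_dispense` and the resulting order/dispense SoD conflict, and tia's submit/approve SoD conflict plus her privileged `billing_approve`, which her approved exception does not exempt from review.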

#5: Ensuring Strong Password Management and Authentication
With so many applications and devices, it can be difficult to enforce complex password policies without interrupting operations. It is essential to have strong password management and maintain password policies that enforce complexity and non-reuse rules. For the clinical worker, ease of use and 24×7 self-service availability is necessary to avoid interrupting patient care.

But this must be done in a way that leverages secure and flexible authentication methods. A variety of password reset authentication channels, including mobile reset applications, telephone-based keypad resets, or voice biometrics, increases user adoption rates while maintaining a secure reset channel. Healthcare organizations seeking to mitigate potential risks with healthcare workers should enforce strong password management across the organization and look for a solution that delivers authenticated self-service password management.

High Stakes for Healthcare Organizations During COVID-19
The intensified climate of COVID-19 heightens the need for healthcare organizations to pay attention to identity-related access risks across their workers and their systems, and do so without adversely impacting patient care. Investing in intelligent, efficient identity governance supports regulatory compliance, increases operational efficiencies, and enables healthcare organizations to safeguard valuable health information. Most importantly, it keeps healthcare professionals focused on providing quality care to patients and combating the even bigger risk of COVID-19.