This post was originally posted on Healthcare IT News.

An identity and access management expert illustrates this critical area of information security and offers tips on how to best control who is accessing protected health information.

The principle of least privilege or “minimum necessary” access rights for accounts use in a healthcare setting – such as access to electronic health records or payment information – often is overlooked, inappropriately configured, and not consistently measured and managed.

This “state” can lead to accidental disclosure, data spillage/leakage, or a crime of opportunity. In 2019, an organization should have a mature level of control for who has access to what and an understanding of when/how the access is used (auditing), said Ray Hillen, managing director of cybersecurity at Agio, a managed IT and cybersecurity company.

There should also be a framework for adapting these access rights based on personnel changes within the organization – for example, if an employee is promoted, or if one departs the organization, he added. Anything less can be seen as willful neglect, subject to the highest level of civil money penalties, and may rise to a criminal level, he stated.

Origins of data privacy breaches

“Past events demonstrate that employees and business associates, often accessing sensitive systems in the course of their duties, have been an origin of data privacy breaches,” Hillen explained. “Additionally, there are regulatory factors at the state and federal level that consider identity and access management a ‘standard’ today versus a ‘best practice.’”

Research and consulting firm Gartner defines identity and access management as the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. It is a set of business processes, information and technology for managing and using digital entities.

“The fundamental principle of identity and access management is one electronic/digital identity, one user,” Hillen said. “The organization must then maintain, modify and monitor that identity for as long as the user requires it. This is the ‘access lifecycle’ and allows that user to perform specific tasks. Roles are characterized according to job requirements, including authority and responsibility.”

“Organizations need to delineate the current systems, determine where the electronic PHI data ‘lives,’ and outline workflows to inform decisions about roles, configurations and privileges.”
Ray Hillen, Agio

A robust identity and access management program also includes user access review, he added. The ability to track that single digital identity is meaningless if no one in the organization evaluates a user’s activities, he explained.

“With the human and electronic risks present in healthcare, internally monitoring your organization’s user access is an important way to protect information,” he advised. “In larger corporations, employees enter and exit your workforce on a rotating basis. Further, they change positions within your organization.”

Healthcare is highly targeted

While strict access and security rules and regulations are reasons for implementing a strong identity and access management program, they are not the only reasons. The healthcare industry as a whole is highly targeted in terms of cybersecurity simply because of the value of healthcare records.

Names, addresses, social security numbers and even credit card data are collected. Regulators and patients alike expect their data to be available only to those who actually need it.

“Providers also are turning to mobile device usage as part of quality care improvement initiatives, cost reduction strategies and patient demands,” Hillen noted. “Telemedicine, for example, can reduce external costs associated with healthcare delivery, so much so that the global market for Health is expected to reach $60 billion by 2020.”

mHealth devices, however, are a challenging entry point to manage – the sheer numbers and types of devices can overwhelm even the most mature of IT departments. Simply keeping an accurate inventory is complex and difficult and, while mobile device management (MDM) systems make access management easier, it’s no panacea.

Identity and access management

The basic components of an identity and access management program, Hillen stated, include:

  • How individuals are identified in a system.
  • How roles are identified in a system and how they are assigned to individuals.
  • Adding, removing and updating individuals and their roles in a system.
  • Assigning levels of access to individuals or groups of individuals.
  • Protecting the sensitive data within the system and securing the system itself.

 

“Organizations need to delineate the current systems, determine where the electronic PHI data ‘lives,’ and outline workflows to inform decisions about roles, configurations and privileges,” Hillen advised. “Using this baseline, organizations should also consider the future state of their network infrastructure and any changes to offered services.”

Healthcare organizations also should review roles versus access configurations and determine whether they are appropriate for the needs of the users, he added. For example, a nurse floater role will need access to more areas/departments than a nurse who is tasked specifically to ICU.

“CISOs need to review existing policies and procedures for authorization, identify verification and monitoring of use to confirm they are consistent with recent regulatory guidance and system capabilities,” he stated. “In addition, one should review auditing requirements to avoid ‘alert fatigue’ and confirm that the logging is capturing the data necessary for effective decision making.”

Improving awareness and procedures

Healthcare organizations should involve, at minimum, the compliance officer, security and privacy officers, human resources, department and division managers, and information technology personnel in identity and access management. Involving the right people means that an organization can make enterprise-wide changes without undue disruption to patient care, Hillen said.

“A proactive access management program ensures that systems maintaining or processing sensitive electronic PHI data are available only to authorized individuals in the context of healthcare operations,” he said. “Access review protocols enable the organization to respond to inquiries, address security and privacy incidents, and prevent data breaches by detecting anomalous activity.”

Hillen offers five steps healthcare CIOs and CISOs can take now to improve identify access management awareness and procedures:

  1. Review administrative account access to servers and workstations. “Local admin” access often is overlooked with respect to end-points and can lead to unintended privileged access to systems or data.
  2. Review the process for elevated access requests and ensure that there is a strong separation of duties policy for administrative access. For example, a database engineer may need temporary privileges while a database administrator is absent. Such modifications should not be made unilaterally.
  3. Review group/shared accounts for necessity, then monitor their use for any anomalies or misuse.
  4. Review physical access logs for inappropriate access, such as an employee entering a restricted area outside of their normal work hours.
  5. Finally, review terminated employees, off-boarding workflows and employees with extended leaves of absence. A common finding is that terminated employees still have access to sensitive date 48 hours after their termination.