This guest blog was contributed by Zubaid Kazmi, Managing Director, Identity Access Management, MorganFranklin Consulting
In January, Lurie Children’s Hospital of Chicago was hit by a cyberattack that forced the organization to shut down its network. While the hospital remains operational, it is still working to restore its computer systems, leaving email, phones and other electronic systems affected.
This is just the latest attack spotlighting increasing threats against healthcare organizations, making it more important now than ever to closely monitor who and what is connected to hospital networks.
To help mitigate the risk of cyberattacks, hospitals should proactively develop a centralized identity and access management (IAM) system. IAM systems play a crucial role in hospital cybersecurity by helping detect inappropriate access and permissions risks, serving as both preventive and detective measures and allowing hospitals to take action before incidents become major problems.
Hospital security leaders should focus on three key areas to create a robust IAM program that reduces the impact of cyberattacks on patient safety, revenue, reputational loss, and operations.
Implement a centralized dashboard to provide essential, real-time IAM functions.
User rights and privileges, or simply who in an organization has access to which data and systems, need to be readily visible to the security team. Using IAM platforms and tools provides a scalable and automated foundation for granting access, password management, compliance, and identity-enabled visibility.
Implementing a centralized IAM system enables an organization to achieve full visibility and control over its information. These solutions can also help reduce manual workload and save a security team’s time. For example, automating standard procedures and threat alerts can give security teams more time to focus on real-time monitoring and intercepting potential remote access threats.
Manage access and risk.
In many healthcare organizations, staff have access to more systems than needed to perform their core duties. To keep information safe, access to data and other valuable assets should be limited and permissions requests should be accurately validated. There are several ways to reduce access, but no one approach stands alone. Determining the best combination of strategies will depend on how an organization currently accesses data and its larger security objectives.
Web Single Sign-On: Multiple parts of an organization’s internal and external web presence require user authentication and authorization to properly secure sensitive data. Web single sign-on frameworks simplify this process by maintaining a user’s authenticated state throughout their entire web session.
Adaptive Access: Different information and resources carry different levels of risk. Adaptive access enables an organization to easily require more robust authentication for riskier assets while easing accessibility for low-risk resources.
Reverse Proxy: A reverse proxy sits behind the company firewall, in front of the internal web servers, and forwards web requests to the appropriate server for a response. Because clients only ever talk to the proxy, this simplifies the user experience and reduces the amount of information about an organization’s internal network structure that is exposed to third parties.
Federation Login: Contractors and partner organizations require limited systems access, but creating accounts for them within an organization’s own identity management system is time-consuming and adds complexity. Federation enables secure identity sharing across organizations, simplifying authentication and access management for partner organizations.
Role-Based Access Control (RBAC): RBAC bundles the access pre-approved for a given role or responsibility across an organization into groupings that can be assigned dynamically or requested through self-service by individuals and management teams.
Implementing new or updated access procedures should also work with existing internal or external frameworks, policies, and technologies. This enables a seamless transition to a new IAM model, promoting appropriate access to data and resources across an entire organization.
Develop checklists to securely manage employee onboarding and offboarding.
While security programs primarily focus on mitigating external threats, employees themselves can pose the same or greater security risk to hospitals and patients, whether purposefully or accidentally. Human security risks come in a variety of different forms:
Social Engineering and Phishing: Social engineering attacks aim to gain physical access to a secure area or system through human interaction rather than a technical exploit. These attacks often rely on convincing phishing messages. Phishing can happen via email, telephone (voice phishing or vishing), text message (SMS phishing or smishing) and even on social media.
Insider Threats: Insider threats are caused by employees, contractors and vendors who have access to the hospital’s systems, and they can occur unintentionally, intentionally, or collusively.
Negligent Behavior: Employees can also inadvertently place data and security at risk by doing things like insecurely using applications and devices or sharing passwords.
These types of human-based threats can also increase during transitional periods, so it’s important to have IAM plans and procedures in place to minimize their risk. Developing checklists to control access during onboarding and offboarding processes can help ensure smooth changeovers. Additionally, employee security training should cover how to manage security risks within your specific organization in addition to traditional topics such as recognizing phishing and reporting lost devices.
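One way to make the RBAC groupings and the offboarding checklist above detective as well as preventive is a periodic entitlement review. The following added example (not the author’s or MorganFranklin’s code) compares each account’s actual access against a constructed role baseline and flags excess entitlements and orphaned accounts belonging to offboarded staff; the role names, systems and account records are all constructed for illustration.

```python
"""Role-based entitlement review for a hospital IAM program.

Added example, not the author's code. A role baseline (RBAC) maps each job
role to the systems it is pre-approved for; actual account entitlements are
compared against it to flag over-provisioned accounts (more access than the
role needs) and orphaned accounts (offboarded staff whose access remains).
Roles, systems and sample records are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed role baseline: the access pre-approved for each role.
ROLE_BASELINE = {
    "nurse": {"ehr", "email", "badge"},
    "billing": {"billing", "email", "badge"},
    "it_admin": {"ehr", "email", "badge", "ad_admin", "backup"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: frozenset
    employed: bool  # False once HR marks the person as offboarded


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str  # "orphaned" or "excess"
    detail: frozenset  # the entitlements that should be revoked


def review(accounts, baseline=ROLE_BASELINE):
    """Return findings: orphaned accounts and excess entitlements per user."""
    findings = []
    for acct in accounts:
        if not acct.employed:
            # Offboarding gap: the person left but the account still has access.
            findings.append(Finding(acct.user, "orphaned", acct.entitlements))
            continue
        # An unknown role has no approved access, so everything is excess.
        excess = acct.entitlements - baseline.get(acct.role, set())
        if excess:
            findings.append(Finding(acct.user, "excess", frozenset(excess)))
    return findings


# Constructed sample: a nurse holding admin rights and a departed biller.
SAMPLE_ACCOUNTS = [
    Account("nurse01", "nurse", frozenset({"ehr", "email", "badge"}), True),
    Account("nurse02", "nurse", frozenset({"ehr", "email", "badge", "ad_admin"}), True),
    Account("bill03", "billing", frozenset({"billing", "email"}), False),
]

if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS):
        print(f"{f.user}: {f.kind} -> revoke {sorted(f.detail)}")
```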
IAM for healthier security.
As increasing cyberattacks continue to plague the healthcare industry, hospitals can significantly improve their security by gaining better data protection across their organizations. An IAM program should be the foundation of any hospital security plan, including implementing a centralized management system to secure employee and device access and monitor sensitive information. IAM programs have the power to mitigate potential cybersecurity risks and ultimately protect patient information, hospital systems, reputations, and revenue.
About the Author
Zubaid Kazmi is the Managing Director for Identity and Access Management at MorganFranklin Consulting. Prior to joining MorganFranklin, Zubaid held managing director and director positions at large and boutique consulting firms with a specific focus on Identity & Access Management and Digital Identity governance. With over 20 years in professional services, Zubaid brings his experience advising clients on how to realize their IAM transformation objectives while advancing their compliance, security, and business initiatives.