If we didn’t realise it before, 2017 has proven that no country and no sector is immune to cyber attack. From WannaCry to NotPetya, threats have continued to present themselves to organisations large and small across the globe – and healthcare is no exception.
In a bid to combat the threats heading for our most sensitive information, earlier this year the Australian Digital Health Agency established a cyber security centre to help safeguard the My Health Record system.
In its own words, the centre’s goal is to “ensure Australian healthcare is at the cutting edge of international data security.” Just in time too. Studies show that Australians are putting their health at risk by withholding critical information from healthcare providers because they are concerned there could be a breach of their records.
While news headlines are focused on unwanted intrusions by outsiders, healthcare providers and businesses should keep in mind that approximately half of all healthcare data breaches in 2016 were attributed to insiders, whether due to malicious intent or by accident.
Who are the insiders? They are clinical and operational employees, contractors, vendors and partners – all of whom require access to sensitive data as part of their regular workflow.
The concept of “identity management” must be placed at the heart of a healthcare organisation’s cybersecurity program to provide complete visibility and control over who has access to critical applications and data, including electronic health record systems.
When done effectively, managing access strikes a healthy balance between the need for strong security and the need for streamlined clinical and operational workflow. Ultimately, this enables providers to focus on what they do best – delivering patient care.
For healthcare providers this includes:
- Finding and classifying sensitive information – detecting and locating sensitive and unprotected files residing throughout the entire provider organisation and across cloud and on-premises file shares.
- Gaining visibility into who has access to what – gathering and reconciling identity and access information across all applications and resources, whether on-premises or in the cloud, and creating a governance foundation for establishing controls over that access.
- Monitoring user activity – identifying potentially rogue users attempting to access sensitive health records or making changes to permissions and groups.
- Streamlining access request and delivery – enabling automated access to users based on their role within the organisation, and providing self-service features, which empower users to request additional access within a governance framework.
- Managing complex user relationships – utilising a comprehensive identity model to manage users with multiple identities (or “personas”) common to healthcare providers (e.g. a practising physician who also serves as a department head).
- Maintaining and demonstrating compliance – reducing compliance costs while meeting the highest standards of corporate governance mandated by regulations.
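The capabilities listed above can be made concrete with a small model. The following is an added example written for this page, not SailPoint's code or a description of its product: it derives entitlements from roles, lets one identity hold several personas (the physician who is also a department head), reconciles actual application grants against entitled access to surface over-provisioned or orphaned accounts, and scans an access log for sensitive reads outside a user's entitlements and for changes to permissions or groups. All role names, users, applications and log lines are constructed for illustration.

```python
"""Toy identity-governance model for a healthcare provider.

Added example (not SailPoint code). Everything below, including the
role catalogue, the users and the log format, is constructed.
"""
import re
from dataclasses import dataclass

# Role -> entitlements as (application, permission) pairs. Constructed.
ROLE_ENTITLEMENTS = {
    "nurse":     {("ehr", "read_chart"), ("ehr", "write_vitals")},
    "physician": {("ehr", "read_chart"), ("ehr", "write_orders"), ("pacs", "read_image")},
    "dept_head": {("hr", "read_roster"), ("ehr", "read_audit")},
    "billing":   {("billing", "read_claims"), ("ehr", "read_demographics")},
}

# Entitlements whose use warrants an alert when the user is not entitled.
SENSITIVE = {("ehr", "read_chart"), ("ehr", "read_audit"),
             ("pacs", "read_image"), ("ehr", "read_demographics")}

# Actions that change who has access; always surfaced for review.
PRIVILEGE_CHANGES = {("iam", "modify_group"), ("iam", "grant_permission")}


@dataclass(frozen=True)
class User:
    uid: str
    personas: frozenset  # one identity may carry several roles

    def entitled(self):
        """Union of entitlements across all of the user's personas."""
        out = set()
        for role in self.personas:
            out |= ROLE_ENTITLEMENTS.get(role, set())
        return out


def reconcile(user, actual_grants):
    """Compare grants found in the applications with entitled access.

    Returns (excess, missing): excess is access the user holds but is not
    entitled to (candidate for removal); missing is entitled access that
    has not been provisioned.
    """
    entitled = user.entitled()
    return actual_grants - entitled, entitled - actual_grants


# Constructed log format: "<ts> uid=<uid> app=<app> action=<perm> ok=<0|1>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\S+) app=(?P<app>\S+) action=(?P<action>\S+) ok=(?P<ok>[01])$"
)


def parse_log_line(line):
    """Parse one access-log line; returns None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ok"] = ev["ok"] == "1"
    return ev


def find_suspicious(users, log_lines):
    """Return (uid, (app, action), reason) for events that need review."""
    by_uid = {u.uid: u for u in users}
    findings = []
    for line in log_lines:
        ev = parse_log_line(line)
        if ev is None or not ev["ok"]:
            continue  # skip malformed lines and denied attempts
        key = (ev["app"], ev["action"])
        user = by_uid.get(ev["uid"])
        if user is None:
            findings.append((ev["uid"], key, "no governed identity"))
        elif key in PRIVILEGE_CHANGES:
            findings.append((ev["uid"], key, "permission/group change"))
        elif key in SENSITIVE and key not in user.entitled():
            findings.append((ev["uid"], key, "sensitive access outside entitlements"))
    return findings


# Constructed sample data.
USERS = [
    User("dr_lee", frozenset({"physician", "dept_head"})),  # two personas
    User("nurse_kim", frozenset({"nurse"})),
]
ACTUAL_GRANTS = {
    "dr_lee": {("ehr", "read_chart"), ("ehr", "write_orders"), ("pacs", "read_image"),
               ("hr", "read_roster"), ("ehr", "read_audit"), ("billing", "read_claims")},
    "nurse_kim": {("ehr", "read_chart")},
}
LOG = [
    "2017-11-02T09:14:03Z uid=dr_lee app=ehr action=read_chart ok=1",
    "2017-11-02T09:15:10Z uid=nurse_kim app=pacs action=read_image ok=1",
    "2017-11-02T09:16:44Z uid=nurse_kim app=ehr action=read_chart ok=1",
    "2017-11-02T09:20:01Z uid=contractor_x app=ehr action=read_demographics ok=1",
    "2017-11-02T09:21:30Z uid=dr_lee app=ehr action=read_audit ok=0",
    "garbage line that should be ignored",
    "2017-11-02T09:22:00Z uid=dr_lee app=iam action=modify_group ok=1",
]

if __name__ == "__main__":
    for u in USERS:
        print(u.uid, reconcile(u, ACTUAL_GRANTS[u.uid]))
    for f in find_suspicious(USERS, LOG):
        print(f)
```

Run on the sample data, the reconciliation shows dr_lee holding a billing grant that neither persona entitles and nurse_kim missing a provisioned entitlement, while the log scan flags the nurse's image read, the contractor account with no governed identity, and the group modification; the denied audit read and the malformed line are ignored.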
There’s no doubt about it, the healthcare sector will always be a target for data breaches. To effectively manage risk, healthcare organisations must be proactive in their approach to dealing with these threats – after all, prevention is better than cure.
Identity management is one of the key ways for the healthcare industry to confidently meet healthcare regulatory compliance audit requirements, while securely managing access to sensitive data and optimising clinical and operational workflow.
Kevin Cunningham is the chief strategy officer and cofounder of Sailpoint.