Core Advisory
Risk Transformation
Enterprise Security Architecture
Cyber Defense and Incident Response
Emerging Technologies & AI
By Lawrence Wolf, Managing Partner
Today’s environment has created unprecedented challenges as healthcare organizations struggle with the management of internal and external identities. During COVID-19, they have been forced to make instant operational shifts which has created security and compliance concerns increasing provider risks.
The healthcare attack surface is clearly expanding. Employee and contractors connecting into systems remotely has soared this year. Additionally, many affiliated organizations, partners, suppliers, and patients are also connecting remotely, in numbers that dwarf anything healthcare saw before 2020. IoT devices within medical buildings are also exponentially increasing, as monitors and devices of all kinds are getting smarter. Consumer-grade IoT devices are also sharing network connections with all of those who are connecting remotely—plus in some cases unauthorized IoT devices are being introduced in medical buildings through Shadow IT and, worse, from cyberattackers posing as patients—and IoT alone is a major security concern.
How can healthcare organizations operate more securely, efficiently, govern and comply to regulatory mandates given today’s environment?
The answer is to become a more digital enterprise.
A more digital organization leverages a holistic security framework with compliance integrated into the solutions. A transformed digital organization can accelerate records processing, eliminate medical errors caused by manual processes and procedures, deliver a faster, easier, more secure experience for patients. This can also simplify secure onboarding and access of third-parties, non employees and employees. In short, it makes the organization more nimble—particularly in times of crisis.
Give the right person the right access at the right time
A big issue for healthcare companies during a pandemic has been hospitals need to bring in a lot of new people quickly. In this accelerated environment, the normal social security sensors—”Wait a second, I don’t know who you are, we need to double check this person”—are much less effective. Employees must place even more trust in company authentication systems.
Security controls and authentication are potentially even more important when it comes to third-party access. One of the biggest recent healthcare breaches involved a third-party bill collection firm that revealed the data of 24 million patients across 17 health institutions.
Many healthcare organizations are having trouble providing timely system access to vendors, affiliates, physician practices and customers. In some cases, health systems have grown through acquisitions, which tend to create large groups of disconnected users. Using manual processes, it can take weeks—or longer—to effectively onboard and offboard users. Digital companies can use a Bring Your Own Identity (BYOI) approach to automate these processes.
Offboarding former users who no longer need access—such as terminated employees or partners—is one of the biggest risks for any enterprise. A digital organization can use AI to review and verify correct user access for security and compliance and terminate access in a timely manner.
Here are some of the pandemic-induced operational changes healthcare companies are experiencing.
Updating databases with current patient information
Once ubiquitous, COVID protocols have thankfully eliminated waiting room clipboards from almost all medical practices. The critical security and compliance question is: What replaced them?
Some practices are still using paper but with a tiny dose of digital. In this hybrid scenario, forms are scanned at the medical facility and turned into a static PDF—meaning one that can’t be digitally filled. Patients must print the form, fill it in by hand (with legibility a function of how readable their writing may or may not be) and then either fax it to the medical office or, in a worst case scenario, physically hand the paper form to the medical staff, who then must read the possibly illegible handwritten form (data errors here could be life-threatening), type the data into the system and then shred the paper.
Other practices have gone all digital, with patients filling out forms entirely on a mobile or desktop device. Securely transmitted digital forms eliminate the need to rekey data and protect highly sensitive and personal health data from being intercepted.
Telehealth security and privacy
Using a proper and secure telehealth system is critical and yet we are still seeing medical offices switching to insecure consumer-grade services. This is just asking for privacy leaks and compliance problems.
Even though the US Department of Health and Human Services Office for Civil Rights (OCR) has said they will not impose penalties for noncompliance with regulatory requirements under HIPAA during the COVID-19 national emergency as it relates to telehealth services, medical practices may be using audio and video communication technologies that put the practice and their patients at much greater risk of data leakage—both PII (relevant to GDPR and the California Consumer Privacy Act) as well as deep medical data that is germane to HIPAA and similar regulations.
Questions that must be asked to mitigate telehealth security and privacy concerns include: Is the physical telehealth environment secure? Is it in an apartment with walls thin enough that neighbors can overhear sensitive protected discussions? Is it done from a home near digital devices that are constantly listening, such as a smartphone, an Amazon Echo, Apple HomePod or Google Assistant? Are the calls happening within earshot of family members or visitors?
Third-party medical testing services
Another positive change thanks to the new pandemic protocols is that patients hand-carrying medical test results, such as x-ray films or CDs of scans, is becoming scarce. When these forms of medical records and communications are transmitted digitally, practices must ensure that it’s being done in a controlled, secure manner that satisfies regulators. For efficiency, all such transmissions should be automatically coded and appended to the patient’s EHR/EMR.
Sharing security credentials
One age-old medical shortcut that the new COVID-19 environment has not lessened is the practice of physicians/nurse practitioners/physician’s assistants sharing their credentials with support staff because the professional doesn’t take the time to log in and personally handle the tasks. This undermines the authentication process and can complicate compliance efforts.
Proper procedure is to for support staff to have their own credentials so they can process items based on instructions from the professional.
Webinar: Securing Access to Internal and External Identities Leveraging an Integrated Platform
On September 30, 2020, IAM experts from Edgile, SailPoint and Microsoft will present a webinar on enabling and securing the modern healthcare workplace. You’ll learn how you can leverage your investments in Microsoft 365 Azure AD and SailPoint IdentityIQ to use one platform for a holistic view of both internal and external users.
Using relevant case studies, we will demonstrate how you can:
- Secure workforce access to cloud and on-premises applications in minutes instead of weeks;
- Use AI to review and verify correct user access for security and compliance;
- Protect ePHI, PII and other sensitive information in the cloud and on-premises;
- Periodically recertify access on a per user basis;
- Terminate user access in a timely manner;
- Save on software licensing costs.