Future Proofing Healthcare Security & Identity: Embracing Innovation Without Sacrificing Compliance

It’s an all too common problem in the healthcare industry: organizations need to innovate, but the security risks of new technology — and the demands of regulatory requirements — are too great a deterrent. The end result? Healthcare often trails behind other industries in digital transformation.

But in the current digital climate, any risks from innovation are increasingly outweighed by risks from outdated systems. The only option for healthcare organizations wishing to improve the quality and accessibility of patient care is to move forward with cloud migration, adopting telehealth and integrating new types of devices into their IT environments.

Embracing swift change is vital, but maintaining compliance with stringent regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) is an equal and opposite challenge. Small mistakes can lead to large fines and require costly remediation. Security and risk management leaders must build robust processes and implement solutions that enable them to achieve risk-based access governance, comprehensive visibility, and identity management across their organizations.

This eBook explores how intelligent identity solutions — including Identity Governance and Administration (IGA) and Privileged Access Management (PAM) — can help healthcare providers navigate present-day security and privacy challenges.

The Catalysts for Evolution

Even before the onset of the global COVID-19 crisis, the pace of digital transformation in healthcare was accelerating. Technology adoption is reshaping how patients interact with care providers, how providers decide on treatment protocols and how payers and providers exchange lifesaving data. The benefits are many: technological innovations can improve the quality of care, enhance treatment outcomes, boost efficiency and reduce errors. These innovations can also help providers reduce costs by as much as 7–11%, according to a pre-pandemic study on digital transformation in healthcare conducted by McKinsey & Company.

Today’s patients are embracing technological transformation in many areas of their lives, and as a result, they increasingly expect healthcare providers to deliver access to health information online. They’re also looking to incorporate data from wearables, mobile health apps, and telehealth visits into their interactions with providers — all in an effort to take greater control of their own digital health and wellness.

In addition, the use of the Internet of Medical Things (IoMT) and “smart” medical devices has skyrocketed recently. The U.S. Department of Health and Human Services estimates that there are 10-15 network-connected medical devices per patient bed in U.S. hospitals today. These range from medication dose-monitoring systems to hospital beds that can automatically sense the presence of a patient, to electrocardiogram (EKG) machines, ventilators and defibrillators. As growing numbers of these devices are integrated into health systems’ IT networks, the data management and security challenges increase exponentially.

Naturally, the events of 2020 further amplified the need for digital transformation in healthcare, with a dramatic increase in the number of virtual visits. Providers also increased their use of email, SMS messaging, and other electronic media to communicate with patients. Even with the return of in-person care, virtual models of care delivery will be with us for the long term.

Though the baseline number of outpatient telehealth visits has since dropped from its mid-2020 peak, a 2021 Rock Health survey found that telemedicine remains widely available through primary care physician practices, with 73% of respondents reporting that they expect to continue using it at the same rate or more in the future.

10-15: the average number of network-connected medical devices per patient in the U.S. (Source: US DHHS)

Despite the shifts in technology adoption across the healthcare sector, the regulatory requirements that providers face remain largely unchanged. HIPAA has received no major updates since 2013, though a pending set of rule changes was proposed in December 2020.

This means that although there have been massive increases in data volumes, emerging technologies, and the size of their attack surfaces, healthcare organizations are expected to uphold the same level of security. In 2021, over 50 million healthcare records were exposed or compromised, a 24% increase from the previous year. As a result, fines from HIPAA violations have increased, with last year’s largest penalty reaching $6.8 million following a data breach at Premera Blue Cross, as reported in the HIPAA Journal.

While HIPAA enforcement was relaxed in the spring of 2020 due to the extraordinary stresses the coronavirus pandemic placed upon the healthcare system, it was never abandoned outright. Now that pandemic restrictions are loosening, full-scale enforcement will resume.

Providers and payers alike are also confronting a new wave of consumer-oriented privacy legislation like the GDPR and CCPA, which further ups their risk of being issued fines if found non-compliant. Average GDPR fines spiked to nearly 1 billion Euros in Q3 2021 — 20 times greater than for Q1 and Q2 combined — with Swedish healthcare provider Capio St. Göran paying a 2.9 million Euro penalty for failing to implement appropriate risk assessments and access controls at one of its hospitals.

The prevalence of these financial penalties at least partially explains why data breach costs are so much higher in healthcare than in other industries. Compared to an average cost of $3.86 million across all sectors, healthcare faced an average of $9.23 million per breach between May 2020 and March 2021 — a $2 million increase from the previous year, according to a report from IBM. The cost of data breaches overall is the highest it’s been in the 17-year history of the Cost of a Data Breach Report, at an average of $4.24 million per incident.

Nearly half (44 percent) of the breaches exposed consumers’ personal data, such as names, email addresses, passwords, and even healthcare data — representing the most common type of breached record in the report.

Electronic Health Record Compliance

Around the world, Electronic Health Record (EHR) adoption has become ubiquitous. As of mid-2018, 98% of hospitals in the U.S. had an EHR system in place or an implementation in progress. Adoption will necessarily increase to 100% as the Centers for Medicare and Medicaid Services (CMS) Interoperability and Patient Access Final Rule comes into effect in July of 2021. This rule will require providers and payers to be able to share data from EHRs with the goal of reducing costs and improving patients’ access to their own health information. In the EU, as many as 96% of healthcare providers rely on EHR, with adoption rates near 100% in countries like Estonia, Denmark, Finland, and Sweden.

Because EHR systems are now essential for providing high-quality patient care and sharing information with payers and other providers, it’s imperative that healthcare organizations ensure their systems’ security and ongoing compliance.

$9.23M: the average cost of a healthcare data breach. (Source: IBM Report)

Each Regulation Has Unique EHR Priorities

HIPAA
  • Most information within EHR is considered Protected Health Information (PHI) and is covered under HIPAA.
  • EHR systems must be certified compliant, but merely implementing a compliant software solution doesn’t guarantee compliance. The organization must also have the appropriate administrative, physical, and organizational standards — as well as adopt and enforce compliant policies and procedures.
  • EHR systems must follow the Minimum Necessary rule, whereby all users are limited to the minimum amount of ePHI access required to do their jobs.
  • EHR implementation entails unique user IDs and strong passwords for every user, and should enforce role or user-based access controls.
GDPR
  • E.U. citizens can always share and access their health data securely across member states.
  • The E.U. has standardized EHR formats required within member states.
  • EHR access control strategies and policies must be secure and in full compliance with GDPR.
  • An identity governance provider should have physical data centers located in and limited to the E.U. from which cloud-based services are delivered to E.U. citizens.
CCPA
  • While HIPAA-protected data is exempt from CCPA regulations, many other types of data collected and stored by healthcare organizations are not.
  • CCPA covers any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes website cookies, marketing preferences and fundraising information, among other things.
  • Under CCPA, the principles of least privilege and privacy by design should be applied.
  • Identity validation requires special attention; using automation in identity governance systems can ease and simplify the audit process.

Implications of Telehealth

The COVID-19 crisis sparked a massive rise in virtual healthcare by way of video meetings, but the telehealth category also includes mobile health apps, online patient portals, remote/wearable monitoring, and patient-provider electronic communication. Since these technologies handle and share protected health information (PHI), each one has the potential for security, privacy, and compliance concerns.

Patient portals enable patients to access their own health information while providing interoperability—both of which are required by multiple regulations. But decisions in favor of user experience can open the door for access management challenges. Successful systems maintain a balance between smooth authentication free from bottlenecking and perennial security controls that ensure compliance and prevent fraud.

Remote monitoring offers major benefits, including improved patient care and health outcomes by incorporating accurate patient telemetry data into EHR. This makes it easier for providers to maintain a current understanding of patient conditions and respond rapidly to potential alerts. But the wearables and IoMT devices used for remote monitoring introduce additional security concerns. Often designed without security at the forefront, each device presents unique variables like poor encryption or outdated firmware.

Virtual visits dramatically improve access to care—including behavioral health—but can raise privacy concerns when session content is overheard or if video conferencing data is unencrypted. Including telehealth conferencing within an org’s suite of SaaS applications can increase the number of manageable identities. And when more platforms from third-party providers are in use, consistent controls become harder to enforce.

Challenges in Healthcare Security

Healthcare organizations confront complex and unavoidable industry-specific security risks. Health data is uniquely prized by the criminals who trade it on the black market. According to a recent Trustwave report, a single EHR may fetch up to $250 on the Dark Web, compared to only $5.40 for payment card data, the next most-highly valued record type.

It’s thus unsurprising that the industry has reached a peak in real-world cybersecurity risks. In 2020, the HIPAA Journal reported that there were 642 significant healthcare data breaches—a 25.4% increase from 2019 and 74.5% increase from 2018. Ransomware attack volumes are also up, with threat researchers noting that health systems already under major strain due to the pandemic became the favorite target of several advanced threat groups. According to the 2022 SonicWall Cyberthreat Security Report, the healthcare sector faced a 755% increase in healthcare ransomware attacks in 2021, along with a 71% year-over-year jump in IoT malware.

As growing numbers of healthcare organizations move more of their infrastructure to the cloud, configuration management is absorbing more resources and leading to an increase in configuration-related breaches. In just 90 hours of research, the threat research team at IntSights was able to find 15 databases belonging to healthcare systems compromised by improper configuration.

With continuous growth in cloud usage, legacy technologies and practices are increasingly unequipped for these often-targeted ecosystems. They’re simply unable to protect against today’s sophisticated threats. Basic tools like role-based access control (RBAC) do not meet HIPAA’s explicit requirements, while traditional security technologies such as firewalls that were designed for premises-based infrastructures cannot offer adequate protection for distributed and ephemeral cloud resources.

Identity Sprawl

Healthcare organizations often maintain multiple siloed software systems – from EHR to human resources (HR) solutions, and from education and training tools to new telehealth solutions – and it’s typical for each to have its own independent identity repository. It’s also commonplace for individual employees to fill multiple roles within the same organization. For instance, a student may also serve as a care provider, or a researcher may engage in clinical practice. This means that one individual may need to hold multiple context-specific identities within EHR systems and software applications.

However, HIPAA mandates that consistent information access policies and segregation of duties (SoD) controls be maintained across all systems. It’s also necessary that the rule of least privilege (stipulating that each user has access only to the bare minimum amount of privilege necessary to fulfill their professional responsibilities) be enforced consistently.

To simplify HIPAA compliance, it’s critical to have a single solution that can consolidate information from multiple systems in one place, providing a centralized repository for all of the separate identities that are in use across the organization. Context-sensitive identity solutions can also ensure that each person has the right access at the right time. This will reduce administrative overhead, ease the audit process and strengthen the organization’s overall cybersecurity risk profile.

25%: increase in healthcare data breaches from 2019-2020. (Source: HIPAA Journal)

One Identity for Life

In industries like healthcare, where users’ roles and identity personas are complex and often overlapping, it can be challenging to ensure that each individual has only one single, cohesive identity across the entirety of the organizational IT ecosystem. With a One Identity for Life strategy, all user identities are consolidated and managed centrally. This eliminates information silos, enables risk-based decision-making about access and makes it possible to avoid SoD violations. It also provides broad visibility into who has access to which resources at any given time.

Temporary Employees Play a Large Role in the Healthcare Workforce

It’s common for hospitals and health systems to make use of large numbers of temporary workers. More than 40,000 physicians work in what’s known as locum tenens roles – providing short-term coverage to fill staffing gaps caused by vacations, vacancies or seasonal disease outbreaks. Approximately 94% of U.S. healthcare facilities use locum tenens workers each year. It’s also common for a single long-term employee in a healthcare setting to cycle through different departments or clinical locations over the course of a workweek or month (e.g., a nurse covering both obstetrics and pediatrics rotations).

In either case, the existence of so many temporary roles in healthcare creates significant identity management and compliance challenges. Managing these short-lived identities manually introduces risks that role-based access will be excessive, or that orphaned accounts will become a persistent problem. And the dynamic nature of these roles makes it especially important to provide temporary workers with the right permissions for their current role without allowing them to inherit permissions that are no longer applicable.

Regulatory compliance makes it essential to maintain an audit trail throughout this complex lifecycle of access management. It’s also necessary to enforce control in a way that’s precise and granular. But IGA systems must be flexible enough to ensure that there will never be delays to granting access when it’s needed for patient care, since this could make the difference between life and death in case of an emergency.

Just-in-Time Access

While the rule of least privilege states that users should be granted access to only those resources that are necessary to do their jobs, the concept of Just-in-Time Access states that access — and especially privileged access — should be granted for just the minimum amount of time needed to get the work done. A core component of the Zero Trust security paradigm, Just-in-Time access automatically eliminates privileges after a certain amount of time has passed. This way, permissions don’t linger long after they’re no longer needed, and as users move from one role to another, the appropriate privilege levels can be adjusted dynamically. But users can quickly get access to the resources they need without having to go through a lengthy approval process or prearrange their accounts.

Insider Threats

According to Verizon, nearly half (48%) of the data breaches that took place in the healthcare industry over the past year began with insider threats. This isn’t because healthcare organizations tend to hire more bad actors than other kinds of companies. Rather, it may be due to the fact that individuals with the best of intentions can unwittingly fall prey to cybercriminals when they’re victimized in social engineering attacks or phishing schemes. And healthcare data is among the most valuable types of sensitive information, making healthcare employees exceptionally attractive targets for opportunistic criminals, so they’re more likely to receive higher volumes of email-borne threats.

Further, a HIPAA violation is said to take place whenever an individual has access to PHI that they shouldn’t have access to, regardless of whether this took place intentionally or occurred by accident. However, failing to adhere to identity management best practices makes it possible for insider threats – or errors – to develop into significant breaches. These failures can include providing over-permissioned access, maintaining standing privileges, and having weak or no monitoring processes in place.

Zero Standing Privilege

Zero Standing Privilege (ZSP) helps deliver the robust security and data privacy protections that HIPAA and other regulations require. ZSP entails adopting a proactive approach to access and privilege management. No one holds or is granted access to protected data by default. Instead, each individual access request is evaluated within the context of the risks that it might pose. When privileged access is provisioned, this is done for a limited amount of time only. Superuser accounts, which are dangerous and which tend to multiply in large organizations, are never created in the first place.
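The Just-in-Time and Zero Standing Privilege model described above can be sketched as a small access broker. This is an added example, not code from the eBook or from any vendor product; the class and function names, risk weights, thresholds and TTL ceilings are all illustrative assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=8)          # assumed policy ceiling for a normal grant
BREAK_GLASS_TTL = timedelta(hours=1)  # assumed ceiling for emergency access
RISK_THRESHOLD = 50                   # assumed: requests scoring >= this are denied


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    permission: str
    expires_at: datetime
    break_glass: bool = False


def risk_score(permission, ctx):
    """Toy contextual risk score; the weights are illustrative assumptions."""
    score = 0
    score += 0 if ctx.get("on_shift") else 30
    score += 0 if ctx.get("unit_matches_assignment") else 30
    score += 0 if ctx.get("managed_device") else 25
    score += 15 if permission in ("update", "delete") else 0
    return score


@dataclass
class JitBroker:
    grants: list = field(default_factory=list)  # starts empty: nobody holds access by default
    audit: list = field(default_factory=list)   # append-only trail for compliance review

    def _log(self, now, event, user, resource, detail):
        self.audit.append((now.isoformat(), event, user, resource, detail))

    def request(self, user, resource, permission, ttl, ctx, now, break_glass_reason=None):
        """Evaluate one access request; return a time-boxed Grant or None."""
        if break_glass_reason:
            # Emergency path: never delay patient care, but keep the window
            # short and record the reason so the access is reviewed afterwards.
            grant = Grant(user, resource, permission, now + min(ttl, BREAK_GLASS_TTL), True)
            self.grants.append(grant)
            self._log(now, "BREAK_GLASS", user, resource, break_glass_reason)
            return grant
        score = risk_score(permission, ctx)
        if score >= RISK_THRESHOLD:
            self._log(now, "DENY", user, resource, f"risk={score}")
            return None
        grant = Grant(user, resource, permission, now + min(ttl, MAX_TTL))
        self.grants.append(grant)
        self._log(now, "GRANT", user, resource, f"risk={score}")
        return grant

    def is_allowed(self, user, resource, permission, now):
        # Expiry is enforced at check time, so a grant lapses without any cleanup job.
        return any(g.user == user and g.resource == resource
                   and g.permission == permission and now < g.expires_at
                   for g in self.grants)

    def revoke_user(self, user, now, reason):
        """Drop every grant for a user, e.g. on a role or rotation change."""
        kept = [g for g in self.grants if g.user != user]
        removed = len(self.grants) - len(kept)
        self.grants = kept
        self._log(now, "REVOKE", user, "*", f"{reason}; removed={removed}")
        return removed

    def pending_review(self):
        return [entry for entry in self.audit if entry[1] == "BREAK_GLASS"]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = JitBroker()
    ctx = {"on_shift": True, "unit_matches_assignment": True, "managed_device": True}
    broker.request("nurse1", "ehr:peds", "read", timedelta(hours=2), ctx, t0)
    print(broker.is_allowed("nurse1", "ehr:peds", "read", t0 + timedelta(hours=1)))
    print(broker.is_allowed("nurse1", "ehr:peds", "read", t0 + timedelta(hours=3)))
```
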

Hardening Healthcare

As cloud-based EHR systems become increasingly prevalent in healthcare, security solutions must move to the cloud as well. It’s much more feasible to secure SaaS applications, cloud databases and other cloud resources with a solution that was designed and built for the cloud.

Identity is the New Perimeter

In the days of legacy on-premises computing, security teams relied on what was then referred to as the “castle and moat” approach to protecting IT resources and networks. Traffic behind the corporate firewall was presumed to be trustworthy, user privileges were longstanding, and access was granted to “walled off” resources via virtual private network (VPN) tunnels. This model is incompatible with the shape and nature of today’s cloud-based computing ecosystems. In the modern cloud era, resources are ephemeral and workloads are constantly shifting. Clouds thus require a new kind of perimeter to protect the resources inside them. Identity is this perimeter. Every resource access request should be considered individually, and denied or granted based on a thorough assessment of risk.

To guard this new perimeter in their complex cloud-based and hybrid IT ecosystems, today’s healthcare organizations need identity governance and privileged access management solutions that will enable them to balance the need to share information openly with patients and providers and the need to maintain privacy and compliance. In order to achieve this aim, they’ll have to develop several core capabilities.

Identity and Access Lifecycle Management

It’s critical that healthcare organizations become able to rationalize identities, aligning data and user account access consistently across the whole of their IT ecosystem. To do so, they’ll need to directly link accounts to identities in a single, centralized platform repository that’s tied to any federation platforms in use in the environment.

This will also make it possible to automate provisioning and de-provisioning when identities are added, moved or removed, ensuring that credentials are not orphaned. Necessary for maintaining HIPAA compliance, this capability is also crucial for being able to deliver access whenever it’s truly needed, while removing it when it’s not.

An identity and access lifecycle management solution that incorporates risk-based decision-making will need to bring in-depth knowledge of the existing access and identity context to the decisioning process. Not only can the right solution greatly simplify the process of meeting compliance mandates, but it can save time and reduce labor costs.
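The reconciliation step behind this lifecycle management (linking every account in every siloed system to one identity, then flagging orphaned accounts and entitlements that no current role justifies) can be illustrated as follows. This is an added example, not code from the eBook or any product; the roster, role map, account records and field names are constructed sample data.

```python
from datetime import date

# Constructed sample data: an authoritative HR roster keyed by identity ID.
HR_ROSTER = {
    "id-1001": {"status": "active", "end_date": None,
                "roles": {"nurse_peds", "nurse_ob"}},
    "id-1002": {"status": "active", "end_date": date(2024, 3, 1),   # locum contract
                "roles": {"locum_physician"}},
    "id-1003": {"status": "terminated", "end_date": date(2024, 1, 15),
                "roles": set()},
}

# Constructed role model: role -> set of (system, entitlement) it justifies.
ROLE_ENTITLEMENTS = {
    "nurse_peds": {("ehr", "peds:read"), ("ehr", "peds:update")},
    "nurse_ob": {("ehr", "ob:read"), ("ehr", "ob:update")},
    "locum_physician": {("ehr", "ed:read"), ("ehr", "ed:update"), ("telehealth", "host")},
}

# Constructed account exports from separate, siloed identity repositories.
ACCOUNTS = [
    {"system": "ehr", "login": "arivera", "identity": "id-1001",
     "entitlements": {"peds:read", "peds:update", "icu:read"}},  # icu:read left over from an old rotation
    {"system": "ehr", "login": "bchen", "identity": "id-1002",
     "entitlements": {"ed:read", "ed:update"}},
    {"system": "telehealth", "login": "bchen2", "identity": "id-1002",
     "entitlements": {"host"}},
    {"system": "ehr", "login": "cokafor", "identity": "id-1003",
     "entitlements": {"ed:read"}},
    {"system": "lms", "login": "svc-import", "identity": None,
     "entitlements": {"admin"}},
]


def reconcile(accounts, roster, role_map, today):
    """Return findings as (kind, system, login, detail) tuples.

    ORPHANED: account has no linked identity, or its owner is no longer active.
    EXCESS:   account holds entitlements that none of the owner's current roles justify.
    """
    findings = []
    for acct in accounts:
        person = roster.get(acct["identity"])
        if person is None:
            findings.append(("ORPHANED", acct["system"], acct["login"], "no linked identity"))
            continue
        ended = person["end_date"] is not None and person["end_date"] < today
        if person["status"] != "active" or ended:
            findings.append(("ORPHANED", acct["system"], acct["login"], "owner no longer active"))
            continue
        # Entitlements the owner's *current* roles justify in this system only.
        allowed = {ent for role in person["roles"]
                   for system, ent in role_map.get(role, set())
                   if system == acct["system"]}
        excess = sorted(acct["entitlements"] - allowed)
        if excess:
            findings.append(("EXCESS", acct["system"], acct["login"], ",".join(excess)))
    return findings


if __name__ == "__main__":
    for finding in reconcile(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, date(2024, 4, 1)):
        print(finding)
```
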

The Need to Integrate Identity Governance and EHR

Even as cloud EHR usage continues to grow, the solutions currently on the market do not incorporate native access controls that are adequate to effectively protect patient privacy in situations when diverse user groups have complex and dynamic access needs.

For instance, maintaining the principle of least privilege for temporary workers requires fine-grained control and deep visibility into how access is managed. Individual access requests should be evaluated on the basis of contextual and/or behavioral risk, and access should always be time-limited.

An integrated IGA solution that logs and monitors the state of applied controls and access can streamline the continuous and consistent application of controls. Risk-based analytics can quickly deliver access when it’s needed – in situations when patients’ lives are on the line – without compromising security.

Enforcing the Principle of Least Privilege with Fine-Grained Entitlements

As EHR solutions become more capable, they inherently become more complex. And as they do, the entitlements that individual identities require become increasingly nuanced. These challenges are only exacerbated as increasing numbers of connected devices and interoperable software applications become a part of healthcare IT environments. The complex security hierarchies that develop demand the ability to enforce fine-grained entitlements across the entire IT ecosystem.

Look for a solution that can handle setting specific permissions such as read-only, update and delete, can enable shifting access levels based on context, and can handle SAP T-Codes and Authorization Objects, Oracle EBS Menus and Functions and multiple functionalities within widely-used EHR platforms like Epic and Cerner.

Simplifying Compliance with a Centralized Control Repository and Single Source of Truth Documentation

Compliance requirements impose an additional documentation burden upon healthcare organizations. Not only do they need to implement compliance controls and ensure that they remain in place on an ongoing basis, but they must also be able to prove that they’ve done so. Having readily accessible, “single source of truth” documentation makes it easy to satisfy auditors and regulators’ needs, while streamlining security and IT team members’ jobs.

Saviynt’s Solutions for Healthcare: Embrace Innovation Without Compromising Patient Care

As healthcare providers shift away from on-premises solutions and embrace the cloud, IT teams face a widening threat landscape of new identities, apps, and infrastructure. How do they manage who has access to what, when — and ensure that access is being used appropriately?

Built on Saviynt’s industry-leading Enterprise Identity Cloud (EIC) architecture, Saviynt Healthcare Identity Cloud (HIC) merges critical identity and access management capabilities into one integrated platform that protects people, data, and networks. HIC not only empowers organizations to modernize their identity program, it also ensures a user-friendly experience, streamlined administration, and access controls that help clinicians focus on what matters most: providing excellent patient care.

Empower the Workforce

Natively integrated with mission-critical healthcare platforms like Epic and Cerner, HIC comes ready to run with the apps and infrastructure healthcare organizations already rely on every day. Reduce application onboarding times by up to 90% with an extensive set of pre-built templates, a robust control library, and an intuitive wizard that helps users become productive on day one.

Drive Efficiency

By centralizing all identity management, Saviynt HIC reduces operational headaches by matching and merging identities to enable “one identity for life.” It also streamlines third-party and temporary staff identity management as they join, move, and leave the organization — while lowering the costs and remediation times when access issues arise.

Secure Patient, Employee, and Organizational Data

Saviynt HIC can help move organizations down the zero trust pathway, no matter where they stand today. By providing a 360° view of all applications and identities (even shadow IT), Saviynt analytics with artificial intelligence and machine learning allows deeper insights into how identities are acting throughout the environment and helps establish a roadmap for strengthening controls.

The platform also integrates with other security tools (such as SIEMs and CASBs) to provide holistic access visibility and works seamlessly across the application ecosystem to define SoD controls.

Saviynt HIC also provides privileged access management (PAM) with “break glass” capabilities for just-in-time access and the monitoring and reporting needed to maintain regulatory compliance without impacting services.

Streamline Compliance

With out-of-the-box controls that map to HIPAA, HITRUST, PCI, and other regulations, Saviynt Healthcare Identity Cloud helps you protect sensitive data, deliver continuous regulatory compliance and deliver robust reporting for audits. Organizations can integrate HIC with learning management systems (LMS) to automate controls based on training compliance (i.e., HIPAA training).

As the only cloud identity platform that unifies identity governance and administration (IGA), application access governance (AAG), and privileged access management (PAM) into one business-ready solution, the benefits of Saviynt’s HIC solution suite can empower healthcare organizations to embrace their digital transformation journey with confidence.

Get the capabilities needed to protect sensitive ePHI, maintain compliance, and cultivate a robust security posture — all while embracing innovation and the benefits of cloud.

Saviynt’s Enterprise Identity Cloud helps modern enterprises scale cloud initiatives and solve the toughest security and compliance challenges in record time. The platform brings together identity governance (IGA), granular application access, cloud security, and privileged access (PAM) to secure the entire business ecosystem and provide a frictionless user experience. The world’s largest brands trust Saviynt to accelerate digital transformation, empower distributed workforces, and meet continuous compliance, including BP, Western Digital, Mass Mutual, and Koch Industries. For more information, please visit saviynt.com.
