How One Identity for Life Improves HIPAA Compliance
Proper identity management is challenging for any enterprise organization. Consolidating an individual’s information from accounts across the entire organizational IT ecosystem to form a single comprehensive identity is a daunting task. Yet proper identity management is critical for appropriate access, reducing risk, and improving compliance.
The stakes are high in heavily regulated industries like healthcare, and cybercriminals are everywhere. In 2019 alone, there were more than 4 million records disclosed due to unauthorized access or disclosure incidents. The following year, insider threats caused 48% of healthcare data breaches.
Patient care is often life or death, so healthcare workers don’t have time to wait for access. Meanwhile, Health Insurance Portability and Accountability Act (HIPAA) compliance mandates least privilege for every account that touches protected health information (PHI). And breaches result in significant federal and state fines. IBM Security places the cost of healthcare breaches at $7.13 million, which is the highest in any industry.
Healthcare organizations usually have a series of systems — Human Resources (HR), Electronic Health Records (EHR), educational systems, parking, and other administrative systems — each generating its own identity information. These systems list workers and their accounts in various ways and possibly under different names. Due to asynchronous data collection and infrequent syncing, these systems aren’t storing the same, up-to-date information. This makes tracking each individual’s level of information access increasingly difficult for security professionals who must show continuous compliance with HIPAA regulations and mitigate segregation of duties (SoD) violations.
Healthcare information security teams need a cohesive, authoritative solution that consolidates information from multiple systems and links together all separate identities. This makes collecting evidence of compliance for presentation at an audit faster. Managing identity sprawl not only improves HIPAA compliance, it also helps bolster an organization’s cybersecurity risk posture.
Identity Context Switching
There’s an inherent complexity to managing identities and access in healthcare settings. It’s not uncommon for a single identity to have multiple roles, each requiring a different level of access. For example, it’s likely that many staff members at a university-affiliated hospital are also students. To ensure that an individual has the right access at the right time, it’s important to determine the current context of each identity. Make sure to first decide on a primary role, and then set the initial privileges and permissions accordingly. Later, that access can change as the person’s purview evolves.
An authoritative identity solution must also track context. When an individual unlocks access to a source, the system should assess the context and only allow actions for the current role in question. In other words, users should be provided access directly in line with their context at the time, and this access should be prevented or removed once that context changes. Identity governance and administration, access management, and privileged access management platforms have to work together to make this happen.
One Identity for Life
Each person in your organization can have several identity sources. People often transition to different roles or hold two or more roles at once. Their identities may be linked to domain controllers, HR systems, or other authoritative sources. This often leads to a variety of unique identifiers, as well as to a disassociation between individuals and what they can access.
Making a Match
Through artificial intelligence and machine learning, modern Identity Governance and Administration (IGA) solutions can identify patterns that correlate accounts and assess the confidence level in an individual’s identity. By implementing the One Identity for Life approach, healthcare managers can tie access directly to specific individuals. This “match and merge” technology is key to understanding the organization’s security posture and can be essential in satisfying HIPAA, Health Information Technology for Economic and Clinical Health (HITECH) and Segregation of Duties (SoD) requirements.
Saviynt’s “match and merge” technology consolidates information from multiple systems
One ID to Bind Them All
An authoritative ID is the single identifier, unique to a specific individual, that all other identities reference. While some organizations already have an internal identifier such as an employee ID or person ID to use, healthcare organizations are more complex, with multiple identifiers that lack a common binding.
Utilizing a single authoritative source of information helps generate a core identity record. All other identity information is examined against it to discover overlapping accounts. For example, if HR records are the authoritative source, then that data is cross-verified with government identity documents and other sources to ensure it is valid. Also, users tend to provide accurate information when their paychecks are involved. All other systems then validate their identity information against that HR identity record.
Keep Your Data Clean
When implementing One Identity for Life, take care that each new identity you create is unique and not a duplicate. As a best practice, make use of common fields with unique identifiers, such as home or mobile phone numbers. If you do have any duplicate identities, take steps to eliminate them while consolidating any information. Otherwise, you run the risk of having SoD violations or situations involving inappropriate access arise. Sanitizing data in this way is especially important when it comes to people who have left and later returned to the organization because they may have retained multiple identities.
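As an added illustration of the "match and merge", authoritative-source and clean-data points above (example code written for this page, not Saviynt's product or any real IGA implementation), the routine below links account records from several hospital systems to an authoritative HR record by normalizing common fields (email and phone number), and flags identities that hold more than one account in the same system, the returning-employee case. All records, system names and identifiers are constructed sample data.

```python
import re
from collections import defaultdict

def normalize_phone(raw):
    """Keep the last 10 digits so '(555) 010-2001' and '+1 555 010 2001' match."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:] if len(digits) >= 10 else None

def normalize_email(raw):
    return (raw or "").strip().lower() or None

# Constructed sample data. HR is the authoritative source; other systems list
# the same people under different account names and loosely formatted contact data.
HR_RECORDS = [
    {"hr_id": "E1001", "name": "Maria Lopez", "email": "Maria.Lopez@hospital.example", "phone": "(555) 010-2001"},
    {"hr_id": "E1002", "name": "Dan Okafor", "email": "dan.okafor@hospital.example", "phone": "555-010-2002"},
]
SYSTEM_ACCOUNTS = [
    {"system": "EHR", "account": "mlopez", "email": "maria.lopez@hospital.example", "phone": ""},
    {"system": "University", "account": "lopez_m", "email": "", "phone": "+1 555 010 2001"},
    {"system": "Parking", "account": "P-7781", "email": "", "phone": "5550102002"},
    {"system": "EHR", "account": "dokafor2", "email": "DAN.OKAFOR@hospital.example", "phone": ""},  # rejoiner's new account
    {"system": "EHR", "account": "dokafor", "email": "", "phone": "555 010 2002"},  # account from the first stint
    {"system": "EHR", "account": "guest01", "email": "", "phone": ""},  # nothing to match on
]

def match_and_merge(hr_records, accounts):
    """Return ({hr_id: merged identity}, [accounts no HR record could bind]).
    Each merged identity lists its linked accounts per system."""
    index = {}  # (field, normalized value) -> authoritative hr_id
    for rec in hr_records:
        for key in (("email", normalize_email(rec["email"])), ("phone", normalize_phone(rec["phone"]))):
            if key[1]:
                index[key] = rec["hr_id"]
    identities = {r["hr_id"]: {"name": r["name"], "accounts": defaultdict(list)} for r in hr_records}
    unmatched = []
    for acct in accounts:
        keys = [("email", normalize_email(acct["email"])), ("phone", normalize_phone(acct["phone"]))]
        hr_id = next((index[k] for k in keys if k[1] and k in index), None)
        if hr_id is None:
            unmatched.append(acct)  # needs manual review rather than a guessed link
            continue
        identities[hr_id]["accounts"][acct["system"]].append(acct["account"])
    return identities, unmatched

def duplicate_accounts(identities):
    """Identities holding more than one account in the same system: candidates for cleanup."""
    return {hr_id: {sys: accts for sys, accts in ident["accounts"].items() if len(accts) > 1}
            for hr_id, ident in identities.items()
            if any(len(a) > 1 for a in ident["accounts"].values())}
```

Accounts that match no authoritative field are returned separately rather than silently merged, since a wrong link is itself an inappropriate-access risk.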
Adopting a One Identity for Life approach helps healthcare organizations streamline management by having a single location to manage identities. This is important when it comes to establishing a risk-based assessment of access requests as required by HIPAA. Think of it as a single source of truth for what records an individual may or may not access, preventing toxic SoD violations. One Identity for Life takes a smarter and safer approach to identity management by establishing a cohesive identity that works throughout your organizational IT ecosystem.