Identity + RBAC Tighten Security in Healthcare
As worries about coronavirus (also known as COVID-19) mount daily, healthcare and health care organizations work valiantly to deliver quality healthcare. Potential exposure of health care workers to COVID-19 risks further shortages of hospital staff and clinical service providers. This presents a security challenge in rapidly authorizing individuals to fill needed roles as they are temporarily vacated. Role-based access control (RBAC) has long been the standard many organizations adhere to when establishing security and limiting access to resources. In a rapidly changing environment RBAC alone falls short of meeting data privacy and security needs.
Role-based Access Control (RBAC) is Challenging to do Right
Implementation of role-based access controls (RBAC) alone no longer aligns with the needs of modern healthcare or the incorporation of cloud software and ecosystems. RBAC indicates the use of static roles and groups to restrict access to sensitive data and critical systems with a set it and forget it mindset. In the past RBAC alone was sufficient, but cloud migration strategies and a fluid workforce require time-bound access to maintain proper governance. Healthcare organizations have a dynamic structure and must accommodate individuals working in varying shifts, multiple clinics, or research areas, which requires shifting permissions depending on their duties at a given time. RBAC alone simply cannot keep pace with modern healthcare security needs.
Healthcare organizations, like most modern enterprises, focus on external threats. This is important but fails to consider the threat within their own walls can elevate their risk, because according to 2019 Verizon Data Breach Investigation Report internal threat actors are a primary cause of data breaches. RBAC lacks the agility the healthcare systems need to address the access of individuals working the same position but in different areas, such as a nurse working in the ER one day but assigned to a floor shift the next day. If all access is driven by RBAC, individuals such as our hypothetical nurse may be assigned far greater permission sets than necessary to meet their shifting job roles, which opens the gate for potential violations of the principle of least privilege and expands our exposure. When a breach happens due to an account misuse, an overly wide scope of access increases the already-steep impact at an average of $408* per record.
Healthcare organizations are no stranger to emergencies and require the ability to allow healthcare workers to rapidly access data for patient care. RBAC does not allow for the quick delegation of access in a world where seconds could mean life or death. Near real-time access on an as-needed but time-limited basis to EHR, cloud systems, and other data repositories is a must to ensure providers have all the information at their fingertips whether their facing pandemic or dealing with day to day patient care.
RBAC is typically defined with high-level, coarse-grained access controls which allow organizations to quickly and easily define permissions over wide swaths of resources. While this makes it easy to implement, it doesn’t allow for the precision of restrictions required by HIPAA and many regulations. Coarse-grained RBAC does not have the ability to limit access on a fine-grained basis to prevent accidental disclosures maintain data privacy and security.
For instance, both the surgical and the imaging departments need access to the EHR application, but the information needed by each group is significantly different. In order to maintain least privilege, a more fine-grained definition of privileges needs to not only be defined for each department but for each role or function within a department.
Modernizing the Approach
Managing a modern workplace requires a shift from static access control to more continuous management of both the identity and the access rights. By utilizing identity and continuous controls, organizations can create a holistic approach to data security and privacy without compromising the operational agility and effectiveness.
Identity extends across the on-premises and cloud ecosystem to encompass all the access of each entity. Understanding the scope and scale of identity access can identify areas where changes need to be made. Identity management and governance creates and aggregates user attributes and roles to inform access, and access management applies these attributes by performing the real-time authentication and the application of policy to deliver appropriate access.
The classic example is a clinical worker who prescribes medication should not also be able to dispense medication. In this example, identity management dictates the identity and rights of the user, and prevents a user from having the rights to both prescribe and dispense. Access management, meanwhile, applies the access rights when the user logs into the clinical application, preventing him from engaging in both activities within the application and thus ensuring segregation of duties. Correct access relies upon correct identity management and attributes.
As we discussed previously, part of the change in mindset when migrating to a more modern approach is to no longer think of resources and rights as large buckets to be allocated out to equally broad groups of individuals. Instead, the new paradigm is to provide time-bound and fine-grained entitlements, helping you more precisely define access controls for your ecosystem. Saviynt utilizes dynamic, context-aware attribute-based access controls (ABAC) to create these fine-grained access policies. With knowledge of role, function, location, group and other attributes, policy can use a variety of factors to determine access. Fine-grained access policies both protect you from privilege misuse and provide better access for your employees.
In order to make a modernized approach possible from an implementation point of view, administration must not impose a burden. This can be challenging because as an organization grows and individuals require more access, the number of requests can become overwhelming. Saviynt utilizes intelligent analytics to monitor request risk and provide appropriate access. Users can request and obtain near-real-time access as their risk is assessed across a wide swath of peer and usage-based data. These predictive analytics help to prevent users from excessive access and inform the requestor if access will incur risk.
For requests that have excessive risk and cannot be automatically granted, Saviynt provides approvers analytical data in a single-pane-of-glass interface. Approvers can examine the risk in question and, if uncertain about approval, can easily consult with other relevant parties in the organization. The approver never has to do significant an in depth review manually, it is all right at their fingertips, and whatever information isn’t there can swiftly be gathered from other decision-makers. This greatly reduces the burden of work an approver would have to do in order to make data driven decisions about granting or denying access.
Emergency Access Requests
In a highly volatile healthcare environment, there will always be emergencies where someone needs access they don’t have, and they can’t wait for an approval. In emergency situations where a clinician needs immediate, elevated access to patient information, Saviynt can provide break-the-glass access according to organizational policies while also limiting the length of time of access and logging all activity taken with this temporary elevation. The appropriate security party is notified, and logs are maintained so you know the right person is doing the right activities with the right temporary access.
We provide native integration with EHR platforms such as Cerner, Epic, and McKesson while also integrating with the most business-critical ERP, IaaS, PaaS, and Software-as-a-Service (SaaS) solutions used in the healthcare industry.
Our platform provides a single location for managing HIPAA, HITECH, PCI, SOX and other compliance requirements and connects across cloud-based infrastructures so that the organization can maintain compliance with internal Segregation of Duties (SoD) policies as well as external governmental and industry-standard requirements.
Saviynt comes with over 250 security controls and risk signatures available out-of-the-box. These controls directly map back to industry standard compliance frameworks such as HIPAA, HITECH, and PCI. With our easily customizable drag-and-drop interface, Healthcare customers have a jump-start in configuring controls to meet compliance mandates.
Saviynt Makes Access Manageable
Saviynt helps Healthcare organizations embrace new technologies and migrate to a modern, identity-based foundation for security. Saviynt facilitates transcending rigid RBAC controls and instead leverages agile ABAC and time-based access to more precisely manage access. Saviynt’s cloud-native Identity Governance and Administration (IGA) platform protects your most sensitive information and increases organizational efficiency and agility by ensuring that the right people have the right access to the right resources for only the right amount of time.
For more information about how Saviynt secures access to patient information and protects organizations from SOD violations, contact us for a demo today.
To read more about how Saviynt enables healthcare organizations to shift their focus from “privacy” to “access,” read our whitepaper, “Role of Identity Governance and Administration with Healthcare.”
* HIPAA Journal, ‘Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record’, 2018, https://www.hipaajournal.com/healthcare-data-breach-costs-highest-of-any-industry-at-408-per-record/