Establishing the Right Controls Within Your Environment, Combined With Automation, Boosts Speed and Efficiency and Reduces Access Friction.
There’s nothing more frustrating to a healthcare provider than to have a process get in the way of patient care. Yet this is often the case when getting access to applications they need to do their jobs. It’s common to blame the security controls put in place by the IT and security teams, but that misses the point: cyber attacks on healthcare organizations are increasing.
According to a recent U.S. Department of Health and Human Services report, the number of healthcare data breaches in the first half of 2022 was nearly double that of the same period last year. Security controls are essential. They exist to protect patient data, so how can you find a balance between that protection and easing the administrative burden on healthcare providers?
Enabling patient care requires correct and timely access to critical systems. Yet this is easier said than done. The complexity of the healthcare industry creates unique challenges in identity management and security. Everything from increased use of temporary workers and third-party contractors, to mergers that require combining workforces, to the proliferation of medical devices that require their own identities and access levels increases the need for appropriate security controls. Extensive use of manual processes adds to the complexity, and to the level of risk.
But there’s good news as well. You don’t have to sacrifice security to enable frictionless onboarding. By putting the right controls in place and leveraging automation, you can actually reduce access delays while ensuring appropriate access.
Manual Processes Create Access Delays and Increase Risk
Manual processes that have been put in place around access, whether they are manual requests that need to be placed, manual approvals that need to be done by one or more people, or manual provisioning of access, create delays and interfere with patient care. They can lead to over-worked administrators taking shortcuts that can result in over-provisioning, mistakes in entering data, and creation of duplicate identities.
It’s important to analyze your current infrastructure to determine if a lack of agility or capabilities within your existing tools creates the need for manual processes. Are all these steps necessary? Can some of them be reduced or eliminated? Are joiners given a basic bundle of access and then have to request everything else they need? How can care providers get more of the access they need initially without placing a request that may sit at the end of the approval queue?
This is not to say that security controls should be reduced. Healthcare organizations have strict regulations that must be met. One of the requirements of HIPAA, for example, is an adherence to the principle of least privilege, in which users are only given the access needed to do their jobs and nothing more.
Without technical controls, you’re essentially relying on people to be your security controls – and people make mistakes.
Deepen the Use of Rule-Based Automation
So, how can you reduce friction while maintaining the level of security needed to achieve compliance and protect your organization’s data?
There are two ways:
- Deepen rule-based provisioning automation
- Establish risk-driven policies and workflows
In rule-based provisioning automation, the idea is to expand the sophistication of what you’re doing automatically through birthright and user-update rules that leverage attribute-based access control (ABAC) tools and time-based access to manage access more precisely. These tools incorporate intelligent analytics to derive attributes (user, object, action, or environment characteristics) and use them to dictate how a role can operate. By using automation for role mining, security leaders can build authoritative identity sources. This increases organizational efficiency and agility by ensuring that the right people have the right access to the right resources for only the right amount of time.
Companies can streamline access controls by using intelligent analytics to monitor request risk and provide appropriate access. Users can request and obtain near-real-time access as their risk gets assessed across a wide swath of peer and usage-based data. Predictive analytics prevents excessive access and informs the requestor if access presents a risk.
Establish Risk-Driven Policies and Workflows
The second technique for reducing friction is to make it easier to get access to lower-risk resources by establishing risk-driven policies and workflows. This involves classifying applications and resources, assessing risk based on user type, and applying contextual risk scoring.
Organizations are moving toward more in-depth use of AI/ML technologies to improve risk awareness and decision-making for identity-related business processes. Enterprises can use intelligent risk scoring – based on usage data, behavioral analytics, and peer group analysis – to optimize access certification, requests, role management, and other access management assignments and processes.
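To make the two techniques concrete, here is an added illustration (example code written for this post, not any vendor's product) of a minimal policy engine: birthright rules driven by ABAC-style attributes that grant time-bound access which never outlives a temp or contractor's engagement, plus a risk-scored request workflow that auto-approves low-risk access and routes the rest for review. The resource classes, risk weights, peer-group threshold, and sample joiner attributes are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed resource classification (higher = more sensitive) and user-type risk.
RESOURCE_RISK = {"email": 1, "scheduling": 2, "ehr_clinical": 4, "ehr_admin": 5}
USER_TYPE_RISK = {"employee": 0, "temp": 1, "contractor": 2}
AUTO_APPROVE_MAX = 3          # requests scoring at or below this skip the approval queue
PEER_OUTLIER_RATIO = 0.2      # below this share of peers holding the access, flag as outlier

# Birthright rules: (predicate over attributes, resource, max lifetime in days or None).
BIRTHRIGHT_RULES: List[Tuple[Callable[[Dict], bool], str, Optional[int]]] = [
    (lambda a: True, "email", None),
    (lambda a: a.get("dept") == "nursing", "scheduling", None),
    (lambda a: a.get("role") in ("nurse", "physician"), "ehr_clinical", 365),
]


@dataclass
class Grant:
    resource: str
    expires: Optional[date]   # None means no automatic expiry


def birthright(attrs: Dict, today: date) -> List[Grant]:
    """Derive day-one access from joiner attributes, bounded by rule lifetime and engagement end."""
    grants = []
    for predicate, resource, days in BIRTHRIGHT_RULES:
        if not predicate(attrs):
            continue
        expiry = today + timedelta(days=days) if days is not None else None
        end = attrs.get("end_date")   # temps/contractors carry an engagement end date
        if end is not None and (expiry is None or end < expiry):
            expiry = end              # time-based access: never outlive the engagement
        grants.append(Grant(resource, expiry))
    return grants


def request_decision(attrs: Dict, resource: str, peer_access_ratio: float) -> Tuple[str, int]:
    """Score an access request on resource class, user type and peer-group usage."""
    score = RESOURCE_RISK[resource] + USER_TYPE_RISK[attrs["type"]]
    if peer_access_ratio < PEER_OUTLIER_RATIO:
        score += 2                    # few peers hold this access: treat as an outlier request
    if score <= AUTO_APPROVE_MAX:
        return ("auto_approved", score)
    return ("manager_review", score)


if __name__ == "__main__":
    joiner = {"dept": "nursing", "role": "nurse", "type": "temp", "end_date": date(2023, 3, 1)}
    print(birthright(joiner, date(2023, 1, 1)))
    print(request_decision(joiner, "ehr_admin", peer_access_ratio=0.05))
```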
Reducing the amount of human intervention in access decision-making increases efficiency and security. It provides the intelligent, automated identity solution healthcare organizations need to reduce administrative burdens, eliminate access delays, and remove access barriers.
Most importantly, it frees care providers to concentrate on their primary goal: providing timely, accurate, and secure patient care.
For more information on the cybersecurity challenges of healthcare organizations, check out my previous post on managing external identities, and stay tuned for the third blog in this series, Optimizing EHR Governance.