Managing security and access in healthcare isn’t easy. It’s one of the most strictly regulated industries worldwide. Nearly every aspect of healthcare is regulated, especially patient health information. Complex and changing regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the Payment Card Industry Data Security Standard (PCI DSS), keep healthcare cybersecurity professionals on their toes.
Recent innovations in healthcare technology have only added to the load. Things get extremely complicated when managing access to protected health information (PHI) for numerous devices — and individuals — using everything from Electronic Health Records (EHRs) to telehealth features. Considering that there were 642 significant healthcare data breaches in 2020, securing patient health information can seem like a daunting task.
It’s easy to assume that healthcare cybersecurity risks consist solely of bad actors and other external threats. But the truth is that nearly half (48%) of healthcare industry breaches begin with insider threats. Insider threats arise when someone “uses their authorized access — intentionally or unintentionally — to compromise your organization’s network, data or devices,” according to Verizon. But current employees aren’t the only insider threats. Contractors, board members, and former employees who still have lingering access can be insider threats too.
Healthcare relies on a constant ebb and flow of doctors, nurses, technicians, contractors, and vendors. The use of temporary staff is widespread, with 94% of healthcare facilities utilizing locum physicians. Flex staff may work at various hospital locations on different days, so their permission needs change constantly. These locum tenens require access to sensitive data to perform their jobs, but that access must be removed or modified when they leave or change roles. Too often, privileges linger, raising the risk of insider threats and the chance that data falls into the wrong hands.
Healthcare providers must strike the right balance between security and patient care. The goal is to protect digital assets and privacy without preventing healthcare providers from delivering quality care. That’s why it’s crucial to take an approach that provides frictionless access to EHRs while ensuring patient privacy at the same time.
For instance, an orthopedist consulting in the ER on a patient needs immediate access to that patient’s records, but not to the records of anyone else in the ER that day. HIPAA requires that her request be evaluated based on the context of her current role and her responsibilities to that individual patient. To maintain compliance, her access must be disabled once her work with that patient is complete. This type of fine-grained access is challenging to execute with passwords, account permissions, and user groups alone.
HIPAA mandates that healthcare institutions safeguard patient health information and ensure access is granted only as needed to deliver care. Using risk to evaluate which users get access is a start. But this process can be cumbersome when addressing requests on a case-by-case basis. It also runs the risk of access remaining well past when it is needed. Standing privilege and orphaned accounts, coupled with a high-churn rotating workforce, leave healthcare organizations vulnerable.
Enter the concept of zero standing privilege (ZSP), which helps deliver the security and privacy level that HIPAA and similar healthcare security regulations require. ZSP is a proactive security framework wherein nobody holds or receives access to protected data by default. Superuser accounts, which are dangerous and tend to multiply in large institutions, no longer exist. Every access request requires a risk-based evaluation and gets provisioned for a limited period. ZSP applies the principle of least privilege in its most potent form.
Implementing least privilege in the fast-paced healthcare industry is a formidable task. Users are dynamic, moving from one role to another, one ward to another, and even one hospital to another — and often all in the same week. Resources healthcare workers needed one week aren’t required the next. This is where zero standing privilege comes into play. Because access is automatically disabled after a period of time, excessive permissions won’t linger under the radar, and access management becomes less cumbersome.
Zero standing privilege relies heavily on Just-in-Time (JIT) Access. It’s referred to as “Just-in-Time” because users can quickly get access to needed resources. This eliminates the need to prearrange accounts or go through a lengthy approval process that impedes their productivity.
Instead of providing high-level access as JIT Provisioning does, modern Identity Governance and Administration (IGA) solutions offer JIT Access. Users simply request the access they need when they need it. If there is little to no risk, they often receive access to the application, data, or system automatically, reducing the IT burden in the process. In the cases where access looks risky, the request escalates for a human review. With JIT Access, users only have access to protected health information and sensitive resources for the minimum time period necessary, after which it’s automatically disabled.
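The request flow described above (request, risk-based evaluation, automatic time-bound grant or escalation to a human reviewer), applied to the orthopedist-in-the-ER scenario from earlier, as an added illustration that is not code from the original post or from Saviynt. The risk-scoring rules, user names, and patient identifiers are constructed stand-ins for the analytics a real IGA platform would use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    user: str
    resource: str
    expires_at: datetime

@dataclass
class JitAccessBroker:
    """Zero standing privilege: the grant table starts empty and every grant expires."""
    risk_threshold: int = 50                 # at or above: escalate to a human reviewer
    ttl: timedelta = timedelta(hours=4)      # lifetime of an auto-approved grant
    grants: list = field(default_factory=list)
    pending_review: list = field(default_factory=list)

    def score_risk(self, role, resource, care_team, hour):
        # Constructed rules standing in for the peer/usage analytics the post describes
        return (60 * (role not in ("physician", "nurse"))   # role that does not normally touch PHI
                + 50 * (resource not in care_team)          # patient not on the requester's care team
                + 20 * (hour < 6 or hour >= 22))            # off-hours request

    def request_access(self, user, role, resource, care_team, now):
        risk = self.score_risk(role, resource, care_team, now.hour)
        if risk >= self.risk_threshold:
            self.pending_review.append((user, resource, risk))
            return "pending_review"
        self.grants.append(Grant(user, resource, now + self.ttl))
        return "granted"

    def has_access(self, user, resource, now):
        # Expired grants are dropped on every check: no deprovisioning ticket needed
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.user == user and g.resource == resource for g in self.grants)

def demo():
    # Constructed scenario: an orthopedist consulting on one ER patient
    broker = JitAccessBroker()
    t0 = datetime(2021, 3, 1, 14, 0, tzinfo=timezone.utc)
    care_team = {"patient/1042"}
    own = broker.request_access("dr.lee", "physician", "patient/1042", care_team, t0)
    other = broker.request_access("dr.lee", "physician", "patient/2077", care_team, t0)
    during = broker.has_access("dr.lee", "patient/1042", t0 + timedelta(hours=1))
    after = broker.has_access("dr.lee", "patient/1042", t0 + timedelta(hours=5))
    return own, other, during, after, len(broker.pending_review)
```

The consult on the assigned patient is granted and lapses on its own after the TTL, while the request for an unassigned patient's record never creates a grant and instead lands in the review queue.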
The use of JIT Access mitigates the risk of privileged account abuse. It significantly narrows the scope of an attack and limits the damage a malicious insider can cause. It also reduces the potential for accidental account abuse by preventing users from gaining unauthorized access to sensitive data. At the same time, providers can deliver healthcare faster – all without compromising security.
Modern IGA solutions that apply Zero Trust security principles streamline the access request process with automation. These platforms use AI and machine learning (ML) to evaluate access and apply organizational and industry-standard policies. Through the use of peer and usage analytics, each request is evaluated based on contextual identity information. As access approvals and denials occur, the platform gathers data from each request, and the system learns from that data. Eventually, the AI understands appropriate responses to access request scenarios common within the organization. This alleviates the burden of repetitive requests and enables approvers to focus on unusual or high-risk requests.
Combating insider threats is an additional burden as healthcare organizations continue to face down a worldwide pandemic. Zero standing privilege offers a way to mitigate the risk of privileged account abuse, limits the damage done by malicious insiders, and reduces the chance of accidental account misuse. By implementing ZSP, combined with Just-in-Time Access, risk-based analytics, and automation, healthcare organizations can continue to focus on delivering high-quality healthcare without compromising security or compliance.
Learn more about how Saviynt helps healthcare organizations address the challenges of efficiently providing patient services while simultaneously protecting their data.