Exploring the Role of Identity and Access Management in Healthcare

January 12, 2024 - Identity and access management (IAM) is a framework of processes, policies, and technologies that monitor digital identities, manage authentication controls, and grant employees and end users access to information that is relevant to their roles, and their roles only.

For example, if an employee in the finance department at an organization tried to access sensitive HR documents without a work-related reason for doing so, the organization’s IAM processes would kick into gear, denying that person access and maintaining security.

Every organization has unique access needs, compliance considerations, and risk levels, all of which play into the creation of its IAM strategy. In healthcare — a highly regulated and frequently targeted industry when it comes to cybersecurity — having a comprehensive IAM strategy is crucial to effectively protecting sensitive patient data.

While healthcare entities may face challenges in maintaining a large volume of dynamic digital identities, best practices such as role-based access and automation can help to streamline IAM processes and strengthen security across the organization.

Why is IAM Important in Healthcare?

“With a complex healthcare ecosystem, there are so many different personas and identities and third parties trying to get access to that environment or that given system,” Ferdinand Hamada, managing director of healthcare at MorganFranklin Consulting, said in an interview with HealthITSecurity.

“What IAM does is manage access to data and enable an organization to track, restrict, and ensure that roles and access are appropriate per an employee’s job responsibility and that they have the appropriate segregation of duties.”

The level of IAM complexity may vary depending on the size and scope of a healthcare organization, but it remains a crucial component of security for healthcare organizations of all sizes, for several reasons.

First, merger and acquisition (M&A) activity in healthcare is on the rise. As large healthcare organizations continue to acquire small, regional health systems, they are also acquiring a new set of digital identities that need to be managed.

“A lot of these institutions have affiliate systems, cancer institutions, or children's hospitals and things of the like,” Hamada added. “And so that just multiplies the different identities within that environment. And one nurse or one doctor may need different levels of access based on their jobs. Ultimately, that's why it's so critical. It's fundamental to any overall security program.”

Second, the sheer volume of identities makes security even more imperative, especially in an industry with strict security compliance requirements under HIPAA. Having an effective IAM strategy will ideally reduce risk by flagging anomalous access activity and restricting access when necessary.

Lastly, threat actors have taken an interest in exploiting victim organizations via credential theft.

“What these threat actors do is they compromise the system, they gain access to the environment and they use folks' credentials to traverse the environment and to get access to different areas based on that access,” Hamada explained. “It's really prudent for any healthcare institution to have an IAM program in place to make sure that these issues and problems aren't widespread.”

Increasing M&A activity, identity volume, and threat actor behavior are just a few of the reasons to invest time and capital in IAM as a healthcare organization.

Common Healthcare IAM Pain Points

Uplifting such a comprehensive set of systems and strategies will naturally come with challenges, some of which overlap with the very reason why IAM is so crucial in healthcare. For example, increasing M&A activity is both a reason to prioritize IAM and a challenge to doing so.

“In my experience working with larger hospitals, they are kind of umbrella organizations heavy with a lot of M&A activity. It creates what we call the identity warehouse,” said Kumar Lingam, a director at MorganFranklin who works directly with healthcare organizations.

“You have your primary HR feeds, you have affiliate feeds, maybe if it's a university medical center, you have the student feeds coming in. So you may have a resident who becomes a doctor or somebody who's a nurse who also maybe could prescribe having that dual persona. How do you identify where this person should go based on their role?”

It can be challenging to gain a holistic view of the entire identity landscape of an organization when these structures are constantly in flux. Another challenge that Lingam emphasized was IAM policy development. Solid identity policies must translate to actual processes and technologies in a fluid motion, which can be difficult to achieve, he reasoned.

“Another pain point that we've seen is that there are a lot of complaints on the volume, especially during COVID, the volume and churn of access that needs to be granted,” Hamada recalled.

“During COVID it was like rapid-fire - nurses needed this access immediately, and then they had to go through training. There were a lot of tickets related to making sure that access was granted. So that process and automating that process is a challenge.”

Automating these processes is a goal for many organizations, Hamada noted, as it can reduce the burden on healthcare organizations that may not have the staff to accommodate the volume of access changes.

Best Practices For IAM in Healthcare

Key IAM best practices can reduce the impact of the aforementioned pain points and ideally lead to a strengthened security posture going forward.  

A top best practice that both Hamada and Lingam emphasized is maintaining strong governance over IAM. While technology remains an important aspect of IAM, its success also hinges on proper governance and established processes.

The Identity Governance and Administration (IGA) aspect is “critical for success,” Hamada explained, and is often dictated in part by compliance and audit requirements.

“I always drill it down into domains of IAM. So, we talked about access management. If somebody joins a company, what do they have? What systems do they have access to? What tools do they use? We talked about two-factor authentication and multifactor single sign-on. That is one aspect is getting them access entry point access to a specific application,” Lingam continued.

“And then you have the governance layer. So now that they have access to that application, what are they entitled to? Do they have an administrative function? Are they just end users? That's where the identity governance aspect comes into it.”

Maintaining a reliable Privileged Access Management (PAM) system is another crucial component of any IAM framework, Hamada and Lingam added.

“It's really about locking down these privileged grants, rotating passwords, making sure that every day or even every 10 minutes there’s a new password,” Lingam noted.

“And even on top of that, having a good attestation program. You have all these tools and processes in place, but you are also doing monthly, quarterly, attestations that determine that these people have access to these systems, their manager approves it and just verifying that everything is working the way it should.”

Foundational zero trust concepts continue to prove their worth as best practices, but from Hamada’s perspective, healthcare has been slow to adopt them. Even so, zero trust will likely be a best practice going forward in order to further reduce risk and remediate security issues.

Hamada also pointed to the growing popularity of role-based access control (RBAC), which is a method of restricting network access based on the role of an individual, and user and entity behavior analytics (UEBA), which uses log data to identify traffic patterns and anomalies, as emerging best practices in the IAM space.

Lastly, Lingam pointed to the growing relevance of customer-facing identities in IAM discussions.

“Right now, we are talking mostly about workforce employees, non-employees, and contractors. But one thing that's really starting to hit the mark in the last couple of years is customer-facing identities. When folks log in to view their own patient records, the mechanism for securing that is also crucial,” Lingam reasoned. “Over the past year it's been a huge focus in a lot of the big healthcare systems.”

Employing these best practices can help healthcare organizations improve their IAM strategy and bolster overall security efforts.