Healthcare Information Security

Cybersecurity News

Why Healthcare Identity and Access Management is Essential

Nicklaus Children's Hospital CISO and Director of IT Governance explained to HealthITSecurity.com why it opted for an identity and access management platform to help with data security.

By Elizabeth Snell

- Employee training is a critical aspect to healthcare administrative safeguards, but it is also important that staff members are given the necessary tools to remain as efficient as possible. Healthcare identity and access management (IAM) is one such way for covered entities to ensure that data security is not compromised while employees perform daily operations.

Identity and access management platforms can be critical part to healthcare data security

Nicklaus Children's Hospital, formerly Miami Children's Hospital, decided to improve its IAM capabilities and implemented options from Courion. According to Director of IT Governance and CISO Alex Naveira, the IAM platform brought in many aspects into process improvement through automated provisioning.

Along with process efficiencies, service levels were also impacted, Naveira explained, so employees were able to be efficient day one when they got on board.

“The process levels also impacted the financials, because now the automated or provisioning processes are so much more effective that you don’t need to increase your staff,” Naveira said. “The staff can now focus on more proactive items within the access government’s framework.”

Increased healthcare security was another key benefit, according to Naveira.

READ MORE: OCR Urges End-to-End Security, Verified HTTPS to Protect PHI

“Anyone in security wants to make sure that you have a continuous improvement, or a continuous governance framework in place, so that you have quick insight into the behavior in your environment,” he said. “That way you know exactly what occurs at what time.” 

From a healthcare security standpoint, Naveira said that IAM options and the potential benefits they can provide always seemed ideal. For example, IAM can ensure that a facility has a role-based access framework, and that the proper access is provided to the proper individuals.

“From the time we started talking to the time we end this conversation, I know that the network is going to be different,” Naveira explained. “The access environment is going to be different, and I can tell you that not having insight into that is very risky. Being able to bring Courion into the mix provided us that understanding of the risk levels within the access environment and how we need to address any kind of strange things that are occurring there.”

Why should other healthcare providers consider IAM?

IAM options can provide covered entities with a whole other level of security, according to Naveira. It is also a very important added level of security, he said, and IAM implementation is very strategic.

READ MORE: 3 Tips for Creating Healthcare Security Change, Process Controls

“I see it as continuous security improvement when you’re able to have some intelligence in your environment that can tell you at any point in time when somebody moves into a very high risk level of access in there,” Naveira said.

With many healthcare data breaches being caused by unauthorized access or disclosure of information, an IAM platform could be critical in keeping patient data secure.

“If you don’t have a governance or control over who has access to what in your environment, it’s very difficult to maintain a safe and secure environment,” added Naveira.

Overall, the whole world is becoming very focused on healthcare, he said, and many of the regulation laws that are coming down are very healthcare-centric.

“It’s an industry that’s growing throughout the nation,” Naveira stated. “If you look at all parts of the nation as far as growth, healthcare is the leader. There is going to be a lot more focus into the healthcare field and the automation within it.”

READ MORE: Preparing for Online Attacks in Hospital Data Security

When large-scale healthcare data breaches do take place, such as what occurred with Anthem earlier in 2015, Naveira explained that it is essential to learn from them.

“Every negative has a positive,” he said. “You really need to learn from what they did not have in place. What were the processes? Was it a lack of technology, a lack of expertise? Whatever it might have been, you have to really learn from the bad that has occurred within these breaches.”

The industry as a whole needs to look at how much emphasis is being put on security, added Naveira. It can’t just be one line item on a healthcare provider’s budget. Senior leadership need to put in a concentrated effort to secure sensitive information, and there needs to be the realization that they are holding a “large honeypot” of sensitive data that needs to be protected, Naveira said.

“It’s the focus that banks have had for many years,” he explained. “I think healthcare has always kind of lagged behind the curve. We’re finally catching up but there really needs to be a lot of focus on protection and privacy within the healthcare environment.”

Automation is going to be essential for the future of healthcare security, Naveira concluded, which was why the IAM platform was so critical for Nicklaus Children’s.

“We saw so many benefits with the automated provisioning and the automation within Courion,” he said. “Just having the manual processes doesn’t give you a good understanding of what’s going on in your environment as quickly as you need to know what’s going on.”

Not having the technical ability to look at what is taking place within a healthcare environment proactively and dynamically, because a facility is doing things in a manual fashion, that’s where trouble can occur, Naveira said.

“That’s where people can be cruising around your network and looking at the data, extracting your data, and you not knowing about it because you’re manual,” he concluded. “I really do think that bringing in technology, automation, is extremely important in understanding what’s going on.”

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks