Imagine being a doctor or nurse on your first day in a care unit at a new hospital. You get an urgent message that you are needed to help treat a patient in critical condition, but know very little of his or her medical history, including any allergies, recently administered medications, past conditions, or any recent hospital visits. As you quickly enter the room and assess the patient’s condition to provide immediate care, you quickly search for additional patient information that can help you save a life. After accessing the information needed within the electronic medical record (EMR) system, you do what you do best and the patient quickly stabilizes. You return to the unit and realize something dramatic, if you did not have access to that “vital” information on your first day, the patient could have had a different outcome. You then check your inbox, report a suspicious looking email as potential “phishing,” and continue with your workday.
This scenario illustrates what we have accomplished by building a powerful and well-managed identity security solution as part of a holistic cybersecurity program.
According to Referral MD in an August 2016 report, “Patients’ charts cannot be found on 30 percent of visits,” and “80 percent of all serious medical errors involve miscommunication during care transitions.” With statistics such as these, it is essential that healthcare organizations have an identity security solution that supports quick and easy access into patient information systems.
At Nicklaus Children’s Health System, it is expected that our clinical staff be able to quickly access what they need to rapidly treat a patient from day one. Thus, it became vitally important to the entire organization that our identity security solution, as well as the cybersecurity program that surrounds it, is automated, efficient, and reliable, while being easy-to-use and even easier to understand and support. Of course, we had to think differently to design a program that fits our needs.
Designing programs with identity and security together
Research has found that 477 data breaches occurred in the healthcare industry in 2017, which exposed around 5.6 million patient records. That is an average of 1.3 breaches with over 15,300 records compromised each day! Many breaches typically start with something as simple as a phishing email, the point of which is to trick users into giving up their credentials. As a result, implementing identity security solutions requires careful planning, communication, and education of the humans who use it in order to be effective.
In designing our approach, we learned six things that helped us implement an effective and holistic program. We believe these six essential components are key for any such program. Central to this approach is the high level of importance and focus that needs to be placed on identity and security playing well together – identities, networks and hosts merging into a single architecture, provides a stronger ability for organizations to protect themselves. Now, this is only as effective as the people that proactively monitor and/or use the system each day.
When we built our program, we took a more methodical approach that required much more from our teams—including unconventional thinking—and it paid off. Below are the six things we learned while designing our holistic identity security program:
1. Be proactive and practical in assessing your existing environment
We had to answer many questions about ourselves to establish a baseline of where we were with our current environment: Where and what were our current gaps? What were our current risks? Where were our vulnerabilities? Does the current environment address any, all, or none of our business drivers? Is there anything we could leverage out of our existing environment? This “readiness” assessment was crucial in providing us a better understanding of the environment and a baseline to begin to transform our thinking.
2. Eliminate technology silos in favor of a single environment
In this interconnected world, cybersecurity and identities are interwoven in every area of technology-driven organizations. A recent survey from SecureAuth—who provides our identity security solution—found that six out of ten IT security professionals report that cybersecurity and identity decisions are separate in their organizations. Disintegrating these technology silos is a necessity, but achieving it requires a visionary leader who can thoroughly assess the landscape of current technologies to create that holistic and “single environment.”
3. Become a strategic facilitator/partner of the business, not an obstacle
Members on cybersecurity teams need to be knowledgeable of the entire cyber threat landscape for their industry, not just their own technical environment. In addition, knowing what current technologies are available to support the future vision of the “business” is highly valuable. A visionary security leader, who serves as a strategic facilitator and/or partner of the business, is key in achieving a successful identity security program, in essence, making it a reality. For us, it meant having a leader who aligned protective needs with process enhancements, and organizational strategy, had great communication across business units, and was able to evangelize the benefits of cyber and identity security to business leaders. Having this kind of 360 degree leadership, is the difference between acquiring the necessary funding and not.
4. Ensure that an actual cybersecurity program is established
At times, technologies are seen as “tactical” (i.e. a destination). This means that a technology implementation has been mandated to decrease a certain level of risk. To us, this short-term approach is not sustainable. Instead, we see cyber and identity security as an ongoing program that needs to support the continuous communication with other business units, other platform solutions, other applications, etc., and it needs to be continuously monitored and managed in a consistent and coordinated fashion. In other words, it is a journey, not a destination.
5. Humanize cybersecurity awareness training
According to an article in HIPAA Journal, 52 percent of the 627 healthcare professionals they surveyed, said the lack of security awareness was affecting their organization’s security posture. It also noted that 91 percent of attacks started with an opened phishing email. To err is human, but successful cybersecurity educational programs can minimize human errors and reduce the potential for a breach. While many organizations put together virtual training modules that employees are required to complete, it does not really generate the required “human connection needed for trainees to fully absorb what they are learning.
To us, cybersecurity awareness training continues to be vitally important to the overall health of our environment, as our employees are the ones that can prevent many attacks from ever taking place. Thus, we believe in a robust, face-to-face awareness training program that allows our employees to feel as part of a community (i.e. a team), and not inconvenienced by another training module. We make sure that our leader speaks face-to-face with staff, introduces some members of the security team that are protecting the organization, and educates staff on how to protect their work or personal online identities. This demonstrates that we are all in this together, and the more we know and help each other out, the stronger we become.
6. Ensuring the Internet of Medical Things (IoMT) is safe and reliable
As healthcare seeks to improve patient care, increase efficiencies and reduce costs, IoMT is becoming more and more prevalent. From wireless devices that are connected to the patient at bedside, to wearable devices gaining momentum, it is essential to ensure effective visibility, testing, monitoring, and segregation of these devices on the network. This wireless medical device revolution is introducing dramatic improvements in the quality of care, but also introducing a greater attack surface that must be closely monitored to safeguard reliability and up time within medical-grade networks.
For the sake of human lives
The pace of adoption of identity security programs in the healthcare industry needs to increase for the sake of human lives. While there is some movement towards a better understanding of why both identity and cybersecurity programs are important to implement, we still have a long way to go. Yes, identity security programs require visionary leadership and thinking, an eagerness to explore the right options and genuine compassion for the humans that need to be protected. This pales in comparison to the effect these programs have on the patient whose life is saved because a doctor or nurse was able to easily access “vital” information within an EMR to help treat a patient in critical condition.
Alex Naveira is the head of IT governance, assurance, and identity and access management programs at Nicklaus Children’s Health System
