Tasked with managing an exploding volume of patient, provider, and employee data, hospitals and health systems are increasingly making IT security a top priority. This focus comes just in time, as the healthcare industry has emerged as a major target for cyber-attacks, accounting for 41 percent of all breaches last year (Beazley Breach Briefing – 2019, March 21, 2019.) Clearly, the healthcare industry must take all necessary steps to enhance systems and data protection without impacting the users—providers and healthcare workers across the board—of the systems.
Many of these cybersecurity challenges derive from healthcare’s initial transition to digital, during which we focused largely on implementing EHR systems, which were designed/built primarily to enable the management and support of the financial payer aspects of a healthcare delivery organization. Naturally the second audience for EHR systems were—and are—the providers and healthcare workers who are focused on the patient as their top priority. This new digital environment gave clinical users access to thick-client EHRs and other clinical applications on shared workstations, and—given the contained systems—organizations were able to employ relatively traditional network security controls to protect these systems, PHI, and other data.
Today’s healthcare organizations, however, are changing rapidly, shifting quickly to value-based care and transforming into fully modern digital enterprises with elevated focus on provider satisfaction and engagement. The rapid changes within the care delivery ecosystem has sparked an explosion of everything. This includes more people: providers, patients, and users on the network; more devices: shared mobile devices, interconnected medical devices, and personal devices; more points of access: virtual desktops, mobile applications, and the cloud; and more locations: hospitals, ambulatory clinics, and home care.
The once well-defined perimeter around the hospital network is now a blur, eroded by the proliferation of an expanding number of connected devices, an increasingly decentralized workforce, and applications and systems that may now be in the cloud. CIOs and
CISOs must now secure the full enterprise—and at a time when more and more users require access to information from anywhere, not just within the four walls of the hospital.
The challenges and ensuing benefits of this new ecosystem are familiar to other industries that have undertaken the digital transformation journey. Newly digital organizations must establish relationships of confidence and trust across a complex network of people, technology, and information. By focusing on a trusted digital identity, organizations can optimize processes and technologies to solve critical workflow, security, and compliance challenges.
But in healthcare, these challenges are truly unique.
For starters, we have more entities to consider than most other industries. The clinical staff is comprised of many different types of users, each with varying roles and access requirements which vary by environment, location, institution, and role. Furthermore, clinicians no longer represent the only set of users IT must worry about. In the modern healthcare enterprise, business, IT, and other administrative users—as well as affiliates, contractors and vendors—all require fast, efficient, compliant, and secure access to different applications and information.
Moreover, clinical workflows in healthcare are complicated by the industry’s complex operational and regulatory ecosystem. Nurses are using shared workstations and increasingly shared mobile devices in their rounds. Physicians, on the other hand, are heavy users of mobile devices—both their own personal devices and, at times, hospital-issued units. Providers—with their various access devices —need to access a myriad of clinical and business applications, all across various physical locations. These access requirements are compromised, meanwhile, by technology’s regrettable tendency to introduce barriers to service and care, further impacting user experience and workflow efficiency—all for the benefit of compliance, or security, or both.
These impacts on clinical user experience and workflow efficiency occur before we even address regulatory concerns. Healthcare is a heavily regulated industry, and the information that’s shared is highly sensitive. This requires compliance with unique and specific regulatory requirements, from HIPAA to DEA requirements for electronic prescribing of controlled substances (EPCS).
And let’s not forget that healthcare, because of the value of healthcare information and the services it provides, is constantly under attack. The cost of data breaches are amongst the highest of any industry, averaging $429 per medical record. (Cost of a Data Breach Report 2019, Ponemon Institute)
So, how do we overcome these challenges to give users simplified, and better yet transparent and secure access to the applications, devices, and information they need, anywhere and anytime they need it? This is where an architecture of trust is required, and this will depend largely on trusted digital identity in conjunction with access management (IAM).
As we build out this architecture of trust an important set of logical steps need to be considered.
First, IT teams need to understand the identity of the participants, of the users, and of the system. This can be accomplished with current existing systems, and more modern emerging systems offer further simplified identity validation processes. In many ways we do this now in the U.S. for EPCS—and this is a process that works.
Next, the trusted users are offered the appropriate levels of access into the right systems.
Automation can offer improvements in performance. For example, with the right identity management technology in place, healthcare organizations can automate the process of identity proofing, provisioning access, and seeding access with the correct credentials. And this access can be quickly suspended or terminated, without expunging the historical data and logs, should they be required for some future review.
Then, give users the “anytime, anywhere” access they need from any device by eliminating the overreliance on usernames and passwords. Single sign-on (SSO), for example, allows users to access their devices with a simple badge tap, and in that same process, automatically access their applications.
To further enhance security and achieve compliance, the next step is layering on multifactor authentication. Pick the combination of authentication methods that’s right for your organization. The combination of two or more factors including a push token, fingerprint biometrics, or hands-free authentication, amongst others, delivers trust and improves security. However, don’t neglect to invest in ease of use and tight integration—key tenets of an effective and utilized system. A secure system that is ignored or bypassed offers no value. Make it easy and convenient to use and your users will thank you for years to come.
As an industry, healthcare has traditionally focused on revenue cycle, and in locking down everything within our networks. We call this security and compliance—yet this has the unintended consequence of being a detriment of our providers —some of the most skilled and passionate professionals in the world—who are caring for our loved ones.
In the new digital world, it’s time to revamp our architecture so as to support the workload of our providers, yet do so with ease of use, simplicity, and, ideally, an invisible infrastructure that is fast, efficient, scalable, secure, and compliant.
