Payers turn to identity and access management to protect data

Identity and access management solutions are playing a growing role in protecting against cyberattacks in the healthcare sector, experts say.

Martin Kuppinger, information and security expert with European-based KuppingerCole Analysts, says it’s time for healthcare organizations to take on Identity and access management (IAM) for security reasons. “Healthcare organizations deal with highly sensitive information,” he says in a recent white paper entitled, “IAM for Healthcare: It’s time to act.”

Healthcare organizations “face challenges in complying with ever-tightening regulations, combating ever increasing cyber risks and adapting to digital transformation,” Kuppinger says. “Comprehensive healthcare IAM, beyond pure SSO, helps healthcare organizations to better cope with these challenges.”

Litton-James-CROP.jpg
James Litton

"While there are many point products that address individual cybersecurity challenges, today’s threat landscape requires a more integrated approach,” says James Litton, CEO of Identity Automation, a company with a product, RapidIdentity Platform, that it says is capable of delivering administration, authentication, authorization and audits.

“Loosely piecing together multiple point solutions doesn’t provide the same value as a comprehensive identity and access management platform.” he says. IAM solutions, which include the use of passwordless logins, enable clinicians to log in on any secure endpoint with the tap of a badge, eliminating the need for weak passwords.

Litton traveled the country last year speaking to healthcare organizations about their cybersecurity concerns. “Generally speaking, when we talked to healthcare organizations, they are focused on how practitioners can get at data and protect access, and at the same time, they want to know how they can stay off the 11 o’clock news,” he says.

If they are trying to avoid being breached, for some, that won’t be easy. Few organizations, if any, manage the lifecycle access of an employee. Lifecycle management is the process that happens when a new employee is hired and how the company or organization gets them into the system as quickly as possible. When the employee leaves, it’s a matter of how to quickly get them out of the system, so they can’t abuse the accounts that may continue to live in the environment where they worked, or so a hacker can’t leverage those accounts, Litton says.

Contrary to popular belief, most cyberattacks do not originate from hackers in eastern Europe; rather, they walk right through the front door, Litton says. For example, maybe an employee has been at a company for 20 years, with access to a number of accounts as they moved through the company. This is exactly what “the bad guy” wants to exploit when it comes to cybersecurity. If the hacker can compromise Jane Doe’s account and she had access to everything, it makes for a bigger breach. Automated lifecycle management tools deal with that problem. As people move from role to role, the tool grants access as needed and removes it when it’s not needed.

Hackers discover passwords through a game of chance, Litton says, that is made 50 percent easier when companies use email addresses for usernames, which most companies do. Now half of the access is a given, because hackers can find the email addresses easily. There are also now “copious amounts” of password information available from material that has been hacked. It is easily accessible, and “not even on the Dark Web,” Litton says. This makes it just a matter of time until hackers can gain access, or they run random passwords until they get a win. They might explore access for weeks or even months.

As far as payers go, more of them are using the cloud to store data. “The more you push out to the cloud, the more you lose control,” Litton says. Identity management is one way of regaining control.

With the advent of value-based care and health plans setting up platforms and connections with healthcare providers, health plans are left more vulnerable. Hackers can reach through to the payer’s system, if the health system is breached.

Access the KuppingerCole white paper here.

For reprint and licensing requests for this article, click here.