Curing IAM Headaches in Healthcare
Insights on Tackling Identity and Access Management Challenges
"It's very hard to give fine-grained access control, taking it down to a level within the clinical systems," says Ford, a principal in Deloitte Consulting's cyber-risk services practice.
On top of that, managing identities and access of doctors and other clinicians who often work in multiple departments - or at multiple locations - is another key challenge, he says in an interview with Information Security Media Group.
Organizations are faced with finding a way to standardize their approach to user identity and access management across the enterprise, he says.
"In the past, the provider community has tended to look for that 'silver bullet' kind of identity and access management solution," he says. "That might mean you plug in an enterprise single sign-on solution that can solve that problem of signing on once and having access to the back-end clinical system, for example. But the challenge comes in managing that user on an enterprise basis."
For instance, he notes, "A doctor who works at one hospital on Mondays, but works at a different hospital on Tuesdays. When you get into the larger [health systems], that gets very complex and hard to manage," he says.
"The idea behind identity and access management is to centralize the process of a user in those environments, and try to bring a more simplified and single sign-on environment across the enterprise, and that's hard to do when you do it more tactically," he adds.
In the interview, Ford also discusses:
- Steps that healthcare organizations can take to improve their overall identity and access management to help prevent inappropriate access to records;
- The biggest cyberthreats the healthcare sector is facing now, and new threats that are on the horizon;
- How the level of cyber preparedness varies among life sciences companies, health plans and healthcare providers.
Ford is a principal in Deloitte's cyber-risk services practice and the lead for the life sciences and health care industry. In this role, he has consulted with dozens of healthcare organizations participating in the HITECH Act electronic health records incentive program. Before taking on the healthcare leadership role, he established Deloitte's identity and access management and led the service line for about 10 years.