Why It's Time to Reassess IAM in Healthcare
HHS OCR Offers Insights on Access Management Strategies
As cyberattacks continue to surge, federal regulators are reminding healthcare organizations of the importance of implementing strong identity and access management practices, policies and controls.
The Department of Health and Human Services' Office for Civil Rights, in a cybersecurity e-newsletter issued this week, advises HIPAA-covered entities and business associates to carefully examine their policies, practices and controls for accessing electronic protected health information.
"The rise in data breaches due to hacking, as well as threats to ePHI by malicious insiders, highlight the importance of establishing and implementing appropriate policies and procedures regarding these HIPAA Security Rule requirements," OCR says.
"Ensuring that workforce members are only authorized to access the ePHI necessary and that technical controls are in place to restrict access to ePHI can help limit potential unauthorized access to ePHI for both threats."
"OCR is correct in highlighting access as the key," says former healthcare CISO Mark Johnson, who now leads the healthcare security practice at the consultancy LBMC Information Security. "OCR is also focusing on … identity … as the new perimeter. As providers move into the cloud, this will result in even bigger problems unless this is proactively addressed."
Unfortunately, investing in secure IAM hasn’t been as big a priority in healthcare as it is in other sectors, says Jeremy Grant, a managing director at law firm Venable LLP and former senior adviser to the National Institute of Standards and Technology's national strategy for trusted identities in cyberspace.
But that's changing, Grant says, because threat actors are increasingly targeting healthcare organizations and because new regulations, including those tied to the 21st Century Cures Act, are requiring providers and payers to create new APIs to share patient data. "Those regulations are spurring a new round of investment, particularly in customer IAM systems," he says.
Johnson cautions, however, against relying on IAM technology to "solve a broken process."
Healthcare organizations, he says, must "understand their current state of IAM, formulate their future state and define the use cases, processes and governance structures that the IAM program will manage. This is all before a technology is evaluated."
OCR in its advisory notes that "the flexible, scalable, and technology-neutral nature of the HIPAA Security Rule permits organizations to consider various access control mechanisms to prevent unauthorized access to ePHI." Such controls "could include role-based access, user-based access, attribute-based access or any other access control mechanisms the organization deems appropriate."
The HIPAA access control standard includes four implementation specifications - including unique user identification - for limiting access to only authorized users, OCR points out.
"While the use of shared or generic usernames and passwords may seem to provide some short-term convenience, it severely degrades the integrity of a system because it removes accountability from individual users and makes it much easier for the system to become compromised," OCR notes.
"If information is improperly entered, altered or deleted, whether intentionally or not, it can be very difficult to identify the person responsible - including for training or sanctions - or determine which users may have been the victim of a phishing attack that introduced ransomware into the organization." And because shared usernames and passwords can become widely known, "it may be difficult to know whether the person responsible was an authorized user," OCR writes.
The inability to identify and track a user’s identity due to the use of shared user IDs can also impede necessary investigations when the shared user ID is used for unauthorized or even criminal activity, according to OCR.
Another required implementation specification is emergency access procedures for how authorized users can obtain ePHI during situations such as power failures or the loss of internet connectivity, OCR notes.
"Access controls are still necessary during an emergency, but may be very different from normal operations," OCR notes.
For example, during the COVID-19 public health emergency, many organizations needed to quickly implement mass telework policies to allow workforce members to securely access ePHI remotely.
Former healthcare CIO David Finn, executive vice president at security and privacy consultancy CynergisTek, notes that COVID-19 further complicated many healthcare entities' IAM efforts.
"You had new people coming into the organization with no access or account, and you had your own people coming in from unknown networks on personal devices," he notes. "People were being asked to fulfill multiple duties and roles. You had people, devices and credentials being added very quickly with no additional resources to do that; you likely had relaxation of controls to make things happen quickly."
Healthcare Providers' Challenges
Experts note that different segments of healthcare can also face different difficulties with IAM.
"Providers face big challenges, payers less so, but more akin to other industries," Johnson says. For instance, "roles and role-based access control have unique challenges for healthcare providers. The IAM industry has recognized this and created the idea of 'personas,'" he notes.
"A provider might be accessing data to treat patients in the morning and access similar data as a researcher in the afternoon. This is just one simple example of the many challenges providers face," he says.
Finn offers a similar perspective. "Healthcare does have some unique operational requirements that complicate the issuance of identities/credentials for devices, users and processes," he says.
"A teaching hospital may have residents, interns and fellows who rotate through services. … These are temporary or short-term accesses to systems, and then they may rotate back in a different area or the very same area - turning access on and off and making sure you have the right changes each time gets time-consuming, at best, and forgotten at worst," he notes. "So, accounts may remain active, if unused, until someone with [ill] intent figures out how to use it."
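One way to express the access model the experts above describe (OCR's role- or attribute-based controls, Johnson's "personas" for a clinician who is also a researcher, Finn's rotations that must turn access off on their own, and individually assigned IDs that keep the audit trail attributable) is a small policy evaluator. The code below is an added example, not code from the article, OCR, LBMC or CynergisTek; every user ID, unit, persona and policy entry in it is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

# Constructed directory of individually issued identities (assumed data).
# Generic ward or station logins are deliberately absent, so a request under
# such an ID is refused and every audit row names exactly one person.
DIRECTORY = {"u1001": "Dr. A. Example", "u2002": "R. Example, PGY-2"}

# Constructed persona policy: (persona, action, resource class, purpose).
# A persona is the capacity someone is acting in, not a second account.
POLICY = {
    ("clinician", "read", "patient_record", "treatment"),
    ("clinician", "write", "patient_record", "treatment"),
    ("researcher", "read", "deidentified_dataset", "research"),
}


@dataclass(frozen=True)
class Grant:
    """A time-bound persona assignment, e.g. one rotation through a service."""
    user_id: str
    persona: str
    unit: str
    starts: datetime
    ends: datetime  # rotation end: the grant lapses here without a ticket

    def active_at(self, when: datetime) -> bool:
        return self.starts <= when < self.ends


@dataclass(frozen=True)
class Request:
    user_id: str
    persona: str
    action: str
    resource_type: str
    unit: str
    purpose: str
    when: datetime


@dataclass
class AccessControl:
    grants: list[Grant]
    audit: list[dict] = field(default_factory=list)

    def decide(self, req: Request) -> tuple[bool, str]:
        allowed, reason = self._evaluate(req)
        # Every decision, allowed or denied, is recorded against the individual ID.
        self.audit.append({
            "when": req.when.isoformat(), "user_id": req.user_id,
            "persona": req.persona, "action": req.action,
            "resource": f"{req.resource_type}/{req.unit}",
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _evaluate(self, req: Request) -> tuple[bool, str]:
        if req.user_id not in DIRECTORY:
            return False, "unknown or shared identity"
        active = [g for g in self.grants
                  if g.user_id == req.user_id and g.persona == req.persona
                  and g.unit == req.unit and g.active_at(req.when)]
        if not active:
            return False, "no active grant for this persona and unit"
        if (req.persona, req.action, req.resource_type, req.purpose) not in POLICY:
            return False, "persona not permitted this action"
        return True, "ok"

    def lapsed_grants(self, now: datetime) -> list[Grant]:
        """Grants past their end date: the deprovisioning review list."""
        return [g for g in self.grants if g.ends <= now]


def demo() -> dict:
    """Constructed scenario: one attending with two personas, one rotating resident."""
    jan = datetime(2024, 1, 1)
    ac = AccessControl(grants=[
        Grant("u1001", "clinician", "cardiology", jan, datetime(2024, 2, 1)),
        Grant("u1001", "researcher", "registry", jan, datetime(2024, 7, 1)),
        Grant("u2002", "clinician", "cardiology", jan, datetime(2024, 2, 1)),
    ])
    reqs = [
        # morning: treating patients as a clinician
        Request("u1001", "clinician", "read", "patient_record", "cardiology", "treatment", datetime(2024, 1, 15, 9)),
        # afternoon: same person, researcher persona, de-identified data only
        Request("u1001", "researcher", "read", "deidentified_dataset", "registry", "research", datetime(2024, 1, 15, 14)),
        # researcher persona reaching for identified records: refused
        Request("u1001", "researcher", "read", "patient_record", "registry", "treatment", datetime(2024, 1, 15, 15)),
        # resident after the rotation ended: the grant lapsed on its own
        Request("u2002", "clinician", "read", "patient_record", "cardiology", "treatment", datetime(2024, 2, 10, 9)),
        # generic ward login: no individual behind it, refused and still logged
        Request("ward-station", "clinician", "read", "patient_record", "cardiology", "treatment", datetime(2024, 1, 15, 9)),
    ]
    decisions = [ac.decide(r) for r in reqs]
    return {
        "decisions": decisions,
        "lapsed_by_march": sorted(g.user_id for g in ac.lapsed_grants(datetime(2024, 3, 1))),
        "audit_rows": len(ac.audit),
    }


if __name__ == "__main__":
    for row in demo()["decisions"]:
        print(row)
```

The design point is that the grant, not the account, carries the expiry: when a resident's rotation ends the clinician grant simply stops matching, so nothing needs to be remembered and switched off, and the lapsed-grant list gives the access review something concrete to clean up. Because the directory contains only individually issued IDs, a generic station login cannot produce an "allowed" row, which is what keeps each audit entry attributable to one person.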
Grant says it's important for healthcare organizations to "make sure their CISO owns identity, or if not owning it, they at least need to have major influence and signoff over decisions."
For instance, in many healthcare enterprises, "IAM is owned by healthcare delivery or IT operations - those groups generally don’t prioritize security," he says. "And that’s what often leads to IAM being exploited by threat actors to steal data or launch ransomware attacks."
Grant suggests that every healthcare organization should take time to review the Health Information Sharing and Analysis Center's Framework for CISOs to Manage Identity.
Providers and payers also need to plan their strategies for securing the new APIs they are building to comply with the 21st Century Cures Act regulations that require enabling the sharing of patient data, he notes. "Robust digital identity solutions are critical to enabling secure access to electronic health information," he says.
Finn stresses that multifactor authentication "should be the default" for any type of remote access to internal resources.
"It is not cheap. But you can pay a trusted security vendor to put that in, or you can pay [an attacker] a ransom, which will be some very significant multiple of what you would have paid your vendor."