By GUS MALEZIS
Healthcare is in the midst of a digital transformation, creating information security, compliance, and workflow challenges. The engagement of an increasingly decentralized workforce along with anytime anyplace healthcare and the proliferation of cloud-based applications, databases, and mobile devices have now (or soon will have) eroded the once well-defined network perimeter.
The healthcare industry remains one of the most highly targeted for cyber-attacks – a recent report from Beazley Breach Insights showed that 41 percent of all breaches in 2018 occurred in the healthcare sector. This means that, going forward, healthcare organizations must pay particular attention to cybersecurity, and do so without restricting or compromising access to the systems and services that providers and patients use today and will use in the future. A successful cybersecurity plan requires these organizations to focus on establishing and managing trusted digital identities for all users, applications, and devices throughout the entire extended digital healthcare enterprise – from the hospital, to the cloud, and beyond.
Why are modern hackers targeting healthcare? Because they can, and they have the opportunity to do so! Hackers also know the value of the data stored within provider systems. Today, medical records fetch up to ten times more money on the dark web than the average credit card.
Healthcare IT professionals are scrambling to shore up security and ensure system availability while supporting the complex workflows of their providers. However, the rapid pace of healthcare’s digital transformation along with the rapid growth of service locations and the integration of cloud apps and services creates an inescapable challenge.
In our new digital world, we see a series of “planes” that are expanding rapidly:
- Today’s healthcare systems, and those of the future, have a much more extensive and expansive population of providers – both formal employees as well as visiting staff, interns and locum tenens – all of whom require access to IT systems and data if they are to be productive and efficient.
- Providers are now operating from multiple locations, more than ever.
- Patients are requiring more digital services – with access to their chart, their physician, scheduling and a plethora of other services, all from the convenience of their smartphone, or browser – from any location and at any time.
- The number of devices and applications – both on-premises and in the cloud – is exploding. Nursing station systems are now augmented by mobile systems, smartphones and tablets.
Healthcare organizations must now protect privacy across a complex network of people, technology and information – and while there are other planes to consider, those noted above are enough to send the average HIT architect, CIO and CISO into…a dark room.
In this new environment, digital identity is critical and an opportunity to leapfrog. Yet common myths persist. To help healthcare organizations build out an architecture of trust, let’s break down some common misperceptions about digital identity and better understand what digital identity is – and what it isn’t.
Myth #1: You have a trusted digital ID
Fact: No, you do not have a trusted Digital ID, possibly with one exception.
Digital identities may seem like a simple concept, yet ask most people what their digital identity is, and they’ll likely ponder the question, and perhaps offer their email, a device, or an IP address – and that’s just one piece of a much larger puzzle. Yet none of these are verified or trustworthy identities. How do you really know if the person behind that device or email is who they say they are? How do they prove it?
The one exception would perhaps be your bank client number. Before a bank will offer you an account or a credit card, they will collect a set of data on your person, which will then be used to verify your identity. Only when the bank is satisfied of your identity will they provide you with a client number – your trusted Digital Identity – usable for that institution, and that only. So, if you have a bank account – and most of us do – you do have a trusted digital ID, yet it is strictly used for that bank and not beyond. So, while you may have several IDs, unless you’ve been identity-proofed for EPCS or some government institution, you do NOT have a usable trusted digital ID.
In our digital age, we must trust a digital identity – much like we trust a driver’s license or passport in the physical world. “Trust” means a reliable way to validate digital identities across disparate devices and channels. Establishing this trust requires creating trusted digital identities and then maintaining, modifying, and monitoring them as needed. Key components include onboarding and provisioning, dynamic access management based on changing roles, attributes and permissions of each trusted identity, and off-boarding and de-provisioning when an identity is no longer part of the organization.
A digital ID is not something that just exists; it must be created with trust and other attributes, must be managed, protected, secured, and shared in the appropriate conditions. It is this trusted digital identity that will be your gateway of simple efficient access to our ever-expanding digital universe.
Myth #2: Multi-factor Authentication Is Complicated and Will Take More Time
Fact: The next generation of 2FA and MFA are virtually invisible.
The idea of using multi-factor authentication (MFA) isn’t new. Banking has successfully incorporated identity proofing by using multiple layers of verification. If you swipe your bank card at an ATM and then enter a PIN, or log into a website that sends a numeric code to your phone before granting access to an account, that is MFA in action. OK, it’s an additional step or two or more – but it elevates security and trust, and that’s a great outcome. Yes, it takes some extra clicks, and those we should look to compress, optimize and eliminate where possible. Yet security and convenience can co-exist.
With two-factor authentication, healthcare organizations can combat phishing attacks and safeguard patients and their electronic health records (EHR). Most cyberattacks are preventable by using good two-factor authentication. By “good” we mean moving away from SMS as the way the token is delivered, knowing that this has become a relatively insecure way of carrying the token, and looking at other methods such as secure token apps or hardware fobs. Still, why are only 45% of organizations using it? Some hospitals fear inconvenience to their clinical workflows, but this concern is misplaced – multifactor authentication solutions can be secure and convenient without compromising provider productivity.
New approaches to MFA, purpose-built for healthcare, now deliver “skip-2nd factor” or “Hands-Free 2nd Factor Authentication” and do so by leveraging Bluetooth, biometrics, smartphone technology and other innovative technologies to eliminate any extra steps that may frustrate clinicians. These solutions are seamless and invisible and eliminate any potential to create inefficiency, disrupt workflow, or contribute to physician burnout.
Myth #3: The U.S. is Unlikely to Adopt A National Digital ID Very Soon
Fact: In the US we are rapidly progressing towards a national trusted Digital ID.
Fact: Other countries around the world already have trusted Digital ID systems.
Government officials are now developing a solution for digital patient and physician identification. This past year, the U.S. House of Representatives voted to repeal a 21-year ban on funding for a national patient identifier – a number or code that would be assigned to every person, similar to Social Security numbers.
A unique patient identifier would link health and identity to avoid mix-ups between, for example, patients and physicians with the same name. Again, this doesn’t solve healthcare’s cybersecurity challenges on its own. And implementation certainly won’t happen overnight. Policymakers must first consider the best tools to use, such as biometric technologies. Many potential solutions also face resistance and skepticism from privacy advocates. Getting a program in place could take years.
Meantime, healthcare organizations can’t afford to wait. As the industry continues its shift to digital and increasingly becomes more connected, the challenges only grow. Protection must advance apace with technology. Digital identity will play a crucial role in protecting organizations, but solutions must be convenient, flexible, and purpose-built to meet the unique, demanding, constantly changing security, compliance, and workflow challenges of the modern healthcare enterprise.
Gus Malezis is the President and Chief Executive Officer of Imprivata, where he continues his strong track record of delivering growth and innovation for leading technology and security companies such as Tripwire, McAfee, and 3Com.
This is an exquisite example of an appeal to hospital administrators that completely ignores the perspective of patients and physicians and then claims to achieve “trust”. A brief list in order of appearance:
– “… information security, compliance, and workflow challenges.” is quite true but ignores the elephant in the room, privacy. You could snap your fingers today and fix all of the security issues in healthcare and that would still leave US with a $Trillion in excess spending, personal bankruptcies, and disparities unique among rich economies.
– “…providers and patients…” ignores and misleads the vast difference between the providers who hold the power and the patients who are scared and vulnerable. Compliance is a provider perspective. Privacy just gets in the way of their “workflow”. Real trust requires the providers to be completely transparent and public while the patients are completely private and often anonymous.
– Myth #1 – the bank ID example is confusing as applied to patients and might be bad for trust when applied to providers. The whole point of a bank ID is that it’s siloed to relationships with that one issuing bank. Imagine if every hospital, lab, insurance company, etc. a patient deals with issued a separate digital ID (just like they do today without the “digital”)? Also, consider that bank IDs are only used under strict consent and transparency. Health records are typically used without _any_ consent under HIPAA TPO exemptions. As for physicians, trust is not helped when a physician can (mal)practice under different identities in different places.
– Myth #2 – MFA for patients is not practical today. Do you really expect two different provider organizations to accept the same authentication scheme in today’s US environment? ApplePay everywhere for patients would be a wonderful thing but who will be trusted to play the role of Apple? Who will pay to upgrade to hundreds of thousands of patient registration systems to accept the new standard for MFA?
– Myth #3 – There is slow progress toward digital IDs and government is constructively involved through the Department of Homeland Security. The role of government is to insist on standards so that digital ID, be it government or privately issued, is interoperable across the various providers and vendors. The majority of digital ID initiatives these days, around the world, focus on standards like W3C Decentralized Identifiers.
Given the rapid evolution of privacy laws in the EU, California, and quite likely the US at the Federal level, it’s hard to imagine any proprietary digital ID solution adopted by an institution today as a reasonable investment for tomorrow. I hope Imprivata and others trying to sell their wares to administrators do a better job of considering the perspective of patients and physicians and move toward privacy-preserving and standards-compliant digital ID.