An overlooked weapon in your cyber security arsenal: IAM

Wes Wright
Apr 10, 2019

There’s no escaping the fact that cyber criminals are hitting healthcare hard. According to a threat report released last year by security firm Cylance, 34% of ransomware attacks in 2017 targeted healthcare, far more than any other industry. It makes perfect sense. Healthcare organizations are repositories of sensitive personal information including SSNs, DOB, and insurance information. While SSNs alone go for about $15 on the Dark Web, medical records go for at least $60 per record.

What’s worse: HIMSS research shows that 21% of attacks on healthcare are actually caused by insiders. Why are we letting this happen? As an industry, we’re focused on locking down everything on our networks, hiding it, scrambling it, etc. But we aren’t taking the same precautions when it comes to our people: whom do we trust to have access to what information?  

As with IoMT, the first thing you have to do is find all the people on your network, determine whether they should be there, and know what they have access and authorization to. To do this, we should look towards an often overlooked weapon in the fight against cyber-attacks: an integrated Identity and Access Management (IAM) platform.

I’ve had the dreaded audits that showed someone left and we didn’t get them deprovisioned in a timely manner, but still hadn’t thought of an IAM platform as a tool in my security toolbox. We need to start thinking of it that way. Sure, we all know we have to provision folks so that when they arrive at work, they’re ready to do their jobs—especially the providers. And, we know we have to get folks deprovisioned so they can’t get back into our systems if they leave the organization, by their choice, or ours. That’s the easy part of IAM, and we all pretty much do it in some way, shape, or form. 

Many organizations that have embraced the Imprivata authentication platform are now also focusing on automating their approach to Governance, Risk Management and Compliance (GRC). They’re doing this to reduce IT costs, strengthen data security and compliance, and empower care providers to deliver high quality care the moment they join the hospital. And this is the part of your system that you’ll use as your weapon against cyber threats.

A good GRC component of your IAM system can help you keep your environment as locked down as possible. You should use that system to see who has access to which applications and—if it’s good enough—which authorizations within each application they hold. Most healthcare IT folks (myself included!) want to map out the entire IAM process up front: first the roles we need, then the application groupings, then the permissions, and so on. Because we think like that, we often never get started! It’s hard, and we fall back on the “I have to involve so many people” excuse. Plus, we view IAM as a “back office” system that’s like plumbing, so there’s no glory in it. Sound familiar, cybersecurity friends?

You have to get started on this. In healthcare, unlike in most other industries, we have a lot of systems that aren’t AD integrated. In other industries, where almost all apps are integrated with some kind of directory system, if you kill the directory account, you’ve killed access. We all know that’s not true in HIT. How many accounts do you send over to the PACS or Cardio folks so they can build accounts in those systems? Those are the dangerous ones, because you don’t have continuous visibility into what’s happening with them. That’s another place where a good IAM platform, and specifically its GRC component, can help.

One of the first reports I would look at is “orphaned accounts”—that is, accounts that are in your system, but don’t have a directory-based account associated with them (e.g., no AD account). That tells you those accounts, while dead in the overall system, still have access to another system/app within your domain. That’s very dangerous and unsettling in HIT because we know how many accounts are built and maintained outside of IS. This is just one example of how you can use an IAM platform to help in your fight against cyber threats.
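The orphaned-account check described above, written out as a small reconciliation script. This is an added example, not Imprivata code or its report format: it compares constructed account exports from non-AD-integrated systems (PACS, Cardio) against a constructed directory export and flags app accounts that have no directory identity, or whose directory identity is disabled while the app account is still live.

```python
"""Reconcile clinical-system account exports against a directory export.
Added example; the export shapes below are assumptions, not a real product format."""
from dataclasses import dataclass

# Constructed directory export: username -> account enabled flag
DIRECTORY = {
    "jsmith": True,
    "mjones": False,   # left the organization; AD account disabled
    "rlee": True,
}

# Constructed exports from systems that are not directory integrated:
# (system, username as stored in that system, account enabled in that system)
APP_ACCOUNTS = [
    ("PACS", "jsmith", True),
    ("PACS", "mjones", True),      # AD disabled, but PACS login still works
    ("PACS", "tbrown", True),      # built locally; no AD account at all
    ("Cardio", "RLee", True),      # same person as "rlee", different casing
    ("Cardio", "svc_cardio", True),  # local service account, no AD identity
    ("Cardio", "mjones", False),   # already disabled in the app; nothing to flag
]


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    reason: str


def normalize(username: str) -> str:
    """Systems differ in case and whitespace handling; compare on a canonical form."""
    return username.strip().lower()


def find_orphaned_accounts(directory, app_accounts):
    """Return one Finding per enabled app account that is orphaned (no directory
    account) or whose directory account is disabled yet app access remains."""
    dir_norm = {normalize(u): enabled for u, enabled in directory.items()}
    findings = []
    for system, username, app_enabled in app_accounts:
        if not app_enabled:
            continue  # access already removed in the app itself
        key = normalize(username)
        if key not in dir_norm:
            findings.append(Finding(system, username, "no directory account"))
        elif not dir_norm[key]:
            findings.append(Finding(system, username, "directory account disabled"))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_accounts(DIRECTORY, APP_ACCOUNTS):
        print(f"{f.system}: {f.username} -> {f.reason}")
```

Run against real exports, the "directory account disabled" rows are the accounts the text calls dead in the overall system but still live in a departmental app; the "no directory account" rows are the locally built accounts that never had directory visibility at all.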

Imprivata Identity Governance integrates with the Imprivata authentication platform to provide a holistic view of access risk vulnerabilities, including excessive or abnormal access rights and un-provisioned access. I’d encourage you to take a look at our IAM platform to see not only how you can help prevent cyber-attacks with proper GRC, but also how you can decrease IT costs, improve data security, and ultimately shift the focus to quality patient care, exactly where it should be.