GISEC 2022 Part 2– Managing Digital Identity – The Elephant in the Room

There was a significant presence at the Gulf Information Security Expo & Conference (GISEC) in Dubai, which I attended recently. My previous blog covers many of the enlightening facts and viewpoints discussed, with Zero Trust very much a common thread discussed by almost all presenters and the topic of Identity highlighted as fundamental to this. The elephant in the room that wasn’t addressed was the challenge of managing digital identity, specifically in a complex healthcare setting. I explain here what I mean by that, and suggest some solutions.

Cyber risk – optimise for the business

An intriguing point was made by Omar Khawaja, CISO of Highmark Health, describing how at the start of COVID he had sat with his team with a view to identifying which security controls they could eliminate in order to give more time back to the care providers. In his view a transition needs to be made from security leaders to cyber risk leaders. The accompanying shift in thinking should empower and encourage leaders to care enough about the business to actually eliminate security controls and free up time.

This leads nicely to the elephant in the room. There was consensus on the failure of perimeter-based security frameworks, on the need to embrace Zero Trust, and on the importance of identity as a fundamental step on that journey.

However, what nobody addressed was the extreme challenge of how to establish identity in the busy, fast moving, time-pressured environment characteristic of healthcare.

When shared workstation usage across the campus is the norm, many organisations eliminate controls on workstation access, making use of shared generic accounts, but the associated lack of identity information is a hindrance to a ZT architecture. Other organisations don’t accept this risk and insist on users authenticating individually, but the reality is this is an impossible demand and clinicians find workarounds such as sharing credentials.

Perhaps this is why only 14% of healthcare is enabling ZT against 78% of industry in general; could the challenge be perceived as too great?

Digital ID and Healthcare

Imprivata’s focus for some time has been on analysing the challenges associated with digital identities in the healthcare environment, and we’ve consolidated expertise from a variety of respected analysts and institutions into the Imprivata Digital Identity Framework (DIF).

Imprivata’s integrated portfolio delivers many of the DIF requirements and addresses the key themes I heard with Imprivata OneSign and Imprivata Identity Governance.

Imprivata OneSign provides our customers with the ability to switch users on shared workstations incredibly quickly. The enterprise-level fast multi-factor authentication combined with multiple avenues for single sign-on are both capabilities that are fundamental to achieving pillar #1 (Identity) of the CISA Zero Trust model. Not only that, but we deliver this as a security control that actually frees-up significant time for our care providers, who adopt it with enthusiasm.

Imprivata Identity Governance deals with the problem of accidental over-delivery of permissions, automating the provisioning process and providing full Governance, Risk and Compliance (GRC) controls throughout the lifecycle of the identity – including privileged identities that can further be controlled through Imprivata Privileged Access Management.

Each of these solutions can be delivered as one of the small chunks in the step-by-step strategy advocated by MK Palmore, former head of FBI San Francisco, now a Silicon Valley cybersecurity strategic advisor. Small chunks, easily delivered within a realistic timeframe measured in months, but of greater impact in a Zero Trust journey than perhaps I had realised.