Why Healthcare Cybersecurity Starts Inside Out
Locking the doors might keep out unwanted intruders, but what happens when the users already inside the perimeter are the ones you should worry about most? A recent Wall Street Journal article reported that, of 450 data breaches at hospitals, health insurers and other healthcare-related service providers that hold sensitive patient information, 192 were attributed to insiders (99 were classified as accidental and 91 as the result of "insider wrongdoing").
The article reaffirms something we all know but often forget: humans are imperfect in both their actions and their intent. When it comes to security, all of us are capable of making mistakes and exercising poor judgment. Some may even act maliciously.
Making up for Imperfections
Given the risks and consequences associated with exposing patient data, healthcare providers need to consider the following as part of their overall security strategy.
When security awareness is low, risk rises. Employees must be aware of the rules for handling sensitive material. But don’t settle for simply handing them a Word document upon joining your organization. A comprehensive approach is required. Start with new hire training, visual cues throughout the work environment, ongoing education, and regular communications (including anecdotal stories of good and bad behaviors). The key here is changing the employee mindset from protecting data as a secondary responsibility, to protecting patients and their data as a primary purpose and mission. The strategy for driving sustained awareness and influencing proactive behavior should leverage a mix of efforts that motivate and enable employees on the personal, social and structural levels.
Hospitals and other health services organizations also need to put controls in place that minimize the opportunity for making costly mistakes. That effort should be centered on identity governance. Identity governance connects users with the access required to perform their jobs in a visible and structured way. Here are seven success factors for identity governance in healthcare.
- Start with a clear understanding of business needs – As the Manager of IT Security Compliance at one institution pointed out, "It's the wrong approach to buy a tool and then figure out access policies and controls." The first step must be to define the goals the new identity governance program sets out to achieve.
- Address the “people component” as a first priority – Identity governance projects succeed in improving security when they align with business needs, including how they are designed to accommodate the rules and politics of the organization or the points of view of various stakeholders (of which there are many in today’s modern healthcare organization). There is often a large gap in understanding between the technical side of the house and the business users, and this type of project requires the buy-in and participation of many different groups within the organization.
- Work to achieve business accountability – Managing user accounts and privileges and ensuring effective access control is not a mission that is commonly embraced by business users. Often, business application owners are not held accountable for ensuring adequate governance and compliance with internal controls. Thus, IT inevitably ends up with the responsibility for business risks. To succeed with an identity governance program, it’s vital that the accountability and ownership of risk is assigned to its rightful owner: the business side of the house.
- Choose your project leader based on your organization’s needs – The success of your identity governance project will depend upon the performance of key team members – especially the program or project manager. It’s vital that you find an individual with the right skills and motivation to truly lead the effort. This person will be critical to bridging across the different functional teams involved in the project.
- Find and maintain strong executive leadership – All successful identity governance projects require executive sponsorship. From the planning phase through implementation, the right executive will champion the vision to the company, set the strategy, secure the required resources/budget and drive stakeholder participation.
- Communicate results early and often – Visibility is key to the success of any project, and identity governance is no different. Don't wait until the project goes live to share plans, goals and expectations. And don't focus only on execution plans and timetables; most stakeholders want to know why the project is important (e.g., risk exposures and possible consequences), what benefits it aims to achieve and what changes are coming that affect them.
- Avoid the “big bang” approach; start small and build momentum – Identity governance projects are very well-suited for phased implementation rollouts. You can focus initial phases of the project on a set of users or applications (e.g., one business unit), or you can limit functionality to one aspect of governance (e.g., access reviews or provisioning).
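To make the "access reviews" phase above concrete, here is a small added example, written for this post and not taken from the whitepaper or any product. It reconciles an entitlement export against an HR feed and a set of role baselines, then routes each finding to the business owner who must certify or revoke it (the "business accountability" factor). The role baselines, application owners, HR records and entitlement rows are all constructed for illustration.

```python
"""Minimal access-review pass: compare what accounts actually hold against
what each job role should hold, flag accounts with no valid owner, and
group the findings by the business owner who must certify them.
Every data set below is constructed for this example."""
from dataclasses import dataclass

# Hypothetical role baselines: the entitlements a job role is expected to hold.
ROLE_BASELINES = {
    "nurse": {"ehr.read", "ehr.write_notes"},
    "billing_clerk": {"billing.read", "billing.write"},
    "ehr_admin": {"ehr.read", "ehr.write_notes", "ehr.admin"},
}

# Hypothetical application owners: the business side that certifies access.
APP_OWNERS = {
    "ehr": "Dir. Clinical Informatics",
    "billing": "Revenue Cycle Manager",
}

# Constructed HR feed: the source of truth for who works here and in what role.
HR_DIRECTORY = {
    "jdoe": {"role": "nurse", "status": "active"},
    "asmith": {"role": "billing_clerk", "status": "active"},
    "rlee": {"role": "nurse", "status": "terminated"},
}

# Constructed entitlement export pulled from the applications.
ACCOUNT_EXPORT = [
    {"user": "jdoe", "entitlement": "ehr.read"},
    {"user": "jdoe", "entitlement": "ehr.write_notes"},
    {"user": "jdoe", "entitlement": "billing.write"},   # beyond the nurse baseline
    {"user": "asmith", "entitlement": "billing.read"},
    {"user": "asmith", "entitlement": "billing.write"},
    {"user": "rlee", "entitlement": "ehr.read"},        # employee has left
    {"user": "ghost", "entitlement": "ehr.admin"},      # no HR record at all
]


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str   # "orphaned", "terminated" or "excess"
    owner: str    # business owner who must certify or revoke


def app_of(entitlement):
    """Application prefix of an entitlement, e.g. 'ehr' for 'ehr.read'."""
    return entitlement.split(".", 1)[0]


def review_access(hr, export, baselines, owners):
    """Return one Finding per entitlement that a reviewer must act on."""
    findings = []
    for row in export:
        user, ent = row["user"], row["entitlement"]
        owner = owners.get(app_of(ent), "unassigned")
        person = hr.get(user)
        if person is None:
            # Account exists in the application but nobody in HR owns it.
            findings.append(Finding(user, ent, "orphaned", owner))
        elif person["status"] != "active":
            # Leaver whose access was never deprovisioned.
            findings.append(Finding(user, ent, "terminated", owner))
        elif ent not in baselines.get(person["role"], set()):
            # Active employee holding more than the role calls for.
            findings.append(Finding(user, ent, "excess", owner))
    return findings


def certification_packets(findings):
    """Group findings by business owner: one review packet per owner."""
    packets = {}
    for f in findings:
        packets.setdefault(f.owner, []).append(f)
    return packets


if __name__ == "__main__":
    packets = certification_packets(
        review_access(HR_DIRECTORY, ACCOUNT_EXPORT, ROLE_BASELINES, APP_OWNERS))
    for owner, items in packets.items():
        print(f"Review packet for {owner}:")
        for f in items:
            print(f"  {f.user:8} {f.entitlement:18} {f.reason}")
```

Entitlements the baseline already covers produce no finding, so the reviewer sees only the three rows that need a decision; the terminated and orphaned cases are the ones an awareness program alone will never catch, which is why the post pairs training with governance controls.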
With a security awareness program to drive mindset and influence behavior, and an identity governance program that minimizes opportunities for mistakes, you may think you have your bases covered. The reality is that there are more doors left unlocked than you think. I'll touch on that in my next blog. For now, you can get much more detail by downloading a copy of our whitepaper, 'Seven Success Factors for Identity Governance'.