Why healthcare cyber security starts inside out

Paul Trulove of SailPoint discusses how to deploy identity governance in healthcare


In this piece, Paul Trulove, vice president of product management at SailPoint, outlines seven success factors for identity governance in healthcare.

Locking the doors might keep out unwanted intruders, but what happens when it’s the users inside the perimeter you should worry about the most?


In the UK alone, there have been several reports of NHS trusts leaking private information due to the actions of individuals inside the network, with the NHS admitting that patient confidentiality could be undermined under its current centralised database system.

This reaffirms something we already know but often forget: humans are imperfect in both their actions and their intent.

And, when it comes to security, all of us are capable of making mistakes and exercising poor judgement. Some may even act maliciously.

Making up for imperfections

Given the risks and consequences associated with exposing patient data, healthcare providers need to consider the following as part of their overall security strategy.

When security awareness is low, risk rises. Employees must be aware of the rules for handling sensitive material. But don’t settle for simply handing them a Word document upon joining your organisation.

A comprehensive approach is required.


Start with new hire training, visual cues throughout the work environment, ongoing education, and regular communications, including anecdotal stories of good and bad behaviours.

The key here is changing the employee mindset from protecting data as a secondary responsibility to protecting patients and their data as a primary purpose and mission.

The strategy for driving sustained awareness and influencing proactive behaviour should leverage a mix of efforts that motivate and enable employees on the personal, social and structural levels.

Hospitals and other health services organisations also need to put controls in place that minimise the opportunity for making costly mistakes.

That effort should be centred on identity governance.

Identity governance connects users with the access required to perform their jobs in a visible and structured way.

Here are seven success factors for identity governance in healthcare:

1. Start with a clear understanding of business needs

As the manager of IT security compliance at one institution pointed out, ‘It’s the wrong approach to buy a tool and then figure out access policies and controls’. The first step must be to define the goals that the new identity governance programme will set out to achieve.

2. Address the ‘people component’ as a first priority

Identity governance projects succeed in improving security when they align with business needs. That means designing them to accommodate the rules and politics of the organisation and the points of view of its many stakeholders, of which today’s healthcare organisation has a great number. There is often a large gap in understanding between the technical side of the house and the business users, and a project of this type requires the buy-in and participation of many different groups within the organisation.

3. Work to achieve business accountability

Managing user accounts and privileges and ensuring effective access control is not a mission that business users commonly embrace. Often, business application owners are not held accountable for ensuring adequate governance and compliance with internal controls, so IT inevitably ends up carrying responsibility for business risks. To succeed with an identity governance programme, it’s vital that accountability and ownership of risk are assigned to their rightful owner: the business side of the house.

4. Choose your project leader based on your organisation’s needs

The success of your identity governance project will depend upon the performance of key team members – especially the programme or project manager. It’s vital that you find an individual with the right skills and motivation to truly lead the effort. This person will be critical to bridging across the different functional teams involved in the project.

5. Find and maintain strong executive leadership

All successful identity governance projects require executive sponsorship. From the planning phase through implementation, the right executive will champion the vision to the company, set the strategy, secure the required resources/budget and drive stakeholder participation.

6. Communicate results early and often


Visibility is key to the success of any project and identity governance is no different. Don’t wait until the project goes live to divulge plans, goals and expectations. And don’t simply focus on execution plans and timetables; most stakeholders want to know why the project is important (e.g., risk exposures and possible consequences), what benefits it’s attempting to achieve and what changes are coming that impact them.

7. Avoid the ‘big bang’ approach; start small and build momentum

Identity governance projects are very well suited to phased implementation rollouts. You can focus the initial phases of the project on a subset of users or applications (e.g., one business unit), or you can limit functionality to one aspect of governance (e.g., access reviews or provisioning).

With security awareness programmes to drive mindset and influence behaviour, and an identity governance programme that minimises opportunities for mistakes, you may think you’ve got your bases covered.

The reality is, there are more doors left unlocked than you think.
