Classic IAM Implementation Mistakes in Healthcare

… and how to fix them.
If you belong to healthcare IT Security, I urge you to do this. Open a search engine and type recent breach in healthcare information security.
Go ahead and move to news tab of your search engine. Alarmed! Right?
Interestingly cyber-crime including the ones reported recently in Washington, DC based MedStar Health system and the Hollywood Presbyterian Medical Center in Los Angeles were not unusual.

By taking note of important aspects of IAM, healthcare providers can avoid costly IAM mistakes!

Being in the IT industry, we cannot hope that the attacks will stop and they won’t stop. However, given the pattern adopted by criminals’ point at lack of checks and laziness in blocking or addressing the loopholes in the IT systems. In such a scenario, all healthcare providers can do is to implement the right technology and avoid costly mistakes due to a compromised IT system. The sensitivity of the information in the Healthcare IT security space cannot be undermined, because it can potentially result in sensitive information being stolen such as SSNs, Birthdates or any PII related information. This can dent the reputation, lead to loss of customers, monetary loss in the form of regulatory penalization and cost involved in putting the right technology in place to rectify the system.
I am assuming you must have heard the statement, “Prevention is better than cure”. It rightly fits into this scenario. One such solution that can be implemented to introduce preventive control is implementing IAM. However, there are some mistakes that are made widely while implementation of IAM technology or execution of IAM tasks. Hence, I am writing this article to expose these IAM mistakes to some extent.
For being experts in the field of IAM, and having taken up a lot of healthcare-related projects at Avancer.

Listed below are classic IAM implementation mistakes in Healthcare that our experts have come across:

  1. Setting up a system for the sake of compliance:

    2. Many healthcare organizations look at regulatory compliance as a liability. However, they fail to look at it as an opportunity to create agile IT systems by setting the right networks and placing application integrators that seamlessly interact with the IAM system that also works in ensuring compliance. HIPAA, HITECH, management of Electronic Health Records (EHRs) have been enforced through a range of regulations. They act as high-level guidelines rather than prescriptive recommendations, but many organizations treat them as comprehensive security rulebooks. IAM experts discourage this kind of approach as it leaves healthcare providers compliant with regulations, but not in the spirit of regulation.

  2. Missing out on minimizing information duplicity:

    3. Clinical errors emerging from duplicate or incomplete patient records can compromise patient safety. IAM systems need to integrate and communicate with data silos created not just within a healthcare establishment but also between various stakeholders. Moving into an electronic environment points at the need for an accurate system of patient identification. In addition, integrating APIs into the system becomes important in bringing together silos of information related to patient records, and then further strategizing this information through correct access.

  3. Overreliance on internal expertise:

    4. IAM is a niche technology, and an important cyber security element. It is not possible to find the right set of talent. Without sufficient investments in advanced tools and human capital, a firm’s internal cybersecurity staff and systems will always be deficient in skills and capabilities. As healthcare service providers cannot afford to fumble on IT Security, therefore getting IAM consultants on board can help. Such association helps in knowledge exchange and learning avenues for the in-house IT team, bringing them in contact with IAM mentors. This is a win-win situation for both – the IT employees to gain greater knowledge of the system and the organization to have a better IT security shield.

  4. Missing out on educating and mentoring employees:

    5. While an employee might mistakenly leave a loop open for cybercriminals, employers must take this threat as an opportunity to create a digitally healthy workforce. Just being aware of risks faced by a user (read employee) in IT/Cyberspace can potentially shut down a threat funnel. In addition to establishing security checks such as access governance, user identity verification and activity auditing, training employees of recommended IT practices is becoming more critical to ensuring IT Security.

  5. Under-investment in technology:

    6. CIO’s and IT Security professionals struggle with justifying the cost of making an IAM investment. It is however not the possibility of attack, but the impact of an attack that should drive investment into IAM infrastructure. Even after having an IAM system in place, manual management of various applications acts as a deterrent to the spirit of placing an IAM system. Application Integrators must be utilized to strengthen interaction amongst IAM Systems and various applications.

By taking note of above-mentioned mistakes and making rectifications on the same can help in achieving robust IAM Systems that interact effortlessly with the IT System.

If you have any specialized need for Healthcare IAM, reach out to experts at Avancer.

Drop us a request
/ Industry Insights, Security & Compliance

About the Author

Rajesh Mittal

With over 20 years of experience in Application Security, Identity Management and IT infrastructure related projects, Rajesh has a developed a solid understanding of all aspects of IT security field and has assisted clients, of all sizes, in almost all segments of their Identity and Access Management journey. His core competency and passion lies in integrating heterogeneous products, fostering innovation to develop new Solutions and solving customer problems quickly and effectively. He is VP of Technology and Co-Founder of Avancer Corporation and leads Technical Strategic Planning, New Business Development, Marketing and Business Expansion. Prior to starting Avancer Corporation, Rajesh’s entrepreneurial venture, he has worked with PWC Consulting/Entology/HSBC/ LG Electronics in various capacities developing IT security solutions spanning multiple geographies. Rajesh holds a BE in Electronics Engineering from University of Pune, and MBA in Finance and Leadership from Stern School of Business, New York University.