Fun fact: Personal health information is often said to be worth as much as 50 times more than financial information on the black market. With the steady rise in cybercrime and attackers’ increasingly sophisticated and destructive tactics, if you support the healthcare industry, now is a good time to make sure you have a handle on IT healthcare compliance.
What Is IT Healthcare Compliance?
While safeguarding patients’ personal data is one part of IT healthcare compliance (no one wants to be on the wrong side of a HIPAA violation), we also need to focus on the access management aspects of compliance. That is, we need to secure, control, manage, and monitor who has access to the organization’s systems and know how that access was granted.
Auditing is an integral part of IT in highly regulated industries. Government and other regulatory agencies require periodic audit data that shows your organization is playing by the rules. When it comes to IT healthcare compliance, you need defensible audit data that shows who has access to a system, why they have it, where it came from (a request, a role, an affiliation), and who approved it.
In a complex industry like healthcare, this audit trail can be pretty convoluted. For example, a doctor is affiliated with a particular hospital. When she is rounding at the hospital, she and her office staff need access to the system. But if the doctor terminates her affiliation with the hospital, both the doctor and her staff must be deprovisioned.
To maintain compliance, the audit trail in this scenario needs to follow each individual’s access from the original request and approval, through provisioning, to its eventual removal, so that an auditor can verify that the proper procedures were followed at every step.
How IT Healthcare Compliance Affects the Organization
At the organizational level, IT healthcare compliance drives identity governance and lifecycle management efforts.
Identity governance helps define who owns which parts of access management—IT or the business. In an organization with an established identity governance and administration (IGA) framework, IT generally owns the technology and the business owns access decision making, the access review process, and separation of duty policy enforcement. The lines are blurrier in organizations without mature IGA.
Strict adherence to separation of duty policies is crucial to maintaining compliance in a healthcare setting. Businesses must assign appropriate roles and entitlements to prevent “double-dipping” scenarios, such as staff members who can prescribe opioids also being permitted to dispense opioids.
Lifecycle management is complex in healthcare settings and can affect compliance. There tends to be a highly variable workforce, with staff who often need different levels of access and entitlements based on the role they are filling at a given time. For example, at large teaching hospitals someone may be a student during the day, then pick up nursing shifts in the evening. This individual has two roles, each requiring different levels of access at different times.
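The separation of duty and lifecycle points above (the prescribe/dispense conflict and the student-by-day, nurse-by-night case) can be made concrete with a small role model. The following is an added example, not code from the original article or from any IGA product: the roles, entitlements, shift windows and user names are constructed for illustration. It computes the entitlements a person actually holds at a given moment, checks them against a list of toxic combinations, and applies that check preventively at provisioning time, either over everything the person is ever assigned (static SoD) or only over entitlements that can be active at the same time (dynamic SoD).

```python
"""Added example (not from the original article): minimal IGA role model
with time-scoped assignments and separation-of-duty (SoD) checks.
Roles, entitlements, users and shift windows are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

# Role -> entitlements it grants (constructed, not a real hospital's model).
ROLE_ENTITLEMENTS = {
    "attending_physician": {"emr.read", "emr.write", "rx.prescribe"},
    "pharmacist": {"emr.read", "rx.dispense"},
    "nursing_student": {"emr.read"},
    "registered_nurse": {"emr.read", "emr.write", "med.administer"},
}

# Toxic combinations: holding both entitlements violates SoD, whichever roles granted them.
SOD_RULES = [
    ("rx.prescribe", "rx.dispense", "prescriber must not also dispense"),
]

FIXED_DATE = (2024, 1, 15)  # any date; only the time of day matters here


def at(hour: int, minute: int = 0) -> datetime:
    """Timestamp on the fixed sample date, for evaluating shift windows."""
    return datetime(*FIXED_DATE, hour, minute)


@dataclass(frozen=True)
class Assignment:
    role: str
    start: Optional[time] = None  # both None = role active all day
    end: Optional[time] = None

    def active_at(self, when: datetime) -> bool:
        if self.start is None or self.end is None:
            return True
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # window wraps past midnight


def assign(role: str, start_hour: Optional[int] = None,
           end_hour: Optional[int] = None) -> Assignment:
    """Convenience constructor: assign("registered_nurse", 19, 7) is a 19:00-07:00 shift."""
    if start_hour is None or end_hour is None:
        return Assignment(role)
    return Assignment(role, time(start_hour, 0), time(end_hour, 0))


@dataclass
class Identity:
    user_id: str
    assignments: List[Assignment] = field(default_factory=list)


def held_entitlements(identity: Identity, when: Optional[datetime] = None) -> Set[str]:
    """Entitlements held at `when`; with when=None, everything any assignment
    grants regardless of schedule (the static view)."""
    ents: Set[str] = set()
    for a in identity.assignments:
        if when is None or a.active_at(when):
            ents |= ROLE_ENTITLEMENTS.get(a.role, set())
    return ents


def sod_violations(identity: Identity, when: Optional[datetime] = None) -> List[str]:
    """Reasons for every SoD rule violated by the entitlements held at `when`."""
    ents = held_entitlements(identity, when)
    return [why for a, b, why in SOD_RULES if a in ents and b in ents]


def request_conflicts(identity: Identity, new: Assignment, static: bool = True) -> List[str]:
    """Preventive check at provisioning time. Static: any overlap in the whole
    assignment set is a conflict. Dynamic: only entitlements that can be active
    at the same moment conflict; the active set changes only at window
    boundaries, so evaluating at midnight and every start/end is sufficient."""
    trial = Identity(identity.user_id, identity.assignments + [new])
    if static:
        return sod_violations(trial)
    boundaries = {time(0, 0)}
    for a in trial.assignments:
        boundaries.update(t for t in (a.start, a.end) if t is not None)
    found: List[str] = []
    for t in sorted(boundaries):
        for why in sod_violations(trial, datetime(*FIXED_DATE, t.hour, t.minute)):
            if why not in found:
                found.append(why)
    return found


def provision(identity: Identity, new: Assignment, static: bool = True) -> bool:
    """Grant the role only if no SoD conflict would result."""
    if request_conflicts(identity, new, static):
        return False
    identity.assignments.append(new)
    return True


if __name__ == "__main__":
    sam = Identity("sam", [assign("nursing_student", 8, 17), assign("registered_nurse", 19, 7)])
    print(sorted(held_entitlements(sam, at(10))), sorted(held_entitlements(sam, at(20))))
    pat = Identity("pat", [assign("pharmacist")])
    print(provision(pat, assign("attending_physician")))  # refused: prescribe + dispense
```

Whether SoD is evaluated statically or dynamically is a business decision, not a technical one; for a prescribe/dispense conflict most organizations would want the static form, because the point is that the same person should never hold both, not merely that they should not hold both at 2 p.m.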
InfoSec professionals in the healthcare industry have a daunting job, to put it mildly. Managing data security in large, complex healthcare environments has always been a challenge. But with the proliferation of IoT and the hundreds of different mobile devices used to access electronic medical records (EMRs) and provide medical care today, a high-functioning InfoSec team has never been so crucial.
Hospitals and other healthcare organizations have always been popular targets for cybercriminals, and in the wake of COVID-19, threats to healthcare organizations have increased sharply.
The very specialized access needs of healthcare organizations paired with the highly sensitive data they must protect makes implementing an IGA and Zero Trust security strategy a solid choice for this environment.
Firewalls, intrusion detection systems, and anti-malware tools provide protection from many of these outside threats, but they aren’t as effective against internal threats, or against an outside attacker who has already obtained valid credentials and therefore looks like an insider. Integrating IGA and Zero Trust helps reduce the threat vectors for security breaches, both internal and external.
IGA policies and strategies help healthcare organizations minimize access-related vulnerabilities by creating visibility into user identity and privileges so the business can manage who can access which systems and when.
IGA automates the processes that create, manage, and certify individual user access within the organization. It also sets in place and enforces role, entitlement, and security policies to streamline employee provisioning, access reviews, and other access management processes that would otherwise land in IT’s lap.
In today’s highly transitional healthcare settings, Zero Trust is a must for securing access to applications and data. With an unprecedented amount of movement into, out of, and within healthcare organizations, and the huge number of employees working remotely, Zero Trust stops treating the network boundary as the security perimeter and makes identity, of the person and of the device, the perimeter instead. Firewalls and other perimeter controls still have a place, but being inside them no longer confers trust on its own.
The Zero Trust approach works off the premise that no person, system, or service is to be automatically trusted. Everyone and everything must be verified on every access. By clearly defining access control policies based on user, device, and service profiles, the network can be segmented and policies applied with a high level of granularity.
Assigning access with this level of specificity minimizes the risk of an internal user accessing resources they are not authorized to. It also limits the damage from external compromise by restricting how far an attacker can move laterally once inside.
Like many industries, healthcare is in the midst of a digital transformation. Driven by efforts to streamline processes to save money—and currently to minimize face-to-face interaction—medical software and applications are being used for everything from health exams to charting to making sure staff certifications are up-to-date.
Telemedicine has been a boon to healthcare providers during the pandemic because it enables doctors and patients to meet safely. While convenient and sensible, increased reliance on telemedicine for the foreseeable future means doctors and nurses will be accessing EMRs from pretty much anywhere on a variety of devices.
This mobility adds IAM complexity that healthcare IT must navigate and secure in order to maintain compliance and protect data. The need for healthcare organizations to manage who can access EMRs and when, and to prevent unauthorized or malicious access, is yet another reason Zero Trust is crucial to providing the level of security the healthcare industry requires.
Another factor in healthcare’s digital transformation is the adoption of integrated certification management systems. Healthcare organizations are implementing these systems to ensure staff certifications stay up to date and in compliance. If a critical certification lapses, the application automatically revokes access to relevant business systems until recertification is verified. The software tracks and documents the process end-to-end to provide audit-ready data that meets compliance standards.
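The audit-trail requirements described earlier (who has access, why, where it came from, who approved it), the affiliation example in which a doctor's departure must deprovision her office staff as well, and the certification-lapse behaviour just described all come down to one ledger of grants plus lifecycle events that change their state and leave a record. The following is an added example, not code from the original article or from any certification management product; the user names, entitlements, affiliation and certification identifiers, and dates are constructed for illustration. A certification lapse suspends rather than revokes the dependent grant, so the access is restored automatically once recertification is recorded, and every transition is appended to the audit log with its cause and actor.

```python
"""Added example (not from the original article): an access ledger that records
who/why/where/approver for every grant and applies two lifecycle events,
affiliation termination (cascading to dependent staff) and certification
lapse/renewal. Names, entitlements, identifiers and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    user_id: str
    entitlement: str
    reason: str                        # why the access exists
    source: str                        # where it came from: request id, role, affiliation
    approver: str                      # who confirmed the access
    requires_cert: Optional[str] = None
    status: str = "active"             # active | suspended | revoked


class AccessLedger:
    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit: List[Dict[str, str]] = []
        self.certs: Dict[Tuple[str, str], date] = {}  # (user, cert) -> expiry

    def _log(self, event: str, **fields: str) -> None:
        self.audit.append({"event": event, **fields})

    def grant(self, g: Grant, on: str) -> None:
        self.grants.append(g)
        self._log("grant", user=g.user_id, entitlement=g.entitlement, reason=g.reason,
                  source=g.source, approver=g.approver, date=on)

    def record_certification(self, user_id: str, cert: str, expires: str) -> None:
        """Record (or renew) a certification; expiry as an ISO date string."""
        self.certs[(user_id, cert)] = date.fromisoformat(expires)
        self._log("certification", user=user_id, cert=cert, expires=expires)

    def active_entitlements(self, user_id: str) -> Set[str]:
        return {g.entitlement for g in self.grants
                if g.user_id == user_id and g.status == "active"}

    def terminate_affiliation(self, affiliation: str, actor: str, on: str) -> List[str]:
        """Revoke every grant that exists only because of `affiliation`, for the
        affiliated person and for anyone whose access was granted under it.
        Returns the affected user ids."""
        affected: Set[str] = set()
        for g in self.grants:
            if g.source == affiliation and g.status != "revoked":
                g.status = "revoked"
                affected.add(g.user_id)
                self._log("revoke", user=g.user_id, entitlement=g.entitlement,
                          cause=f"{affiliation} terminated", actor=actor, date=on)
        return sorted(affected)

    def sync_certifications(self, today: str, actor: str = "cert-sync") -> List[str]:
        """Suspend active grants whose required certification is missing or expired;
        restore suspended grants whose certification is valid again. Returns the
        user ids whose state changed."""
        now = date.fromisoformat(today)
        changed: List[str] = []
        for g in self.grants:
            if g.requires_cert is None or g.status == "revoked":
                continue
            expiry = self.certs.get((g.user_id, g.requires_cert))
            valid = expiry is not None and expiry >= now
            if g.status == "active" and not valid:
                g.status = "suspended"
                self._log("suspend", user=g.user_id, entitlement=g.entitlement,
                          cause=f"{g.requires_cert} lapsed", actor=actor, date=today)
                changed.append(g.user_id)
            elif g.status == "suspended" and valid:
                g.status = "active"
                self._log("restore", user=g.user_id, entitlement=g.entitlement,
                          cause=f"{g.requires_cert} renewed", actor=actor, date=today)
                changed.append(g.user_id)
        return changed


if __name__ == "__main__":
    ledger = AccessLedger()
    ledger.grant(Grant("dr_lee", "emr.write", "rounds at Mercy", "affiliation:dr_lee@mercy",
                       "med_staff_office"), on="2024-01-10")
    ledger.grant(Grant("jo", "emr.read", "office staff for dr_lee", "affiliation:dr_lee@mercy",
                       "med_staff_office"), on="2024-01-10")
    print(ledger.terminate_affiliation("affiliation:dr_lee@mercy", "med_staff_office", "2024-03-01"))
    for entry in ledger.audit:
        print(entry)
```

The `source` field is what makes the cascade possible: because the staff member's grant was recorded as depending on the physician's affiliation rather than as a free-standing request, revoking the affiliation finds it without anyone having to remember the dependency. Recording the approver on each grant is what lets the later access review answer "who confirmed this" from the ledger alone.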
Mergers and Acquisitions
Healthcare mergers and acquisitions (M&A) are big business, even in the middle of a global health crisis. The M&A process creates a lot of security and compliance challenges. As the saying goes, “Complexity is the enemy of security.” Things get complex pretty quickly when you start trying to integrate two healthcare organizations.
Step one in securing access and shoring up compliance efforts is to quickly determine how employee access and user identities will be defined in order to centralize identity management across both organizations.
Once this is established, IT can move forward with automating the provisioning/deprovisioning process for new and departing employees, conducting audit reviews to ensure the right people have access to the right resources—no more, no less—and establishing that the audit trail is intact for both entities.
IT Healthcare Compliance in the Time of COVID-19
As the healthcare system fights its way through the challenging events of 2020, healthcare compliance rules have temporarily become more fluid to adapt.
Out of necessity, some compliance requirements have been relaxed during the COVID-19 crisis to facilitate dissemination of information between healthcare providers, patients, and patients’ families. We also have seen frequent and rapid role changes within healthcare facilities, which has made lifecycle management tricky for organizations that didn’t already have an automated identity management solution in place.
While it’s still hard to see any light at the end of the tunnel, at some point compliance rules will tighten back up and many organizations are going to be without appropriate audit data for a significant amount of time.
Organizations that already had an automated IAM solution in place will fare better, because they were able to add a single rule that granted temporarily elevated access to certain systems, scoped to a defined period and a defined population. These organizations will also be able to remove the rule quickly later, and they’ll have a solid, end-to-end audit trail each way.
Healthcare is one of the most regulated industries, which makes implementing a comprehensive IT healthcare compliance strategy important at the best of times, and critical in the current global health environment.
Identity and access management tools can help you take control of your regulatory and compliance efforts and create a robust solution that meets today’s needs and sets your organization up for whatever comes next.