Why Healthcare Can’t Afford to Ignore Digital Identity
Investing in digital identity can improve security, increase clinical productivity, and boost healthcare’s bottom line. — by Gus Malezis, CEO of Imprivata
Digitalization has created immeasurable opportunities for businesses over the past two decades. But the growth of hybrid work and the expansion of the Internet of Things (IoT) have outpaced traditional ‘castle and moat’ cybersecurity, introducing unprecedented vulnerabilities, especially in the healthcare industry. Although all organizations have important data to secure, healthcare holds some of the public’s most sensitive personal health information (PHI) – not to mention insurance and financial data.
We all expect this information to be secured and protected, especially with HIPAA laws in place. However, due to increasing IT fragmentation and the growing sophistication of cyberattacks, this is no longer guaranteed. In fact, the number of individuals affected by health data breaches in the U.S. since 2009 is greater than the U.S. population of just over 330 million, according to HIPAA. It’s clear that legacy methods to protect PHI aren’t up to par. Today’s healthcare organizations need to prioritize a strategy focused on securing the user (the digital identity) and their credentials, not the environment.
The benefits of digital identity for your bottom line
We all understand the concept of insurance in our personal lives and pay those premiums to ensure coverage if tragedy strikes. We don’t view insurance as the sole layer of protection; indeed, we consider prerequisites such as good knowledge, training, preparation and accreditation (where applicable) to be basic investments. Insurance offers the final layer of protection. The same must hold true for the organizations responsible for protecting PHI and other sensitive data. That’s where cyber insurance becomes essential; however, without a sound digital identity strategy in place, qualifying is unlikely (if not impossible).
Many underwriters require organizations to go through an in-depth vetting process to ensure they have robust solutions to control and monitor the access of users across their systems. This means less risk for the organization, and less risk for the underwriter. It also means less expensive premiums, which skyrocketed by 26.8% in 2022. Digital identity is the key to meeting these requirements. Implementing a holistic strategy can effectively reduce the cost of the premium and the long-term risk of a cyberattack or breach – putting more savings towards your bottom line and patient care.
Investing in digital identity is an investment in healthcare systems and patients
Establishing a digital identity strategy is an investment, but it’s one that is prudent, practical, and necessary for future-proofing your infrastructure. It provides a myriad of security, compliance, and privacy benefits that clinicians, security teams, and patients experience every day. From a clinical perspective, digital identity makes accessing technology completely transparent – invisible even. Tools like no-click access single sign-on can streamline logins and authentication processes to all applications, systems, and data, whether on-prem or in the cloud, to give back more time for patient care and reduce time spent with technology. IT teams also experience workflow improvements with digital identity, as it secures credentials and improves the organization’s compliance and security posture. And from a patient perspective, digital identity means better protection of PHI, and more meaningful time spent focused on care.
With that in mind, implementing a comprehensive strategy can be daunting for those with fragmented IT environments and countless users and roles that change daily. To get started, healthcare organizations should:
- Assess and consolidate their tech stack. Healthcare organizations are often running thousands of applications. This excess not only increases the attack surface, but also the risks associated with more third-party vendors accessing your systems – especially considering that only 34% of organizations assess their vendors for basic security requirements. Rationalizing applications will provide better visibility over the environment, improve operability, and reduce unnecessary costs and exposure.
- Automate user account provisioning and de-provisioning. Healthcare workers need access to clinical applications from the moment they are onboarded, but manual provisioning is slow and error-prone. Likewise, as roles change or staff leave the organization, healthcare systems need to be vigilant about off-boarding users, too. Stolen credentials were a leading vector for breaches in 2022. By automating the provisioning and de-provisioning processes, organizations can disable access instantly to eliminate the risk of compromised credentials from an inactive account.
- Implement multifactor authentication (MFA). MFA is becoming more widely adopted for businesses and consumers alike. But with two or more verification factors required for clinicians to prescribe medication or access the electronic health record, it’s essential for this process to be efficient and secure. With digital identity, health systems can verify access without impacting clinical workflows through biometric or badge tap authentication. This added layer of efficient security can prevent a bad actor from moving laterally across a network, while improving time to access for clinicians and directing time back to patient care.
- Give users a password-less experience. Passwords have a tricky habit of both protecting organizations and making them vulnerable. If they’re easy to remember, they’re easier to hack. But if they’re too complex, most people will find workarounds, like writing them on post-its or sharing credentials with other users. Single sign-on (SSO) solutions can eliminate password fatigue and simplify access by replacing logins with no-click authentication, while enforcing complex passwords that users rarely need to enter.
- Practice the principle of least privilege. Although most organizations rely on third-party vendors, 50% have experienced a third-party data breach, primarily as a result of giving too much privileged access. With privileged access management, a user is only granted access to perform a specific task, and nothing more. This improves security and safeguards access to the organization’s most sensitive information.
As healthcare organizations adapt to a new normal of IT security, it’s essential to implement a digital identity strategy. With insurance requirements becoming more costly and stringent, and cyberattacks more threatening, digital identity is the key to future-proofing healthcare digitalization. It ticks the box for several cyber insurance and federal compliance requirements, in addition to following zero trust principles. Between strained budgets and escalating cyber risks, digital identity can reduce risk while improving compliance, streamlining user access, and bolstering security.
Given the frequency and severity of today’s cyberattacks, the next one is a matter of when, not if. It’s time for healthcare to save more by proactively investing in digital identity.
Note: This article is written by Gus Malezis, CEO of Imprivata, a digital identity company that helps mission- and life-critical industries solve complex workflow, security, and compliance challenges. Their platform offers identity, authentication, and access management solutions for managing and securing enterprise and third-party digital identities, operating in over 45 countries.