Healthcare organizations handle critical, sensitive data, but not everyone needs access to that data at all times. And with staff turnover and other organizational changes, IT teams must ensure that access is managed appropriately and with minimal interruptions to workflow.
“Effective IAM lets users access the data they need without undue risk, excess privileges or a cumbersome user experience,” write several CDW security experts in a 2024 white paper. “In fact, IAM can help organizations resolve the perceived tension between cybersecurity and UX, as simpler security procedures tend to increase employee compliance. IAM is also a prerequisite for zero trust, an effective defense against data breaches.”
How Identity Fits into Healthcare Zero Trust Strategies
Identity is one of the five pillars of the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model. According to the agency, “zero trust presents a shift from a location-centric model to an identity, context, and data-centric approach with fine-tuned security controls between users, systems, applications, data, and assets that change over time.”
Healthcare IT teams must manage hundreds if not thousands of identities, and the fluctuating nature of the workforce poses significant hurdles. Leaders from Ohio-based aging services provider Eliza Jennings discussed their experiences during the LeadingAge 2023 Annual Meeting and Expo.
Senior care organizations rely on temporary workers in many departments, and managing temporary credentials has proven to be a difficult task. Though universal login credentials are useful for efficiency, they’re not ideal from a security standpoint. Access to physical spaces is also a key consideration for ongoing security training and management.
“I think that we get a little complacent a lot of times with keys and access, especially with offboarding employees, making sure the keys are collected and we’re documenting. So, include them in the training as well,” Vice President of IT Michael Gray said during the session.
A 2023 Okta survey found that more than 9 out of 10 healthcare respondents named identity as either very important or somewhat important to their zero-trust security strategies. However, when it comes to how healthcare organizations verify internal and external users, passwords were still the top method at 61%, followed by security questions at 51% and hardware one-time passwords at 38%.
The Benefits of an IAM Approach to Zero Trust in Healthcare
Healthcare organizations that strengthen their IAM will find improvements in third-party management, increased efficiency for IT teams and reduced security risks.
Health systems inevitably will work with multiple vendors, but they can still shore up their approach to third-party risk management. “IAM helps organizations manage these risks by applying managing lifecycle access through rigorous authentication and access controls to third-party users. This includes limiting their privileges and revoking access when it is no longer needed. IAM solutions can simplify these processes by increasing visibility into third-party access privileges and histories and assigning access based on carefully defined roles,” the CDW experts write.
IAM solutions can reduce complexity and support IT teams with customizable workflows and policies, dashboards and other features. Automation can streamline onboarding and offboarding processes and reduce errors.
And as concerns grow about insider threats, IAM solutions allow IT teams to monitor user activity and enforce least privilege access. “IAM also addresses vulnerabilities arising from human error, including weak passwords, susceptibility to phishing, and outdated software or devices,” the CDW experts note.