Sep 18 2025
Security

PAM: Privileged Access Management in Remote and Hybrid Healthcare Work

Adding an extra security layer helps protect health systems’ privileged accounts and systems and their highly valuable data.

For malicious actors, one of the most effective ways to interrupt health systems is to take over their privileged accounts and their most critical systems.

“There needs to be an extra layer of diligence to make sure healthcare systems keep operating,” says Joel Burleson-Davis, CTO of Imprivata.

That security layer is privileged access management, which requires additional authentication and authorization when users, such as super users with administrative privileges, attempt to access privileged accounts or systems, such as electronic health records (EHRs).

“Privileged access management is about the security of the keys-to-the-kingdom accounts,” says Dennen Monks, field tech strategist at CrowdStrike. “You can’t have strong cybersecurity today without PAM.”

Zero-Trust PAM for Distributed Healthcare Teams

For healthcare organizations, PAM is essential for two main reasons: It helps protect their highly valuable data and their mission-critical systems. But PAM becomes even more crucial for organizations that have remote or hybrid workers or that work with an intricate mix of third parties such as contractors, technology vendors and service providers.

Many remote or hybrid workers work on the health system’s devices with the entire security stack, such as anti-malware, endpoint/extended detection and response, and data loss prevention software. But it’s a different situation when service providers’ remote or hybrid workers use equipment that the organization does not own.

“There’s no real perimeter. The castle-and-moat paradigm is dead,” Burleson-Davis says.

That’s why, instead of a network perimeter-based security approach, organizations with zero-trust PAM extend their security boundaries to the people accessing their systems.

“If we’re going to allow a remote worker to access any type of sensitive data, we want that remote system to be, for all intents and purposes, part of the organization. It should not be an unmanaged or personal device,” Monks says. “Zero trust has the tagline that identity is the new boundary, and that does work well in a remote or hybrid workplace.”

PAM gives healthcare organizations visibility into authentications and authorizations globally, both onsite and remote, and lets them monitor that activity. Whether with face recognition, passkeys or ID verification, PAM’s high levels of authentication provide assurance of the user’s identity.

Risk-Based Authentication for Healthcare Users

User identity alone is not enough, however. A PAM solution also considers a user’s normal behavior patterns and determines any deviation from the norm.

PAM considers a range of factors and risks to determine if access should be granted or denied, such as the type of data that a user wants to access, whether the data is sensitive or not, and whether such a request from that user is normal or not.

Is the individual working from their usual home office and during their usual hours? Or are their location and time suddenly different? Has a user who typically logs in to the EHR system just once a week been logging in to that system several times a day?

These risk signals indicate that further authentication, such as with a passkey or with step-up authentication for users already connected to the system, may be needed.

“They are very adaptive in nature,” Monks says of PAM solutions that leverage intelligent behavior analytics. “It’s about understanding the context of the request: where the user is connecting from, what type of data access they want and what type of device they’re on.”

Clinical Workflow Integration and Emergency Access

With PAM, users do not have standing access to privileged accounts. Instead, they can gain only just-in-time and just-enough access — that is, the least amount of privilege needed. For instance, a physician working from home to update patient records needs access to one or two systems, not the entire healthcare network.

With credential management rotation, users gain access to privileged systems only once they prove they are who they say they are, and only for a set period. After that, the credential cannot be used again.

But healthcare systems must leverage PAM without hampering clinical workflow or emergency access. “One of the really tricky parts about PAM is that organizations are constantly weighing the benefits and ease of use from a user perspective with the security,” Monks says.

PAM tools with built-in automation and intelligence can detect and respond to risk signals without slowing down the workflow.

So, if IT administrators in their usual place and time access the usual systems, intelligent PAM tools can consider the behavioral dynamics and determine that three-level authentication is not needed. But when any risk signals change, the tools automatically require more authentication.

“It’s about creating increasingly bigger speed bumps without ever creating a block, unless it is malicious,” Monks says. “It’s about creating the right friction for the right scenario.”
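The risk signals listed under risk-based authentication and the graduated "speed bumps" described here can be sketched as a small decision function. This is an added example, not code from the article or from any PAM product; the signal names, the one-rung-per-signal weighting, the friction ladder and the sample user are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# All names, weights and thresholds below are illustrative assumptions.
LADDER = ["allow", "passkey_step_up", "id_verification", "manual_approval"]

@dataclass
class Baseline:                 # per-user norm learned from past sessions
    locations: frozenset
    hours: range                # usual local working hours
    weekly_logins: int          # typical logins per week to this system

@dataclass
class Request:
    user: str
    system: str
    location: str
    when: datetime
    logins_last_7d: int
    managed_device: bool
    sensitive: bool

def risk_signals(req: Request, base: Baseline) -> list:
    """Return the names of every deviation from the user's baseline."""
    checks = {
        "new_location": req.location not in base.locations,
        "unusual_hour": req.when.hour not in base.hours,
        "frequency_spike": req.logins_last_7d > 3 * max(base.weekly_logins, 1),
        "unmanaged_device": not req.managed_device,
    }
    return [name for name, fired in checks.items() if fired]

def decide(req: Request, base: Baseline) -> dict:
    """Map signals to graduated friction; the record doubles as an audit entry."""
    signals = risk_signals(req, base)
    level = len(signals)
    if signals and req.sensitive:   # sensitive data raises friction one rung
        level += 1
    action = LADDER[min(level, len(LADDER) - 1)]
    return {"user": req.user, "system": req.system, "time": req.when.isoformat(),
            "signals": signals, "action": action}

# Constructed sample: a clinician who normally opens the EHR about once a week.
BASE = Baseline(frozenset({"home-office"}), range(8, 18), 1)
USUAL = Request("dr.lee", "ehr", "home-office", datetime(2025, 9, 18, 10), 1, True, True)
ODD = Request("dr.lee", "ehr", "hotel-wifi", datetime(2025, 9, 18, 23), 9, True, True)

if __name__ == "__main__":
    for r in (USUAL, ODD):
        print(decide(r, BASE))
```

The top rung is a hold for human approval rather than a denial, and each decision carries the signals that triggered it so the access can be reconstructed later.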

HIPAA Compliance and Auditability in Remote Access Scenarios

Privileged access for remote third parties represents a significant risk for HIPAA compliance. By securing privileged access to critical systems such as EHRs, a PAM solution helps ensure HIPAA compliance for health systems working with remote or hybrid third parties — reducing risk and improving resiliency.

“If a healthcare organization has all of its nonemployees and its EHR well managed in a PAM system, it’s in a really good spot,” Burleson-Davis says.

And auditability is key. PAM processes must be auditable “so we know exactly what happened” whenever a user accesses a privileged system, he says. “We need to be able to go back and replay it, so we know exactly what happened.”
