Cybersecurity Challenges
Solving healthcare issues while improving efficiency and patient care
- By Sheila Loy
- Sep 01, 2018
Healthcare institutions face a variety of cybersecurity challenges, and the threats continue to grow and evolve. Hospitals are particularly vulnerable to data breaches and ransomware attacks because of the high value of healthcare data. In addition, most doctors and hospitals now use electronic prescribing, which is vulnerable to theft and fraud. Clearly, patient safety and data privacy come first, but at the same time, administrators are under intense cost pressures that can only be alleviated by improving operational security and the efficiency of clinical workflows.
Trusted identities offer the means to accomplish these objectives through a holistic, end-to-end approach to identity and authentication that spans multi-factor authentication, credential management, digital certificates and physical identity and access management (PIAM). Today’s comprehensive solutions strengthen security while making it easier for healthcare organizations to comply with regulatory mandates aimed at protecting patient information and the integrity of healthcare delivery in an increasingly digital world.
They also enable administrators to embrace a more connected and efficient hospital in the Internet of Trusted Things (IoTT), and they open the door to using big data and machine learning in ways that will fundamentally change how healthcare institutions operate, manage risk and deliver care and other services.
The Compliance Challenge and Opportunity
Trusted identities are integral to regulatory compliance in two key ways. First, they are used when physicians complete an authentication process to comply with the HIPAA Security Rule aimed at protecting patient health information. Additionally, they are used to comply with the Drug Enforcement Administration (DEA) mandate for a separate two-factor authentication when using electronic prescribing for controlled substances (EPCS) solutions—a key weapon in the battle against opioid abuse.
Rather than addressing these two authentication requirements separately, administrators can realize significant cost efficiencies by moving to integrated systems that extend multi-factor authentication across the entire identity and access management lifecycle. Integrated systems can also be designed to elevate trust through the use of digital certificates and digital signatures, all backed by public key infrastructure (PKI) security. They can incorporate One Time Password (OTP) tokens and biometrics to comply with DEA and HIPAA requirements for Electronic Prescription of Controlled Substances (EPCS), and the same systems can also be used to protect patient records and data, implement secure access to facilities, and authenticate remotely to VPNs using mobile devices.
Indeed, unified platforms offer the opportunity to tie everything together and automate other manual workflows. The result is an end-to-end physical identity and access management solution that integrates with access control systems, logical identity and other internal applications so healthcare organizations can manage all types of physical identities and their details.
Truly converged access control will ultimately consist of a single security policy, one credential, and one audit log. The goal is a fully interoperable, multi-layered security infrastructure that is based on a flexible and adaptable platform. Such a platform will enable hospital administrators to preserve their investments as they grow, evolve, and continually improve their security capabilities in the face of ever-changing threats. The healthcare industry will deliver an improved patient experience, a more comprehensive security view, and a more coordinated approach for protecting privacy while controlling access to patient data, electronic prescriptions, equipment and facilities.
The Power of Convergence
One of the first places where this convergence is happening is with the combination of physical and data security onto a single credential. In much the same way that users are gravitating to mobile solutions, in part because they like how those solutions interconnect their digital world, so too are healthcare institutions embracing converged credentials. Users want to do far more with their trusted identity credentials than just open doors, especially when they also must access healthcare records, electronic prescriptions for controlled substances (EPCS) systems and other hospital systems many times each day.
Healthcare institutions are among the first to harness the power of converged credentials. Many are using a cloud-based model to provision IDs and perform authentication for physical and logical access control, and for managing EPCS. The next step is to migrate to convergence solutions that pull everything related to identity management into a unified system capable of granting and managing access rights.
The convergence trend will drive the adoption of PIAM software to unify identity lifecycle management by connecting the enterprise’s multiple and disparate physical access control systems (PACS) and IT security systems to other parts of the IT ecosystem such as user directories and HR systems. PIAM software works with existing hardware and infrastructure to collect, collate, store, process and analyze identity and other data from multiple security and non-security solutions, becoming the hub for all these systems while also tying in key external services for running background checks or verifying the identities of visitors and others.
A single PIAM solution standardizes identity management for employees, contractors, visitors, suppliers, tenants and vendors, enabling organizations to manage all identities and issue credentials across all buildings, systems, permissions and associated workflows, regardless of the underlying access-control system at any given location. Visitor management is a particularly important element to consider when assessing hospital security—ideally, hospitals should integrate visitor management software with real-time patient feeds, preregistration information and the hospital’s access control system, and then use PIAM software to standardize identity management while tying in external services.
PIAM software also enables PACS to connect to cloud-based card issuance systems and wireless locks, and to location-based services that enable healthcare institutions to know where people and assets are in the building. Unifying identity management in this way improves efficiency and security while facilitating new IoT use cases that connect the world of people with the world of things.
Protecting the Connected Hospital
When healthcare administrators deploy new IoT capabilities, they must be confident patients will be safe. Today’s real-time and proximity-based location technologies create a trusted environment for connecting, monitoring and managing patients, mobile clinicians and staff. They include a cloud service, portals and Bluetooth beacons in the form of smart cards, and provide a one-card solution for both indoor positioning services and physical access control. Their cloud-based model and minimal hardware requirements also eliminate the expensive infrastructure setup of antennas, servers and wired infrastructure to further reduce total cost of ownership. Installation simply entails plugging in AC-powered BLE/WiFi gateways and then providing staff with the smart card beacon.
A big benefit of location-based services is the deeper analytics they provide around the movement of personnel in a hospital building. This provides better insights for optimizing usage of facilities, common areas and individual exam and other rooms, as well as workflows in emergency departments and clinical operations. The proximity-based services verify when personnel are near a given area for use cases such as monitoring staff check-in and check-out. They also help organizations meet health and safety regulations by monitoring room occupancy.
Location-based services also can include visitor awareness capabilities to achieve a complete solution for checking in visitors, running background checks, managing identities and issuing credentials. The services also provide wayfinding for patients and visitors navigating the hospital, and historical information about where visitors and other people have been in the building in the event of an emergency, security breach or theft. Additionally, they can help staff to more efficiently manage physical assets, including quickly locating critical medical equipment, beds, crash carts and other medical devices, by providing the missing link between these assets and a trusted ecosystem.
Another emerging IoT trend in healthcare is the use of digital certificates to secure hospital assets such as IP-based video surveillance cameras so they are not vulnerable to cyberattacks. Until now, these security cameras connected to the IoT were vulnerable to hackers who could compromise them and gain access to an organization’s IT infrastructure. Now, they can be turned into trusted edge devices in the IoT through the use of digital certificates. Embedding certificates into these items provides a way to authenticate them and to encrypt the data traffic flowing between them.
The future of connected health may be even brighter in the home. The combination of NFC tags, mobile apps, cloud authentication services and web applications simplifies “proof of presence” by making it easier to document the time, location and accurate delivery of prescribed care. This is helping to drive growing adoption of electronic visit verification (EVV), which helps streamline in-home patient visits, ensure security and patient privacy, and eliminate billing fraud.
Reducing Risk
One of the most promising weapons in the fight against healthcare fraud, malware and data breaches is real-time risk profiling technology that protects against both established and recent threats that target users both online and on mobile devices. Today’s risk management solutions protect a wide variety of transaction systems and sensitive applications, providing a combination of evidence-based capabilities and behavioral biometrics supported by machine learning. They offer a highly promising way for hospitals to detect phishing, malware and fraudulent medical or financial transactions, and to prevent medical account takeovers and session stealing.
There is a revolution underway in healthcare that is spurring active investment in the security infrastructure. Administrators are prioritizing their expenditures to fuel key initiatives, including adopting a seamless trusted identity management experience that fights cybersecurity threats while streamlining compliance and ushering in exciting new connected health capabilities, from the hospital to the home.
This article originally appeared in the September 2018 issue of Security Today.