Five reasons why healthcare organizations should rethink authorization
The healthcare industry suffers 340% more security incidents and attacks than the average industry.
In a US Department of Health and Human Services brief, the agency noted that electronic health records (EHRs) have a wide range of benefits that improve the quality of care.
However, they also stated that an EHR is “valuable to cyber attackers because of the Protected Health Information it contains and the profit they can make on the dark web or black market.”
The records are so valuable because they contain protected health information of patients which can include names, birthdates, account numbers, Social Security numbers, health plan information and biometric identifiers.
A Health Insurance Portability and Accountability Act (HIPAA) Journal report shows that over seven million records were compromised through unauthorized access.
These incidents were caused by employee errors, employee negligence, snooping on medical records, and data theft by malicious insiders. The number of incidents could have been reduced by having a proper authorization solution.
Authorization gives a person the ability to access a resource at a specific time based on policies or attributes that are put in place.
Here are five reasons why healthcare organizations should rethink authorization.
1. Reduce risk with strong identity security controls
The HIPAA Journal reported that between 2009 and 2021 there were 4,419 healthcare data breaches that involved 500 or more patient records. Plus, the annual number of breaches has nearly doubled from 368 in 2018 to 714 in 2021.
To protect sensitive data in EHRs and prevent disruption to patient care you can utilize a Zero Trust framework. The mantra of Zero Trust is to “Never Trust, Always Verify,” which can help prevent unauthorized access to health data.
Per the NIST framework, this can be achieved by implementing attribute-based access control (ABAC). The who, what, where, when and why attributes are essential to ABAC and to Zero Trust.
Through ABAC, a Zero Trust implementation leverages these types of attributes (and others) to ensure the appropriate level of access is given in line with the amount of risk an organization is comfortable with.
Cybersecurity is an important part of the HIPAA bill that requires the HHS to incentivize healthcare organizations that adopt a well-known cybersecurity model, such as Zero Trust. Yet a study reported that only 41% of organizations have deployed a Zero Trust architecture.
2. Reduce excess access
Many people have more access than they should across different applications. This raises the risk of your data being compromised by malicious insiders.
A way to mitigate the risk is to use an attribute-based access control (ABAC) solution which plays into the concept of least privilege where a person should only have access to the data, resources and applications needed to complete their task.
ABAC makes access decisions in real-time at the point of access, each time, based on attributes at the exact point in time. Some of the attributes looked at include:
- Location
- Device in use
- Time of day
- Purpose of use
- Data source
These attributes are used to enforce access to data in line with corporate policies and regulations.
This means sensitive data can only be accessed and used by those that have permission to do so and under the correct conditions, which can lower the risk.
EHRs are also exposed to the highest number of stakeholders. The electronic health matrix spans multiple roles and third parties – from insurance advisors and claims adjusters, to MDs, surgeons and nurses, to clinic receptionists and pharmaceutical retail outlets.
With all these stakeholders touching a health record at any given time, dynamically managing who can see what, from where and for what reason is critical.
3. Reduce IT burden
A study done by SailPoint shows that IT professionals in healthcare spend over a third (38%) of their time managing access and permissions for all identities in their organization. On average it takes two days to fulfil an access request, whether that is changing an existing worker’s access or setting up access for a new worker.
When looking at the process of recertification, it can take many days and pull those working on it away from more strategic work.
A way to reduce the burden on the IT department is to automate the manual processes.
An ABAC solution makes access decisions in real-time at the point of access, each time, based on the attributes collected at that exact moment. This makes recertification and access control a quick activity, reducing the burden on the IT department.
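As an added illustration (not code from the original article or any vendor product), the following Python policy decision point evaluates an EHR access request against the attributes discussed in points 2 and 3: role and purpose of use, patient assignment, location, device, time of day and data source. The roles, attribute values and rule thresholds are constructed assumptions, and the default decision is deny.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed ABAC policy decision point for EHR access (illustrative only).
# Attributes mirror the ones listed in the text: location, device in use,
# time of day, purpose of use and data source (record type). Deny by default.

ROLE_PURPOSES = {                      # purpose of use each role may claim
    "physician": {"treatment"},
    "nurse": {"treatment"},
    "claims_adjuster": {"payment"},
}
ROLE_RECORD_TYPES = {                  # data sources each role may read
    "physician": {"clinical", "billing"},
    "nurse": {"clinical"},
    "claims_adjuster": {"billing"},
}

@dataclass(frozen=True)
class Request:
    role: str
    assigned_patients: frozenset   # care-team / case assignments of the user
    patient_id: str                # patient whose record is requested
    record_type: str               # "clinical" or "billing"
    location: str                  # "onsite" or "remote"
    device_managed: bool           # organization-managed device?
    hour: int                      # 0-23, local time of the request
    purpose: str                   # stated purpose of use

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request at the point of access; every rule must pass."""
    if req.purpose not in ROLE_PURPOSES.get(req.role, set()):
        return False, "purpose of use not permitted for role"
    if req.record_type not in ROLE_RECORD_TYPES.get(req.role, set()):
        return False, "data source not permitted for role"
    if req.patient_id not in req.assigned_patients:
        return False, "no assignment to this patient (least privilege)"
    if req.location == "remote" and not req.device_managed:
        return False, "remote access requires a managed device"
    if req.role == "claims_adjuster" and not 8 <= req.hour < 18:
        return False, "billing access limited to business hours"
    return True, "all attribute checks passed"

if __name__ == "__main__":
    # A nurse opening the chart of a patient not on their care list (snooping).
    print(decide(Request("nurse", frozenset({"p1"}), "p2", "clinical",
                         "onsite", True, 10, "treatment")))
```

Because the decision is recomputed from current attributes on each request, a change in assignment, device or location takes effect immediately without a manual recertification cycle.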
4. Achieve a state of continuous compliance
Healthcare organizations must adhere to regulations and compliance mandates such as HIPAA in the US, General Data Protection Regulation (GDPR) in the EU, Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and others while providing a seamless user experience.
Organizations also have to consider isolated authorization, a process by which authorization is hard-coded and customized for each application. As this is application and use-case specific, it creates a silo from the rest of the organization and, as a result, there is no standardized approach to authorization.
This leads to an unscalable strategy, increased cybersecurity risks, and a lack of visibility from the business to verify that they are staying compliant.
Legacy authorization models that rely on role-based access control (RBAC) can fail to ensure users only have access to what’s needed.
This falls into our point above that people have more access than what’s required to do their job. This can also cause organizations to find themselves struggling to comply with data regulations.
Meeting regulatory requirements becomes easier when ABAC is running in real-time. It also aligns with frameworks such as those from the National Institute of Standards and Technology (NIST) and can meet the other regulatory requirements mentioned above.
5. Avoid fraud and both financial and reputational damage
Healthcare continues to be the industry that has one of the highest costs of data security breaches with a $10.10 million average cost of a data breach according to the annual Cost of Data Breach report.
This is an increase of 12.7% since their 2020 report. The United States had the highest cost of breach being an average of $9.44 million. This can be minimized by ABAC as it controls who can access what data and for what reason at all times.
The report also showed that breaches cost more for entities without Zero Trust policies – they incur an average of $1 million in greater breach costs compared to those that do deploy.
Take the next step
Cost amounts in this article are measured in US dollars (USD).