How IAM Addresses Healthcare Security & Compliance
In the previous two articles of my three-part blog series, I explored how healthcare organizations are relying on identity and access management to improve user experiences and support integrated healthcare delivery. In this last article, I share how IAM helps healthcare organizations increase security and ensure compliance.
Regardless of your industry, you can’t avoid all of the talk about customer experience (also commonly shortened to CX). As a healthcare organization, you may use different terms, like patient or member, to describe your “customer,” but this doesn’t diminish your need to deliver better user experiences than ever before.
There’s just one problem.
You must simultaneously manage the growing security risks that come with improved customer experience, not to mention navigate complex regulatory requirements. Providing the experiences your “customers” expect would be easy—or at least much simpler—if you didn’t also face these very real challenges.
I don’t need to tell you that prioritizing experience at the expense of security is not an option. As the steward of your members’ and patients’ PHI and PII, you take very seriously your responsibility to maintain the security of the data you protect. Integrated healthcare delivery and providing third parties access to sensitive health data adds another layer of complexity to your already long list of security concerns.
But you also can’t afford to ignore the need for improved experience in the name of maintaining security. Your patients and members are today’s consumers. They expect from you the same types of digital interactions and experiences they get from their favorite online retailer. Or, being the consumers they are, they can and will search for another option.
It may seem that you’re stuck between a rock and a hard place. But the answer isn’t found in choosing security over experience. The solution lies in striking a balance between the two. And you do this with identity and access management (IAM).
When you’re dealing with the management of medical records, plus the personal data attached to them, you have a lot on your plate. You’re also a prime target for a data breach.
According to the 2017 Verizon Data Breach Investigations Report, which provides insights into where and how data breaches are occurring, healthcare remains a top target. The very initiatives intended to improve patient and member experiences have also expanded the attack surface, as hundreds of new apps now handle sensitive PHI and PII.
Should you be the unfortunate victim of a breach, you’ll also face a hefty remediation effort. The per capita cost of a data breach in healthcare far exceeds that of other industries, as found in the Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview.
A comprehensive IAM strategy helps you ensure only the right people have access to the right things, without negatively impacting user experience. Your strategy should include enabling federated single sign-on (SSO) to your in-house and third-party applications. This minimizes credential reuse, while simultaneously providing one-click access to needed resources.
The addition of adaptive multi-factor authentication (MFA) allows you to control authentication requirements based on the risk associated with the access request. This gives you an optimal—and fully customizable—balance of security and experience.
Once users have gained access, you can use centralized access security policies to ensure they only gain access to the data they need. And IAM capabilities like centrally governed access to data ensure that app developers comply with precautions recommended by HIPAA.
Security and compliance go hand in hand. Among the many regulations you must comply with, the HIPAA Security Rule is specifically intended to ensure the security of health data and provide guidance on building a strong access control foundation.
HIPAA defines defense-in-depth controls, including user identification and authentication requirements, as well as administrative, physical and technical safeguards for PHI to ensure only “minimum necessary” access to health records is granted. Failure to comply can mean steep fines. These fines are issued by the Department of Health and Human Services per violation category and per year that the violation was allowed to persist.
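To make the two ideas above concrete (adaptive MFA that steps up authentication based on the risk of the request, and a centrally governed policy that grants only “minimum necessary” access to PHI), here is a small policy engine written as an added example. It is not Ping Identity code and not taken from the white paper; the risk weights, thresholds, factor names, role names and resource path shape (`patient/<id>/<category>`) are all illustrative assumptions, and the sample users and requests are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed example, not a vendor implementation. Two parts:
#   1) risk-scored adaptive MFA: decide which factors a request must present
#   2) centrally defined "minimum necessary" authorization for PHI resources


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]
    assigned_patients: FrozenSet[str]   # care-team relationships


@dataclass(frozen=True)
class AccessRequest:
    user: User
    resource: str            # assumed shape: "patient/<id>/<category>"
    action: str              # "read" or "write"
    device_known: bool       # device previously enrolled for this user
    network: str             # "corporate", "vpn" or "public"
    geo_anomaly: bool        # location deviates from the user's recent logins
    recent_failures: int     # failed logins in a recent window (assumed signal)


# Central policy: which roles may perform which action on each PHI category.
# "*" matches exactly one path segment (the patient id). Anything not listed
# is denied by default.
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "patient/*/demographics":   {"read": frozenset({"registration", "nurse", "physician", "billing"}),
                                 "write": frozenset({"registration"})},
    "patient/*/clinical-notes": {"read": frozenset({"nurse", "physician"}),
                                 "write": frozenset({"physician"})},
    "patient/*/billing":        {"read": frozenset({"billing"}),
                                 "write": frozenset({"billing"})},
}
CLINICAL_CATEGORIES = {"clinical-notes"}   # also require a care-team relationship


def _matches(pattern: str, resource: str) -> bool:
    """Segment-wise match so '*' cannot swallow extra path components."""
    p, r = pattern.split("/"), resource.split("/")
    return len(p) == len(r) and all(a == "*" or a == b for a, b in zip(p, r))


def risk_score(req: AccessRequest) -> int:
    """Sum weighted risk signals. Weights are illustrative, not a standard."""
    score = 0
    if not req.device_known:
        score += 30
    if req.network == "public":
        score += 20
    elif req.network == "vpn":
        score += 5
    if req.geo_anomaly:
        score += 25
    score += 5 * min(req.recent_failures, 5)
    return score


def required_factors(req: AccessRequest) -> List[str]:
    """Adaptive MFA: factors this request must present before it proceeds."""
    score = risk_score(req)
    touches_phi = req.resource.startswith("patient/")
    if score >= 50:
        return ["password", "phishing-resistant"]   # e.g. a FIDO2 authenticator
    if score >= 20 or touches_phi:
        return ["password", "otp"]                  # step up for moderate risk or any PHI
    return ["password"]


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Minimum-necessary check: role permits the action, and clinical data
    additionally requires the user to be on the patient's care team."""
    parts = req.resource.split("/")
    if len(parts) != 3 or parts[0] != "patient":
        return False, "unknown resource shape"
    _, patient_id, category = parts
    for pattern, actions in POLICY.items():
        if _matches(pattern, req.resource):
            if not req.user.roles & actions.get(req.action, frozenset()):
                return False, f"role not permitted to {req.action} {category}"
            if category in CLINICAL_CATEGORIES and patient_id not in req.user.assigned_patients:
                return False, "no care-team relationship with patient"
            return True, "allowed"
    return False, "no policy for resource"   # default deny


def decide(req: AccessRequest, presented: FrozenSet[str]) -> Tuple[str, str]:
    """Authenticate (with step-up) first, then authorize."""
    missing = [f for f in required_factors(req) if f not in presented]
    if missing:
        return "step-up", "additional factors required: " + ", ".join(missing)
    ok, reason = authorize(req)
    return ("allow" if ok else "deny"), reason


if __name__ == "__main__":
    nurse = User("n1", frozenset({"nurse"}), frozenset({"p123"}))   # constructed sample
    req = AccessRequest(nurse, "patient/p123/clinical-notes", "read", True, "corporate", False, 0)
    print(decide(req, frozenset({"password"})))          # step-up: otp required for PHI
    print(decide(req, frozenset({"password", "otp"})))   # allow
```

The decision order matters: the step-up happens before any authorization result is revealed, so a caller cannot probe the policy with unauthenticated requests, and a resource with no matching policy entry is denied rather than silently allowed.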
An IAM solution capable of satisfying HIPAA precautions will include identity federation and single sign-on to enable scalable and secure user authentication throughout the environment. This supports enforcement of authentication policies to ensure that only the right people have access to the right resources and information.
To learn more about how you can leverage the Ping Identity Platform to manage HIPAA compliance and security, read the Seamless and Secure Healthcare Delivery white paper, authored by Drew Labo, HIPAA privacy and security expert.