New H-ISAC Guidance Underscores the Importance of Identity-First Security

Late last year, the Health Information Sharing and Analysis Center (H-ISAC) released a new white paper focused on interoperability to help CISOs and other technology decision-makers navigate the 21st Century Cures Act. The Cures Act includes a series of interoperability mandates that require healthcare organizations to implement new APIs designed to facilitate increased digitization of electronic health information (EHI).

Security Challenges for Healthcare Organizations

In today’s healthcare environment, patients expect to have access to their healthcare data, and providers need to share this data not just with patients but with other healthcare organizations as well. At the same time, a Medical Group Management Association (MGMA) survey indicates that 97% of healthcare leaders have expanded their telehealth access since the start of the pandemic. Interacting securely with patients and patient data, without that data falling into the wrong hands, is critical, yet the new interoperability mandates introduced by the Cures Act have created additional challenges for the healthcare industry. The new guidance from H-ISAC suggests that healthcare organizations can address those challenges by shifting to a more identity-focused approach to data sharing.

Healthcare Remains a Prime Target

Cyberattacks are on the rise, and healthcare remains one of the most valuable targets for attackers. The annual IBM/Ponemon Cost of a Data Breach report found that an average breach cost victims nearly $4 million last year, rising to $7.13 million in the healthcare industry. Today’s attackers are not only after money or financial data; they recognize that personal information can be just as valuable, and healthcare data in particular. As a result, a growing number of attackers are focusing their efforts on the industry, and providers are struggling to keep up. The Cures Act, while well-intentioned, has forced healthcare organizations to account for another variable amid an already complex situation.

H-ISAC’s Guidance

Fortunately, H-ISAC’s guidance provides actionable recommendations for those organizations to follow. Some are straightforward—for instance, the guidance notes that multi-factor authentication (MFA) can add an extra layer of security. While MFA is not infallible, the best way to disrupt an attack is to make the adversary’s life harder. MFA adds another factor a would-be attacker must address. It is also worth noting that the government takes HIPAA violations seriously, and poor authentication mechanisms have resulted in fines for healthcare organizations in the past. At the very least, MFA can help demonstrate that the organization takes the issue seriously.

Ultimately, though, MFA is not a complete solution; identity-focused security must also be included. H-ISAC’s guidance notes that “strong identity solutions are the ‘key’ that keeps EHI secure,” and further notes that “healthcare organizations have an opportunity as they deploy more robust identity solutions to modernize the way they deliver healthcare, enabling new innovation that can improve patient experiences.” H-ISAC recognizes that by focusing on identity-based security solutions, today’s healthcare providers can keep EHI secure and take meaningful steps toward a complete digital transformation.

Embracing Identity-First Security in Healthcare

The H-ISAC guide identifies several challenges tied to identity:

  • Authentication and Access. Ensuring that only authorized parties can access EHI, detecting and defending against intruders, and ensuring that data can be shared and transmitted securely.
  • Authorization. Allowing patients to easily share records (or partial records) while also documenting consent.
  • Governance and Administration. Creating and managing digital identities and putting controls in place to determine appropriate permissions.
  • Patient Matching. Ensuring that the correct user is paired with the correct data, even if multiple patients have the same or similar names.

The guide notes that organizations must meet and overcome these challenges to comply with the Cures Act. Healthcare organizations must embrace identity-based security solutions that provide the required functionality. Identity security solutions that provide continuous visibility into exposures, together with Identity Threat Detection and Response (ITDR) solutions, have given organizations new identity tools to enhance their defenses. These solutions go further than traditional identity protection tools like Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) by providing greater visibility into areas like credential misuse, entitlement exposures, privilege escalation, and other weaknesses commonly exploited by today’s attackers. ITDR solutions specifically add detection of credential theft, credential misuse, and live attacks on Active Directory.

Closing Gaps Between Endpoint Security and IAM Solutions

There is no one-size-fits-all solution to the challenge of identity protection. Still, with increased visibility into identity exposures and IDR’s ability to detect and derail identity theft and exploitation, many of the gaps between endpoint security and IAM solutions can be closed. Used alongside tools like Endpoint Detection and Response (EDR), IDR provides the critical, identity-based component that hybrid working requires now that identity has become the new perimeter to defend.

As H-ISAC noted, a “robust identity infrastructure” can provide benefits that go beyond security. It can help organizations launch new health apps more quickly, integrate with other providers and partners, streamline workflows, simplify consent capture and management, empower patients to take greater control over their health data, and more. It can also help streamline, and secure, tools like telehealth, particularly as the MGMA survey indicates that security challenges such as file-transfer protocol vulnerabilities, endpoint vulnerabilities enabling data theft, and malware have all skyrocketed during the pandemic.

Looking Forward and Shifting Toward an Identity-Based Approach

H-ISAC says that “identity is a journey,” which is true. A growing number of organizations are shifting toward a more identity-based approach, and as hybrid working becomes the new norm and new regulations impact healthcare and other industries, that journey will continue. Fortunately, modern identity management tools have put powerful new resources in the hands of healthcare organizations for addressing challenges like authentication and access, authorization, and governance and administration. New identity security innovations have also made it easier to protect credentials, privileges, and the systems that manage them, regardless of where workers or patients are accessing that information from.

“As the healthcare industry focuses on digital adoption, identity will continue to play a foundational role,” the H-ISAC guide concludes. “Whether your implementation of a modern identity system is driven by regulatory and compliance requirements, security and privacy concerns, or a desire to improve customer experience, a well-architected, robust digital identity solution can address all of these drivers.”
