Whilst the peak of the healthcare crisis due to Covid-19 is thankfully over, by no means are things ‘back to normal’ for healthcare organisations.
There are still multiple challenges to face around staff shortages, increasing waiting lists and pressure on emergency services. In the UK for example, the NHS is the fifth largest employer in the world with thousands of vacancies across nursing, clinical and admin roles at any one time. With 1.3 million workers to keep track of, in terms of access rights and responsibilities, this level of movement is a huge headache for both the frontline and back-office functions.
There are also increasing external security threats to consider like ransomware attacks or data breaches. It’s no mean feat to keep the organisation protected whilst also accelerating cloud adoption to support a remote workforce, enhance telemedicine offerings, improve patient access, and expand clinical partnerships.
With the NHS reporting new records for A&E wait times in June 2022, ensuring there are no delays for clinicians in accessing the crucial data they need is one way to help reduce wait times. Providing clinicians with secure access to the right documents means they can get on with the most important job: caring for patients, without delay. So, what’s the best approach to managing identity security in healthcare?
Why access management is no longer good enough
Traditionally, healthcare organisations relied upon access management technologies like single-sign-on (SSO) for their identity security policy. However, the Covid-19 pandemic shined a spotlight on a variety of process gaps when it came to both managing and securing the access of clinical staff, ranging from those working in hospitals, to external consultants, specialists, and contract nurses. Now is the time for healthcare organisations to realise the value and positive impact that a more holistic and sophisticated identity security programme can bring to their organisation. It’s crucial today to strike the careful balance between managing access plus securing that access for all identities, based on their role attributes or position within the healthcare organisation.
With a vast amount of identity data required to manage complex user populations (employed, contracted, and affiliated staff), combined with the consistent and quick changes in people moving in and out of organisations, it becomes a challenge to manage identity security programmes by simply throwing people at the problem.
In fact, it’s pretty much impossible to leverage manual processes to manage today’s clinical access requirements. Instead, by leveraging AI at the foundation of an identity security programme, we can enable healthcare organisations to gain visibility and insights to automate access across complex identity populations, applications, and data.
AI-based identity security has the capability to look at clusters of identities and commonalities to grant access based on peer attributes and positions. Here’s an example; user access templates. These templates are a standard set of access levels for different users, for example receptionists and doctors will have different access levels to sensitive information. Today’s leading security teams are using AI-based identity security to evaluate these templates more effectively across broad sets of clinical positions or roles. This also allows you to identify effective ways to reduce the number of templates required, creating a more effective electronic health record access programme, and simultaneously reducing the chance of inappropriate access.
The right identity security programme enables healthcare organisations to realise both cost benefits and operational efficiency. Considering the incremental year-on-year cost increase of cybersecurity insurance, rapidly expanding clinical services, rapid adoption of remote workforce strategy, and onboarding of IoT devices, the need for adopting an identity security programme becomes glaringly obvious.
As a result of their experiences over the past two years, healthcare IT leaders have had an ‘ah-ha moment’ realising that having an enterprise-wide identity security programme can deliver immediate value to their internal ‘customers’ (i.e. clinical staff) while rapidly increasing the overall security posture. Of course, the most significant and most valuable benefit is that clinical staff can focus on patient care versus struggling to securely gain access to the core electronic health records they need to do their job.
How identity fits in to the Zero Trust model
Improving the identity security posture is an important part of aligning towards cybersecurity frameworks, like the Data Protection Security Toolkit (DPST) in the UK, and to achieve a Zero Trust model. Identity plays a critical role across these security frameworks by ensuring implicit trust for clinical staff access to a variety of clinical systems and sensitive personal health data. The balance, however, is implementing and enforcing these security frameworks while reducing the friction between security and clinical caregivers. After all, the technology must work as seamlessly as possible to ensure clinicians face no delay in being able to care for patients; time is paramount.
Today’s identity security programmes are not just IT projects. They are enterprise-wide transformational opportunities that can help enable productivity and collaboration, with the ultimate goal of saving lives faster. With the UK government’s plan to embed more digital technologies and increase the functionality of the NHS App, ensuring identity security is in place will be a key foundation to ensuring security for all.
Gregg Hardie is Public Sector Director at SailPoint. SailPoint is the leader in identity security for the modern enterprise. Harnessing the power of AI and machine learning, SailPoint automates the management and control of access, delivering only the required access to the right identities and technology resources at the right time.