The healthcare industry’s identity security diagnosis

Ensuring identity security in the healthcare industry is vital post-pandemic, as the NHS faces more cyber threats than ever. Here’s how we can better protect healthcare data

The healthcare industry faced an unprecedented challenge during the Covid-19 pandemic. All efforts needed to be focused on saving lives and protecting staff as much as possible. However, as the peak of the crisis is – mercifully – over, the industry is far from making a ‘speedy recovery’. The next challenge is ensuring cyber safety, says Gregg Hardie, the Public Sector Director at SailPoint.

We are seeing cyber-attacks on health bodies on the rise. In August for example, an NHS software supplier was attacked, leaving call handlers for the NHS 111 service working on paper. 

One of the reasons the healthcare industry can be vulnerable is because of the sheer volume of people involved. In the UK, for example, the NHS is one of the largest organisations in the country, and the fifth largest employer in the world, with thousands of vacancies across nursing, clinical and admin roles at any one time. Keeping a close eye on all employee’s security access and permissions can often be a cause for IT pain points, if it’s not managed properly. Any cracks like this in outdated management systems signal an opportunity for cybercriminals to slip through. 

However, despite the increased risk of security threats to consider – like ransomware attacks or data breaches – the healthcare industry is not helpless. By leveraging smarter, AI-based technology, the industry can not only better defend and safeguard its confidential data, but also provide clinicians with faster and more secure access to the right documents. This means they can get on with the most important job: caring for patients, without delay.

So, what is the best way to manage identity security in healthcare, to protect the industry in the long term?

Access to a more secure health system 

In the past, management technologies like single-sign-on (SSO) were the primary method that healthcare organisations relied on to support and stabilise their identity security policies. Then the Covid-19 pandemic hit. This highlighted the variety of process gaps the industry had when it came to both managing and securing the access of clinical staff, ranging from those working in hospitals, to external consultants, specialists, and contract nurses. 

Now is the opportunity for healthcare organisations to recognise the benefits of a more holistic and comprehensive identity security policy. The aim should be to find a careful balance between controlling access and safeguarding data. Therefore, granting permission to sensitive information must be carefully managed, only as much as roles and responsibilities allow – no more, no less.  

AI is the unsung technology hero

In any industry, it is a challenge to manage identity security manually, given frequent employee changes, staff moving departments and employees joining and leaving organisations regularly. Now imagine how hard identity security becomes when you have 1.3 million NHS workers to keep track of! AI can provide a quick and efficient solution. By utilising this technology as the foundation of an identity security programme, healthcare organisations are able to gain visibility and insights to automate access across complex identity populations, applications, and data.

AI-based identity security has the capability to look at clusters of identities and commonalities to grant access based on peer attributes and positions. Take user access templates, for example. These templates are a standard set of access levels for different users; for example receptionists, nurses and doctors will all have different access levels to sensitive information. The leading security teams that are using AI-based identity security today are evaluating these templates more effectively across broad sets of clinical positions or roles. This also allows you to identify effective ways to reduce the number of templates required, creating a more effective electronic health record access programme, and simultaneously reducing the chance of a breach.

Achieving operational efficiency 

Once AI-enabled security programmes are in place, healthcare organisations can realise cost benefits and operational efficiency. Considering the incremental year-on-year cost increase of cybersecurity insurance, rapidly expanding clinical services, adoption of remote workforce strategies, and onboarding of IoT devices, the need for adopting an identity security programme becomes glaringly obvious.

The pandemic has shone a light on cracks within the healthcare industry’s IT systems. But having an enterprise-wide identity security programme can not only enable immediate value to healthcare IT leaders internal ‘customers’ (i.e., clinical staff). Most importantly, it can allow clinical staff to focus their attention on patient care, rather than struggling to securely gain access to core electronic health records necessary to do their job. 

Building the foundations for Zero Trust 

By leveraging smart AI technologies today, we are helping to support the industry’s overall identity security posture for tomorrow. This will help healthcare organisations meet the regulatory demands as well – like the Data Protection Security Toolkit (DPST) in the UK, and to move towards a Zero Trust model. 

Identity can essentially delegate and grant implicit trust for clinical staff, allowing them access to a variety of clinical systems and sensitive personal health data. In an industry where time can mean the difference between life and death, the technology enabling clinicians to do their jobs must work as seamlessly as possible. 

On the road to recovery

AI-based identity security programmes are not just a ‘nice to have’ anymore. With rising cyber-attacks targeting the healthcare industry, they should be fundamental. With the UK government’s plan to embed more digital technologies and increase the functionality of the NHS App, ensuring identity security is in place will be a key foundation to ensuring security for all. Only with this at the core can the healthcare industry be well protected against the increasing threat landscape.