Electronic Health Reporter

Guest post by Rachel Weeks, director at Courion Corp.

Medical records are confidential. Until a breach occurs and they are let loose on the public, which occurs more often than we think. We need to do better.

According to Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, more than nine in 10 healthcare organizations have had at least one data breach in the past two years. Nearly half have had more than five data breaches in the same period. Breaches cost organizations more than $2 million on average over a two-year period, and the cost is rising. The potential annual cost is nearly $7 billion.[1]

As privacy and security concerns grow and technology becomes more sophisticated, you’d imagine breach rates would be on the decline. But more healthcare organizations are being victimized more often, according to the study, and most aren’t sure they can prevent or quickly detect all patient data loss or theft.

One contributor: data is simply becoming harder to control.

“Technologies that promise greater productivity and convenience such as mobile devices, file-sharing applications and cloud-based services are difficult to secure,” says the report. “Employee mistakes and negligence also continue to be a significant cause of data breach incidents. Another worry presented in this research is that sophisticated and stealthy attacks by criminals have been steadily increasing since 2010.”

You can’t blame the IT staff. There’s far more going on in the average healthcare organization than staff can reasonably handle.

Change is overwhelming

For years healthcare organizations have looked to traditional identity and access management (IAM) solutions to optimize efficiency and secure access to sensitive data. These IAM implementations typically started with user provisioning, a process that put controls in place to ensure users were given only the access rights they needed to do their job. Then, for governance, the organizations would perform periodic reviews or certifications – say, every three, six, nine, 12 months – to validate that those access rights were in line with policy.

But so much change can occur in the months between provisioning and certification: business changes, infrastructure changes, regulatory changes, new resources coming online, new roles and policies, not to mention hirings, firings and transfers, particularly in the healthcare industry with thousands of employees and many more contractors and affiliates. This creates an overwhelming amount of data detailing who has access to sensitive patient information. We call these intervals between provisioning and certification the “IAM security gap.”

As the Ponemon study says, “Many healthcare organizations struggle with a lack of technologies, resources and trained personnel to deal with privacy and data security risks.”

That’s an understatement.

However you characterize it, the IAM gap leaves an organization’s sensitive company information at risk to a range of threats, both internal and external. It can be months from the time someone gains inappropriate access rights or inadvertently accesses sensitive data to when the organization is able to discover it through periodic certifications. To date, existing IAM approaches have not provided the technology and flexibility to get a real-time view of policy and governance violations to help organizations efficiently manage the risk of improper access to patient data.

Closing the IAM Gap

Bridging the abyss between provisioning and certification requires clear understanding of what is actually happening in those billions of constantly changing access relationships created by changing people, computing resources, rights, duties and company policies. The challenge is somehow processing what human minds, or even relational databases, cannot. What’s missing is a real-time holistic view of access risk. The missing ingredient is access intelligence.

The only way to achieve access intelligence is by aggregating all the IAM data – the identity policy, activity, entitlement and resource data generated via those billions of constantly changing access relationships – into a data warehouse just like the ones you use for business intelligence in other areas of the organization. The data warehouse should embody advanced information security, policy and governance domain expertise. Then you need to constantly apply predictive analytics to that data to analyze access risk throughout your entire organization – literally every two minutes or so. Properly constructed, an access intelligence system like this can uncover deeply embedded policy violations or improper access. It can generate instant alerts on those violations, or produce graphical “heat maps” spotlighting looming risks and security breaches.

A system like this helps you find the needle in the haystack you wouldn’t otherwise discover. For example, a nurse might be authorized to search and retrieve his hospital’s pediatric records, but if he is suddenly retrieving records from oncology, dermatology and urology, well, that’s a potential problem that won’t show up without powerful analytics.

Such an access intelligence system can help healthcare organizations:

• Identify risk in real time.
• See where the greatest vulnerabilities lie.
• See how access risk is changing.
• Understand what is driving the risk.
• Immediately remediate the risk.
• Detect risk trends.
• Predict future areas of risk.
• Implement policies and preventive measures.
• Fix the fundamental business process issue that creates security gaps before they become a problem.

With luck, Ponemon will have less to report in the years to come.

Rachel Weeks is a director at Courion Corp., the leader in risk-driven identity and access management.