Written by: Marianne Kolbasuk McGee

As cyberattacks continue to surge, federal regulators are reminding healthcare organizations of the importance of implementing strong identity and access management practices, policies and controls.

The Department of Health and Human Services’ Office for Civil Rights, in a cybersecurity e-newsletter issued this week, advises HIPAA-covered entities and business associates to carefully examine their policies, practices and controls for accessing electronic protected health information.

Critical Issue

“OCR is correct in highlighting access as the key,” says an LBMC Information Security representative. “OCR is also focusing on … identity … as the new perimeter. As providers move into the cloud, this will result in even bigger problems unless this is proactively addressed.”

Unfortunately, investing in secure IAM hasn’t been as big a priority in healthcare as it is in other sectors. But that’s changing because threat actors are increasingly targeting healthcare organizations and because new regulations, including those tied to the 21st Century Cures Act, are requiring providers and payers to create new APIs to share patient data. 

“Roles and role-based access control have unique challenges for healthcare providers.”
—LBMC Information Security representative

LBMC cautions, however, against relying on IAM technology to “solve a broken process.”

Healthcare organizations must “understand their current state of IAM, formulate their future state and define the use cases, processes and governance structures that the IAM program will manage. This is all before a technology is evaluated.”

To read the full article, visit the Healthcare Info Security site at https://www.healthcareinfosecurity.com/its-time-to-reassess-iam-in-healthcare-a-17081.