Framework for Managing Identity in Healthcare Introduced
H-ISAC Guidance Offers a Step-by-Step Approach
In response to the growing threat of identity-centric cyberattacks in healthcare, the Health Information Sharing and Analysis Center has published a framework for managing identity for the full work lifecycle of employees, practitioners, patients and business partners.
The white paper, H-ISAC Framework for CISOs to Manage Identity, lays out the groundwork for how to guard against common attacks on identity, lower risk and increase operational efficiencies.
Key steps, H-ISAC says, include creating identity directories and figuring out proper levels of authorization, authentication and access.
"The framework we've outlined is not a one-size-fits-all approach, however," H-ISAC notes. "Depending on your organization's particular environment or use cases, the framework components may be applied differently."
Keith Fricke, principal consultant at tw-Security, tells Information Security Media Group that an identity framework is a helpful way to teach correct procedures.
"Most organizations use one or more frameworks," Fricke says, although smaller facilities may lack the budget or staffing to implement the guidelines (see: NIST Issues Draft Guidance for Securing PACS).
The H-ISAC framework calls for creating an overarching identity governance and administration system to generate rules for adding, removing and altering identities and their associated accounts.
Such a system should grant and recertify access, manage privilege escalation requests, and investigate issues for compliance purposes when a problem arises, the white paper states. It should also remediate any misuse of identity and access management systems, including blocking or revoking access when potential misuse is detected.
Identity directories are another essential component, H-ISAC states. These should provide details about each identity, including roles, accounts, attributes and privileges.
The white paper also provides three guiding principles for authorization:
- Granting privileges: Users should be tightly governed in what they can access and do, in accordance with their roles, rights or responsibilities.
- Managing privileges: There needs to be a process for permissions or delegations to be granted or revoked as circumstances change.
- Review of privileges: As roles or responsibilities change, user rights should be reviewed to ensure that users are restricted only to the privileges needed.
Beyond Multifactor Authentication
H-ISAC says the framework recommends going far beyond multifactor authentication alone. It calls for a multilayered approach that covers both users and devices and leverages analytics and privileged access management to enable continuous, risk-based authentication.
When it comes to device security, Fricke says BYOD is an area of major concern. A personal device must be properly protected with MDM software with a sandbox to hold certain content, such as emails, so the user can be protected while on public Wi-Fi, he says.
H-ISAC also notes that once a device is authenticated, an organization must verify a user trying to access data is, in fact, the individual to whom that account has been linked.
"Passwords may play a role here, as part of a broader MFA authentication solution that uses a combination of knowledge-based (i.e., passwords), inherence-based (i.e., biometrics) and possession-based (i.e., security keys or certificates on a device using the FIDO standards)," H-ISAC writes.
Role of Analytics
Applying analytics can help ensure nothing is out of the ordinary when a device attempts to connect to a network and access data, the framework notes.
One method involves using geo-location information to make sure the same device does not try to connect from two widely separated places in a short time period. Analytics helps to ensure the credentials being checked by the system are not acting abnormally, H-ISAC says.
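As an added illustration of the geo-location check the framework describes (example code written for this page, not taken from the H-ISAC paper or the article), the following Python runs an impossible-travel test over constructed login events; the event format and the 900 km/h plausibility threshold are assumptions:

```python
# Added example: flag consecutive logins from the same device whose implied
# ground speed is physically implausible. Event format and threshold are assumed.
import math
from datetime import datetime

# Constructed sample events: (device_id, ISO-8601 UTC timestamp, latitude, longitude).
SAMPLE_EVENTS = [
    ("dev-001", "2024-05-01T08:00:00", 40.7128, -74.0060),   # New York
    ("dev-001", "2024-05-01T08:45:00", 34.0522, -118.2437),  # Los Angeles, 45 min later
    ("dev-002", "2024-05-01T09:00:00", 51.5074, -0.1278),    # London
    ("dev-002", "2024-05-01T13:00:00", 48.8566, 2.3522),     # Paris, 4 h later
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling (roughly airliner speed); faster is flagged


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (device_id, implied_kmh) for each pair of consecutive logins from
    the same device whose implied speed exceeds max_kmh."""
    last = {}  # device_id -> (timestamp, lat, lon) of the previous login
    alerts = []
    for device, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if device in last:
            t0, lat0, lon0 = last[device]
            hours = (t - t0).total_seconds() / 3600.0
            dist = haversine_km(lat0, lon0, lat, lon)
            # Two distant logins with zero elapsed time imply infinite speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((device, round(speed, 1)))
        last[device] = (t, lat, lon)
    return alerts


if __name__ == "__main__":
    for device, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {device}: implied speed {kmh} km/h exceeds {MAX_PLAUSIBLE_KMH}")
```

In production the same logic would run over the identity provider's sign-in log, keyed on the device or session identifier the directory records for each account.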
Another key element of an identity strategy is privileged access management, the framework says. PAM is designed to help protect an organization's most valuable information by using session monitoring as well as additional layers of authentication to ensure that credentials have not been compromised and that a privilege escalation situation is not taking place.