By Zach DeMeyer Posted August 10, 2019
Identity management is a practice that permeates through many industries. After all, in our technological age, an average employee at almost any organization needs to access a computer using a set of personal credentials. Healthcare identity management, for example, is extremely critical, and for good reason. Let’s see why.
Healthcare: Under Constant Attack
Identity management, when performed at the highest standard, is a considerable preventative measure for keeping an organization’s critical data, be it their own or that of their customers, safe. Healthcare organizations are among the top stores of critical personal information, with everything from medical records (obviously) to insurance, credit cards, and social security information on hand as well. So, it’s no surprise that healthcare organizations are also among the top targets for hackers, and are almost constantly under attack by bad actors. Here’s a brief overview on recent healthcare identity security breaches.
Recent Healthcare Breaches
These are the top 10 healthcare breaches of 2019, as of the beginning of August, reported by Health IT Security:
- American Medical Collection Agency, 25M Patients
- Dominion National, 2.96M Patients
- Inmediata Health Group, 1.5M Patients
- University of Washington Medicine, 973K Patients
- Oregon Department of Human Services, 645K Patients
- Wolverine Solutions Group, 600K Patients
- Columbia Surgical Specialist of Spokane, 400K Patients
- UConn Health, 326K Patients
- Navicent Health, 278K Patients
- ZOLL Services, 277K Patients
Health IT Security also found that, over the same period that the incidents above occurred, there were a total of 285 healthcare breaches, resulting in the compromise of over 31M people’s critical information. While the attack vectors of said breaches varied, 88% were attributed to some form of hacking, while 88 instances were directly caused by phishing. There’s no doubt that many were the result of laptop theft as well.
The Identity Management Cure
Identity management is an excellent safeguard against the onslaught of attacks against healthcare. In fact, one of the core healthcare compliance regulations, HIPAA, requires identity management as one of its main standards.
While there are many facets to identity management, there are several key steps organizations can take towards protecting their identities.
A core part of managing identities is managing and securing the credentials those identities leverage. For instance, by enforcing password complexity requirements, IT admins can make their end users’ passwords considerably less likely to be compromised in a brute force attack.
Multi-Factor Authentication (MFA)
Passwords can only protect an identity to an extent. Symantec found that 80% of breaches that occurred worldwide over the past few years could have been prevented by the introduction of an additional factor in the authentication process. Using MFA, such as time-based one time password (TOTP) tokens generated by a smartphone, a physical auth key (i.e. Yubikey, Google Titan), or even biometrics, hackers have a much harder time leveraging a set of compromised credentials to exploit a network.
If a bad actor finds a way to compromise a set of credentials, or even attacks from within the organization, then IT admins need to control what those credentials have access to. By authorizing end user access based off of role/privilege, including segmenting the network via VLAN tagging, admins can safeguard their more critical data, such as electronic protected health information (ePHI) data centers.
Full Disk Encryption (FDE)
Of course, a cybercriminal doesn’t even need to compromise a set of credentials to access ePHI. Simply by stealing a laptop of a healthcare employee, a hacker can transfer the system’s hard drive into another machine and harvest the data inside. Enforcing FDE on systems ensures that at rest data remains encrypted, keeping ePHI stored on the system safe from prying eyes. Although FDE generally falls under system management, it is intertwined with identity management as system access and ultimately data access is tied to the user’s identity.
A Comprehensive Solution
Password management, MFA, access control, and FDE are all excellent steps toward strong healthcare identity management and HIPAA compliance. Unfortunately, traditional identity management solutions are not optimized for all of these functionalities, requiring layers of added-on tooling in order to accomplish them all.
JumpCloud and Healthcare Identity Management
JumpCloud Directory-as-a-Service enables IT admins to manage their end user identities, as well as their access to systems, networks, applications, infrastructure, file servers, and more. IT organizations can use JumpCloud to enforce secure password management policies; MFA across Mac®, Linux®, applications and more; privileged access control; and FDE with BitLocker for Windows® and FileVault 2 for Macs, all with just a few clicks in a single cloud admin console.
You can explore these and the rest of JumpCloud’s features by scheduling a free personalized demo of the product today. If you’re the type that prefers getting your hands dirty, you can try JumpCloud risk-free for as long as you want, with ten free users that you can use forever. If you would like to learn more, please contact us; we would love to help.