What to know about implementing single-sign-on and multifactor authentication
Photo: Imprivata
Striking the right balance between complex passwords, security and workflow efficiency is a big challenge for healthcare CISOs and CIOs. The rising number of publicly reported breaches shows the need to balance all three.
Healthcare security leaders no longer can rely upon just firewalls to protect the four walls of their organizations. For example, they need to control access to customer data, systems and other information at each point of entry – each device and each user – with complex passwords that are much harder to hack.
Healthcare IT News interviewed Wes Wright, CTO at Imprivata, a digital identity company, to dig into eliminating security friction, integrating compliance and security steps into end-user workflows, augmenting complex password policies with multifactor authentication (MFA), and making security "invisible" to the end user.
Q. How can healthcare chief information security officers and CIOs eliminate the friction in the security process that users often dislike?
A. In the past, healthcare IT professionals were guilty of making clinical teams jump through cybersecurity hoops. CISOs and CIOs always are thinking about and implementing security measures across their organizations because it is integral to their responsibility to defend the network.
Clinicians are not in this mindset, however; so, to them, security measures are something to work around and find shortcuts for if they stand in their way. It's in a clinician's nature to find the quickest way to deliver care to a patient, especially in an urgent setting like the emergency room.
If you talk to any healthcare organization, you will most likely find this "security friction" where cybersecurity measures are viewed as obstacles to patient care. It's up to CISOs and CIOs to align their clinical and IT teams to see eye to eye; after all, any team can agree they don't want their hospital to undergo a cybersecurity incident or diminish patient care.
Some of this friction can be overcome by educating teams about the true cost of ransomware to healthcare provider organizations. According to IBM, the average cost of a healthcare data breach is $9.24 million.
And while the financial sticker price would take a toll on any organization, it doesn't even scratch the surface of reputational damages that result from a data breach. And no price can be put on lost, stolen and compromised patient records.
Having conversations around patient safety also is key to eliminating security friction. IT systems in a hospital need to be up and running for clinicians to be able to access patient information when they need it. When they come together, IT and clinical teams can combine their expertise and agree on innovative, efficient and safe ways to promote network security and patient safety.
Q. How can health IT security leaders integrate compliance and security steps into end-user workflows?
A. Implementing a digital-identity framework that caters to the uniqueness of the healthcare industry is critical to integrating compliance and security into end-user workflows.
Just some of the nuances that need to be taken into account include protecting sensitive patient electronic health records, accounting for mobile devices to be used by multiple clinicians throughout shift changes, and implementing telehealth and digital health services. Choosing a technology vendor that understands these challenges will only help maintain security and compliance.
Security also needs to be built into the technology a hospital uses – otherwise, security features that are add-ons can lack the seamless functionality required for tight cybersecurity defenses. Devices and workstations that have technology such as single-sign-on [SSO] and multifactor authentication will help clinicians adopt security practices as part of their daily activities.
SSO helps dispense manual password input and leaves the remembering of complex passwords to the technology. And MFA helps to ensure users are who they say they are – in a natural and seamless fashion – before giving them access to sensitive information.
Both of these security measures are secure, compliant and efficient, which is most critical to clinicians taking care of patients. SSO and MFA allow clinicians to access applications and devices with a badge tap, fingerprint or other biometric, avoiding a long and tedious process that takes away from clinicians' time to give patients care.
Any security and compliance steps that will be used by end users need to be specific to the healthcare industry, show intrinsic value and balance efficiency.
Q. You suggest augmenting complex password policies with multifactor authentication. What are the pros and cons here?
A. Even with strong passwords, hackers primarily use passwords to get access to sensitive information. That's why it's important to pair the password-management functions of SSO with MFA to give healthcare organizations an extra layer of security as end users access the system. With a broad range of innovative methods, such as finger biometrics or hands-free authentication, this extra step combines security with convenience.
While MFA is a strong tool for enterprises, it also brings some unique challenges that healthcare organizations need to consider to make sure workflows aren't disrupted. That means using MFA across the entire enterprise, including for remote access, EPCS [electronic prescription for controlled substances] and key clinical workflows.
Ultimately, MFA is part of what provides that secure, auditable chain of trust wherever, whenever and however users interact with systems, such as EHRs, that involve patient records within the healthcare organization.
Q. CISOs and CIOs know their organizations want less complexity, not more; so, balancing security and convenience is paramount. How can healthcare organizations make security "invisible" to the end user?
A. The key is making technology seamless. What makes the combination of SSO and MFA great is that it keeps things less complex but still delivers cyber protection. It's a win-win for healthcare organizations as they balance security and workflow efficiency.
While CISOs and CIOs need to protect their organizations, they also need to make sure security measures don't frustrate clinicians. So, users need to have the flexibility with authentication methods to find the one that's the best fit for their workflow.
Many organizations have multiple authentication technologies for different workflows, but what they need is a single platform for enterprise-wide identity and authentication management. That way, you're improving efficiency and keeping clinicians happy while streamlining authentication management and security-policy enforcement for IT.
Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.