Digital Identity in a Zero-Trust Architecture
Imprivata recently hosted a thought leadership roundtable featuring members of the College of Healthcare Information Management Executives (CHIME) to discuss digital identity in a zero-trust architecture. Chief information officers (CIOs), chief information security officers (CISOs) and other digital health leaders discussed challenges in cybersecurity and solutions to protect patient information. CHIME President and CEO Russell Branzell moderated the roundtable, and Imprivata’s CEO Gus Malezis and Chief Technology Officer Wes Wright contributed to the discussion.
CHIME members participating:
- Vikrant Arora, Chief Information Security Officer, Hospital for Special Surgery
- George (Buddy) Hickman, Interim Chief Information Officer, San Ysidro Health
- Montie Hodge, Chief Information Officer, Appalachian Regional Healthcare
- Sri Bharadwaj, Vice President, Digital Applications, Franciscan Health
- Darrell Keeling, Vice President, Chief Information Security Officer, Parkview Health
- Fabricio Gamboa, Epic User Security Coordinator, Southern Illinois Healthcare
The onset of the COVID-19 pandemic became a catalyst for rapid transformation in digital health that had significant consequences for cybersecurity. The pandemic’s massive shift to remote work changed the contours of how healthcare organizations hold and access Protected Health Information (PHI). PHI can now be hosted on-premises, in the cloud, or at a partner organization, as health care can be delivered inside and outside of provider facilities. A distinct perimeter to protect PHI no longer exists. A firewall cannot seal all information within a distinct physical location, and as a result, healthcare organizations are facing complex new challenges in protecting patient privacy.
For maximum security, many healthcare organizations are taking an end-to-end approach to securing enterprise resource data. Effective solutions ensure that access is restricted to those with a legitimate need and privileges are streamlined to an absolute minimum. This principle of design, known as zero trust architecture (ZTA), is receiving national attention as government agencies move toward ZTA for maximum digital security. At this roundtable, participants discussed challenges surrounding digital identity and the opportunities presented by ZTA.
Current state of digital identity in healthcare
The fundamentals of digital identity in health care have not changed, according to roundtable participants.
“At the highest level, digital identity is an authentication that allows an external entity to have access to a resource in our internal digital environment,” said Sri Bharadwaj, VP, Digital Applications, Franciscan Health.
Though the task of authorizing access remains constant, “external” and “internal” no longer apply as geolocated terms, as they did ten to fifteen years ago when central data systems were located in buildings behind a firewall. Instead, organizations must now define “internal” to mean within a digital system that may be accessed from unlimited locations and devices, at any time of day or night.
Digital identity began in its earliest incarnations as a username and password and still frequently incorporates those elements. The multiplication of access points in digital healthcare, however, has encouraged the implementation of additional safeguards such as multifactor authentication, electronic prescribing for controlled substances (EPCS), risk-based and adaptive authentication, facial recognition, and more.
Healthcare IT teams now must strategize for the new layers required in digital identity for people at all points in the healthcare system.
“When we look at identity, we put it into two buckets,” said Vikrant Arora, CISO of the Hospital for Special Surgery. “We define the first as the workforce identity, which is how our employees, contractors, and partners are identifying themselves and accessing our IT resources. The second category is consumer identity, which includes our existing patients or potential patients—any consumer who is seeking access to one of our resources.”
Arora defined three fundamentals for both workforce and consumer identity:
- Compliance: adherence to regulatory requirements
- Security: guarding workforce identity from malicious users or rogue insiders and protecting consumers from fraud
- Convenience: giving consumers a digital experience that engages them and attracts their interest
Zero Trust Architecture
Digital identity is a key component of an influential design principle in security architecture—a principle known as zero trust.
Wes Wright, CTO for Imprivata, pointed out that the buzz words “zero trust” had been in circulation for two or three years before 2021, but then took center stage in national cybersecurity discussion when the Biden Administration’s Office of Management and Budget issued in September 2021 a draft federal strategy for moving the U.S. government towards a zero-trust architecture. The Cybersecurity and Infrastructure Security Agency (CISA) also released their Cloud Security Technical Reference Architecture and Zero Trust Maturity Model to guide and assist federal agencies in their implementation planning.
The National Institute for Standards and Technology (NIST) Special Publication (SP) 800-207 provides the following definition of zero trust:
Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
The new digital environment post-pandemic must be viewed as inherently compromised because of the high-risk presented by proliferating access points and users. Zero-trust architecture can answer the need to protect information in this transformed digital world.
“The first three pillars in zero-trust architecture are identity, credentials, and access management,” said Wright. “An organization needs those three in place to implement ZTA. So digital identity plays a huge part in zero-trust architecture.”
“Zero-trust architecture means you may have a pass to access information, but that pass needs to be renewed and refreshed at times in ways that assure you are who you say you are when you come knocking on that digital door,” said Buddy Hickman, Interim CIO for San Ysidro Health.
Arora agreed. “Zero-trust architecture is a continuous evaluation of where you’re coming from, what IP address you’re coming from, and what resources you’re accessing. It’s a combination of AI and ML that shows information such as whether a user has accessed this information in the past, which allows security teams to make decisions on the fly.”
Balancing better security with efficient workflow and budgets
A persistent challenge for healthcare organizations is that constant required logins and passwords can present significant barriers to smooth workflow in an industry where protected information must be accessed many times per day by frontline providers and staff.
“It can be challenging to implement tools that may add another touchpoint within the workflows of physicians and other care providers,” said Darrell Keeling, CISO for Parkview Health. “But zero trust and a focus on digital identity is going to help us move forward with any type of solution such as Bring Your Own Identity (BYOID), which could help lower risk associated with events such as onboarding and terminations.”
With many priorities always competing in an organization’s budget, digital health teams may encounter resistance to financial investment in security improvements, especially when the status quo seems adequate to those less aware of rising cyberthreats. But organizations are making progress as staff and board members become more informed about new risk in cybersecurity.
“I feel we’ve made strides in the right direction,” said Fabricio Gamboa, Security and Provider Coordinator for Southern Illinois Healthcare. “At this month’s board meeting, a couple of our board members thanked us for keeping the organization safe and secure, and asked, ‘What can we do to help you?’ That opens the door for building a better security foundation.”
For organizations that serve rural areas, digital improvements can involve additional challenges depending on the level of digital access available. But even where there may be considerable geographic distance between connections and less existing technology infrastructure, commitment and investment can produce great progress.
“We’ve invested significant dollars over the last few years in information technology,” said Montie Hodge, CIO at Appalachian Regional Healthcare. “And we’re now ranking in the top quartile of the CHIME Digital Health Most Wired rankings across the healthcare system. So, I don’t think we’re behind at all at this point. I think we’re actually leading in many ways.”
Identity replaces perimeter: lowering risk by limiting access
Organizations have now moved their chief line of defense from a physical perimeter to digital identity to answer the new mobility and fragmentation of the healthcare ecosystem.
As protection of PHI has become increasingly challenging without a perimeter, many organizations have supplemented their digital identity authentication with role-based access to limit the number of people in the workforce who can see protected patient data. Reducing the number of persons with access to PHI is an effective way to reduce the risk of bad actors or information misuse.
“We’ve just implemented a new EMR which in turn has brought true role-based access to us for the first time,” said Hodge. “We are in the process of implementing an identity access management product set right now across the organization, so that we can effectively manage onboarding, role change, and an excellent process.”
“Role definitions are key,” said Keeling. “We have many men and women in healthcare who are retiring, and the younger generations learned some of their IT knowledge in a short-form way that did not always impart the underlying concepts they would need to fully understand the system. So, it’s crucial to help personnel understand what they need access to (or don’t) and provide some training around those roles. They don’t need access to all the data in the business. As we continue to grow and bring in new, smaller health systems where staff has had broader access, we’re now working to educate them on why they can’t have that access that they had in the past.”
Turning zero trust into valid trust
The ongoing tension between security and ease of access during workflow means that many organizations are seeking solutions to ease digital identity while making it more reliable.
“The challenge is always about the balance between measured risk and where the organization is willing to make its investment,” said Hickman. “When it comes to the whole notion of implementing security tools, I’ve often heard it said by those who are responsible for physical security: Security is not convenient. Right now, in our industry, adding security takes additional work for everyone due to the workflow steps that usually are added on.”
The extra inconvenience and barriers to workflow caused by adding some types of security protocols are why some stakeholders in the healthcare industry may now be conditioned to resist the idea of raising security standards for digital identity. With that in mind, roundtable participants raised the question of whether the term “zero trust” perpetuates a similar negative connotation that staff may already be tempted to attach to higher security.
“We need a better term than zero trust,” said Russell Branzell, President and CEO of CHIME. “It’s too negative and emphasizes the dark view of security, when instead, we need to emphasize the positive effort to get the right people to the right data.”
Roundtable participants suggested alternative terms including “implicit trust,” “high trust,” and others, but two concepts rose to the top as most important to create a digital identity solution that would be acceptable across the industry as well as highly effective.
“We need to be looking at password-less solutions that make it extremely convenient for everyone, and yet more secure,” said Arora. “That way, we can assess identity and access continuously, but transparently.”
“You have to make security that is not a nuisance,” said Gus Malezis, CEO of Imprivata. “I don’t think security should be a trade-off with convenience. It should be built in, invisible, and convenient.”
The key to that convenience, Malezis states, is validation. “We need to have layers of trust: something that validates the digital identity to a high level of confidence, so we know who is asking for access and what their purpose is. And when we have that validated trust, we move beyond “zero trust” to a functional, efficient, affordable model, so security does not have to be traded off for convenience. No one needs to compromise productivity and workflow for compliance and cybersecurity: instead, the bar needs to be raised so they can all be at the highest level.”
The digital landscape surrounding protected health information (PHI) has changed radically in the last two years, with remote work and lockdowns causing a massive proliferation of access points, devices and users. Digital identity has replaced firewalls as the chief guarantor of security for PHI. The fundamental strategies for securing that PHI data now rest on digital identity, credentials, and access management. New technologies for validating identity open a promising horizon of possibility for enabling high security without sacrificing productivity and workflow. By replacing a patchwork of incompatible systems with unified security systems woven together through the entire fabric of a healthcare organization, digital health leaders can rise to meet the formidable challenges of today’s cybersecurity. Zero trust architecture principles can be used to realize a more positive vision of security, in which organizations no longer have to make a statement of “zero trust,” but instead can rely on trust validated by advanced technology.
This thought leadership roundtable article was written by Rosslyn Elliott, CHIME Editor, and brought to you by Imprivata.
RETURN TO CHIME MEDIA