In part one of our protected health information (PHI) series, we described why a hacker is interested in PHI and how they get it. In part two, we will cover ways to defend PHI data and best practices for mitigating attacks.
Single Sign-On and Federated Identity
Healthcare organizations can manage access and privileges with single sign-on (SSO). SSO lets users log into multiple systems with a single set of credentials. Users are freed from the frustration of forgotten passwords, and security is strengthened because users no longer need to write down their passwords or share them with colleagues. A password self-service portal unburdens the helpdesk from these calls. In turn, the IT department is relieved of the time-consuming task of endlessly resetting passwords, which yields cost savings for the organization and allows your staff to concentrate on other, higher-priority tasks.
Vendors and business associates also need access to a healthcare organization’s systems. The challenge of provisioning and de-provisioning access across organizations is solved by the use of federated identity and a secure federation broker.
Federated identity lets a user use the same set of credentials to log into systems across multiple enterprises. Administrators can efficiently log user activities and monitor accounts with a custom entitlements engine and self-service administration capabilities. The OptimalCloud™ from Optimal IdM does this and also supports multi-factor authentication and authorization in the cloud, on-premises, or in a hybrid environment. Anything less than multi-factor authentication and authorization is considered deficient by HIPAA auditors.
Virtual Identity Server
Migrating from one LDAP directory to another is a challenge so complicated that many healthcare organizations prefer to limp along with their legacy systems rather than risk the move. That problem is solved with Optimal IdM’s Virtual Identity Server (VIS), which emulates the existing LDAP platform while proxying requests to the new LDAP environment. You can leverage VIS to set up a workflow that consolidates forests, or a workflow that populates (migrates) the users into a new A.D. forest. Healthcare organizations can make decisions based on what’s best for their business, no longer limited by the capabilities of their old systems.
VIS simplifies identity management and gives greater control over which accounts can connect, bind, and search the LDAP directory of a healthcare organization.
VIS was developed in .NET to easily integrate with SharePoint and MIIS/MLM. The result is enhanced functionality and scalability, so healthcare organizations can capture a greater ROI on their existing Microsoft investment.
VIS also provides an enhanced application environment that lets healthcare organizations rapidly and easily deploy third-party applications against multiple existing Active Directory forests or directories without extending the AD schema. VIS presents thousands of Active Directory forests in a single, managed view. Further, it gives organizations a real-time view of identity data from any data store.
Best Practices for Protecting PHI
Think of security in terms of layers. The best firewalls, AV and AI for defense likely won’t defend against social engineering and insider threats.
Evaluate your resources in terms of risk. While it may seem a good idea to put every resource behind multiple physical, network, application and identity layers, it just isn’t feasible. Identify high-risk targets and secure them immediately — e.g. any identity accounts with administrative abilities (including service accounts), reservoirs of patient data (PHI), orphaned/unused accounts, specialty accounts of CxOs, etc. Require MFA for administrative functions and for access to confidential patient data.
Communicate with end-users. Collectively, we need to change our attitude toward end-user pushback when security barriers are put up. Collaborate with executive stakeholders and come up with an approved communication strategy to educate end users. Accept that this is not a one-time stopgap measure. Communication is a choice and a lifestyle. Embrace the fact that you are going to be a lifelong educator to your end user population.
Implement an Integrated Identity Cyber-Defense Platform
- Choose a vendor-agnostic, heterogeneous identity platform to avoid expensive vendor lock-in. Some vendors make their cloud services extremely proprietary and difficult to get out of. Optimal IdM gives you great flexibility in deployment and architectural options, and our solution doesn’t use proprietary software agents deployed on your domain controllers or servers to deliver an integrated solution.
- Single Plane of Identity Access Management – Optimal IdM’s SSO Federation broker allows for a single place for you to implement your identity security policy. You can do so globally (for all users and/or applications) or as granular as a single user, if desired.
- Audit identity transactions from a single source. Our Federation Broker allows for a single point of auditing and reporting, since users first authenticate against our proxy (although our solution can also be architected as a secondary point, if desired).
- Encryption in transit and at rest — Optimal IdM is one of very few vendors whose fully-managed SSO Federated (IDaaS, SaaS) solution supports both encryption in transit and encryption at rest.
- Protection from phishing attacks using fake SSO applications – A Federated SSO platform, like Optimal IdM’s OptimalCloud, can protect unsuspecting users from trying to log in to fake SaaS applications.
Limit access to identity information by default
- Unfortunately, the default nature of most directory services is to allow overly broad access to users, services and applications. Often access is granted at the root of the directory, with users, services and applications able to browse the entire directory service (e.g. an A.D. forest). With Optimal IdM, we can narrow directory identity access down to a single OU, or simply to sets of objects. We can do this within a few minutes, without touching any backend application, without installing any software agents, and without breaking compatibility with applications.
- Implement a least-privilege model for web apps and SaaS apps that browse your directory services. Optimal IdM’s Virtual Directory Server and/or Federation Broker enforce this at a global level without changing anything on the application side: we simply configure an application so that it is only allowed to browse a certain OU, for example.
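The OU scoping described in the two points above is, at its core, a check that an application's requested search base lies inside the one subtree it has been granted, with everything else (including root-of-forest searches) refused. The following is an added example, not Optimal IdM's code: a small Python model of that broker-side check, with DN normalisation so that case and spacing differences cannot be used to slip past the comparison. The application table, DNs and attribute lists are constructed sample data.

```python
"""Added example (not Optimal IdM code): scope each application's LDAP searches to a
single OU at the proxy, without changing the application or the backend directory.
The application table and all DNs below are constructed sample data."""

from dataclasses import dataclass, field
from typing import List, Optional


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas and normalise each one so that
    'OU=Clinical Staff , DC=Example,DC=Org' and 'ou=clinical staff,dc=example,dc=org'
    compare equal. Attribute types and values are compared case-insensitively
    (assumption: caseIgnore matching, which is what AD uses for cn/ou/dc)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    normalised = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        normalised.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return normalised


def dn_within(candidate: str, scope: str) -> bool:
    """True if candidate equals scope or lies beneath it in the directory tree."""
    cand, sc = split_dn(candidate), split_dn(scope)
    return len(cand) >= len(sc) and cand[len(cand) - len(sc):] == sc


@dataclass
class AppScope:
    """Constructed per-application policy: the OU the app may search and, optionally,
    the attributes it may read (an empty list means no attribute restriction)."""
    name: str
    allowed_base: str
    allowed_attrs: List[str] = field(default_factory=list)


# Constructed policy table, as a broker administrator might configure it.
APP_SCOPES = {
    "scheduling-portal": AppScope(
        "scheduling-portal", "OU=Clinical Staff,DC=example,DC=org", ["cn", "mail", "memberOf"]
    ),
    "hr-directory": AppScope("hr-directory", "OU=Employees,DC=example,DC=org"),
}


def authorize_search(app: str, base_dn: str, attrs: List[str]) -> Optional[str]:
    """Return None if the search is permitted, otherwise the reason it is refused.
    Unregistered applications are refused: deny by default, the reverse of the
    usual directory default the text describes."""
    scope = APP_SCOPES.get(app)
    if scope is None:
        return f"unknown application {app!r}"
    if not dn_within(base_dn, scope.allowed_base):
        return f"search base {base_dn!r} is outside permitted OU {scope.allowed_base!r}"
    if scope.allowed_attrs:
        permitted = {a.lower() for a in scope.allowed_attrs}
        disallowed = [a for a in attrs if a.lower() not in permitted]
        if disallowed:
            return f"attributes not permitted for {app}: {disallowed}"
    return None


if __name__ == "__main__":
    checks = [
        ("scheduling-portal", "ou=clinical staff,dc=example,dc=org", ["cn", "mail"]),
        ("scheduling-portal", "CN=Nurses,OU=Clinical Staff,DC=example,DC=org", ["cn"]),
        ("scheduling-portal", "DC=example,DC=org", ["cn"]),                      # forest root
        ("scheduling-portal", "OU=Clinical Staff,DC=example,DC=org", ["unicodePwd"]),
        ("kiosk", "DC=example,DC=org", ["cn"]),                                  # unregistered
    ]
    for app, base, attrs in checks:
        verdict = authorize_search(app, base, attrs)
        print(f"{app:18} {base:45} -> {'ALLOW' if verdict is None else 'DENY: ' + verdict}")
```

The point of normalising before comparing is that a plain string comparison of DNs would let `dc=Example` or an extra space around a comma bypass the scope; a real virtual directory also has to handle quoted values and hex escapes, which this model leaves out.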
Create Access Policies based on least privilege in a couple clicks
- RBAC – RBAC (role-based access control) is a static, coarse-grained access control that is fairly simplistic: you only get access to an application if you are a member of a role (think Active Directory group). Optimal IdM can do this based on a number of factors, including ‘hidden’ roles/groups.
- Fine-Grained Access Control – (also known as attribute-based access control, or ABAC for short) is a dynamic access control that evaluates multiple criteria before making access decisions. The evaluation process can also require a step-up authentication method, such as MFA, for certain applications. Again, the decision is evaluated against real-time data for each access request.
- Create Access Policies at the Broker Level – Optimal IdM allows for the creation of these policies at the broker level, thus not requiring any change to backend applications.
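To make the RBAC/ABAC distinction concrete, here is an added example (not Optimal IdM's policy engine) in Python: the same subjects and applications evaluated first with a pure group-membership rule, then with an attribute-based rule that weighs department, device and network context and returns a step-up (MFA) requirement instead of a flat allow/deny. Users, groups, applications and attribute names are constructed sample data.

```python
"""Added example (not Optimal IdM code): RBAC versus ABAC decisions as a broker would
evaluate them at authentication time. All subjects, groups and applications are
constructed sample data; the three outcomes are allow, step-up (MFA) and deny."""

from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"


@dataclass
class Subject:
    """Identity and session attributes as seen by the broker after first-factor login."""
    user: str
    groups: Set[str]
    department: str
    authenticated_with_mfa: bool
    managed_device: bool
    on_corporate_network: bool
    account_enabled: bool = True


@dataclass
class AppPolicy:
    """Constructed per-application policy held at the broker, so no backend change."""
    required_group: str                                        # the RBAC question
    handles_phi: bool = False                                  # ABAC context
    allowed_departments: Set[str] = field(default_factory=set)  # empty = any department


def rbac_decision(subject: Subject, policy: AppPolicy) -> str:
    """Static, coarse-grained: role (AD group) membership is the only input."""
    if not subject.account_enabled:
        return DENY
    return ALLOW if policy.required_group in subject.groups else DENY


def abac_decision(subject: Subject, policy: AppPolicy) -> str:
    """Dynamic, fine-grained: several attributes per request; risk escalates to MFA."""
    if not subject.account_enabled:
        return DENY
    if policy.required_group not in subject.groups:
        return DENY                      # role membership remains the floor
    if policy.allowed_departments and subject.department not in policy.allowed_departments:
        return DENY                      # right group, wrong department
    if policy.handles_phi:
        if not subject.managed_device:
            return DENY                  # PHI is never released to unmanaged endpoints
        if not subject.authenticated_with_mfa:
            return STEP_UP               # PHI always requires a second factor
        return ALLOW
    if not subject.on_corporate_network and not subject.authenticated_with_mfa:
        return STEP_UP                   # non-PHI app, but off-network: ask for MFA
    return ALLOW


# Constructed applications.
APPS: Dict[str, AppPolicy] = {
    "ehr": AppPolicy("EHR-Users", handles_phi=True, allowed_departments={"Clinical", "Nursing"}),
    "timesheets": AppPolicy("Employees"),
}

# Constructed subjects.
SUBJECTS: Dict[str, Subject] = {
    "nurse.kim": Subject("nurse.kim", {"Employees", "EHR-Users"}, "Nursing", False, True, True),
    "bill.ng": Subject("bill.ng", {"Employees", "EHR-Users"}, "Billing", True, True, True),
    "dr.lee": Subject("dr.lee", {"Employees", "EHR-Users"}, "Clinical", True, False, False),
    "ex.staff": Subject("ex.staff", {"Employees"}, "Clinical", True, True, True, account_enabled=False),
}


def evaluate(user: str, app: str) -> Tuple[str, str]:
    """Return (rbac, abac) decisions for one access request."""
    subject, policy = SUBJECTS[user], APPS[app]
    return rbac_decision(subject, policy), abac_decision(subject, policy)


if __name__ == "__main__":
    for user in SUBJECTS:
        for app in APPS:
            rbac, abac = evaluate(user, app)
            print(f"{user:10} -> {app:10} RBAC={rbac:8} ABAC={abac}")
```

The billing user is the instructive case: group membership alone admits them to the EHR application, while the attribute rule denies them because department is evaluated per request; the nurse is admitted by RBAC outright but ABAC first demands a second factor.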
Reduce insider threats
- Identify high-risk identities – want to know which users haven’t logged on in “x” number of days? …or haven’t changed their passwords? …or accounts that are locked out? …or are members of administrative groups? Optimal IdM can show you in a couple of clicks. Or better yet, we can run the report in the background and just email you the results at a frequency of your choice.
- Require Step-up Authentication (MFA) for higher risk applications and data sources of PHI
- Require MFA for all administrators, privileged accounts and executives
- Disable terminated employees’ access to applications and directory services immediately and in real time. Our Federated SSO solution provides a single point of initial authentication and can immediately disable access — without deletion and without the need for synchronization. These scenarios are typically referred to as hire/fire or onboarding/off-boarding.
- Isolate and/or disable retired identities – Optimal IdM can
- Inform your team to take action – Use a solution, like Optimal IdM’s, to send weekly or bi-weekly emails out about what’s changed in your directory during that window.
- Extend your team’s security expertise – by utilizing Optimal IdM’s identity and federation expertise
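The high-risk identity questions listed above (stale logons, old passwords, lockouts, administrative group membership, terminated staff still enabled) all reduce to a handful of comparisons over directory attributes. The following is an added example, not Optimal IdM's reporting feature: a Python report that applies those comparisons to constructed directory export records and groups the findings per account. Attribute names resemble the usual AD ones, but the records, group names and thresholds are constructed for the example.

```python
"""Added example (not Optimal IdM code): a high-risk identity report over constructed
directory records. Flags stale logons, old passwords, lockouts, privileged-group
members without MFA and terminated staff whose accounts are still enabled."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed list of groups treated as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "EHR-Admins"}


@dataclass
class Account:
    """One directory record joined with the HR status feed (all fields constructed)."""
    sam_account_name: str
    enabled: bool
    last_logon: Optional[datetime]
    pwd_last_set: Optional[datetime]
    locked_out: bool = False
    member_of: List[str] = field(default_factory=list)
    mfa_enrolled: bool = False
    employee_status: str = "active"          # "active" or "terminated" from HR


@dataclass
class Thresholds:
    """The 'x days' knobs; defaults are illustrative, not a recommendation."""
    stale_logon_days: int = 90
    password_age_days: int = 180
    never_logged_on_grace_days: int = 30


def assess(acct: Account, now: datetime, t: Thresholds) -> List[str]:
    """Return the list of risk findings for one account (empty list = nothing to report)."""
    findings: List[str] = []
    if acct.employee_status == "terminated" and acct.enabled:
        findings.append("terminated but still enabled")    # hire/fire drift
    if acct.locked_out:
        findings.append("locked out")
    if acct.last_logon is None:
        created_proxy = acct.pwd_last_set                     # no whenCreated in the sample
        if created_proxy is None or now - created_proxy > timedelta(days=t.never_logged_on_grace_days):
            findings.append("never logged on")
    elif now - acct.last_logon > timedelta(days=t.stale_logon_days):
        findings.append(f"no logon in {(now - acct.last_logon).days} days")
    if acct.pwd_last_set is None:
        findings.append("password never set")
    elif now - acct.pwd_last_set > timedelta(days=t.password_age_days):
        findings.append(f"password {(now - acct.pwd_last_set).days} days old")
    privileged = sorted(set(acct.member_of) & PRIVILEGED_GROUPS)
    if privileged:
        findings.append(f"member of privileged group(s) {privileged}")
        if not acct.mfa_enrolled:
            findings.append("privileged account without MFA")
    return findings


def build_report(accounts: List[Account], now: datetime,
                 t: Thresholds = Thresholds()) -> Dict[str, List[str]]:
    """Map account name -> findings, omitting accounts with nothing to report."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = assess(acct, now, t)
        if findings:
            report[acct.sam_account_name] = findings
    return report


def render(report: Dict[str, List[str]]) -> str:
    """Plain-text body suitable for the scheduled e-mail the text describes."""
    lines = [f"{len(report)} account(s) need attention"]
    for name, findings in sorted(report.items()):
        lines.append(f"- {name}: " + "; ".join(findings))
    return "\n".join(lines)


# Constructed "as of" time and records.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("svc_backup", True, NOW - timedelta(days=400), NOW - timedelta(days=900),
            member_of=["Domain Admins"]),
    Account("jdoe", True, NOW - timedelta(days=2), NOW - timedelta(days=30), member_of=["Employees"]),
    Account("rmartin", True, NOW - timedelta(days=120), NOW - timedelta(days=60),
            employee_status="terminated"),
    Account("cfo", True, NOW - timedelta(days=1), NOW - timedelta(days=200),
            member_of=["Executives"], mfa_enrolled=True),
    Account("temp_intern", True, None, NOW - timedelta(days=45)),
    Account("nurse.kim", True, NOW - timedelta(days=3), NOW - timedelta(days=20), locked_out=True),
]

if __name__ == "__main__":
    print(render(build_report(SAMPLE_ACCOUNTS, NOW)))
```

Running it against a real directory only changes the data source: the same `assess` function works on whatever export or query result is mapped into `Account`, and the per-account list is what the scheduled e-mail would carry.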
Automate Security Practices
- Automation of security best practices protects you from human misconfigurations – up to 75% of security threats are from misconfigurations
- Automation provides transactional consistency and reliability, unlike humans
- Provide Automated Reporting through email reports of changes in A.D., for example, every two weeks
- Automate alerts for high risk transactions or out of the ordinary behavior.
- Automate self-service functions like resetting passwords, device registration, etc., thereby offloading the volume, and cost, of helpdesk calls
- Provide self-registration – enable self-registration for doctors, contractors and provider networks as well
Why Choose Optimal IdM to Help Protect Your Organization
Optimal IdM’s staff of experts can become an extension of your internal teams. Allow your team to do what it does best and allow us to run your identity and authentication infrastructure. Optimal IdM offers a fully managed service. What that means to you is that your team can identify the policies and business needs, hand them to us, and we’ll customize the software, usually within a few hours, to your needs. This is all part of our managed-service SSO Federation solution utilizing our policy management engine and virtual directory.
Optimal IdM can also provide immediate mitigation with our Cloud Federation Broker and on-premise Virtual Directory Server. Our solution is often implemented in just a few hours. Request a free demo of our services by contacting us today.