Digital identity in healthcare

Digital identities are central to cybersecurity in healthcare: they create trust in an ecosystem where patients and staff need to access sensitive information such as prescriptions, laboratory analyses or medical records. They are critical in all healthcare settings, including providers, payers, research, pharmaceuticals, biotech and more.

Digital identities enable individuals, including staff and contractors, to access the data and applications where secure information is held. Within a healthcare setting there are often thousands of users with various access levels to key programs and data. For instance, in a hospital, only a doctor should be able to process data from surgical procedures, whereas administrative staff should not be allowed to access it.

More importantly, these digital identities should be secured, governed, and audited, because a poorly protected identity can lead to cybersecurity breaches and data leaks. A compromised account means illegitimate access to personal or sensitive data. These breaches can have catastrophic consequences for data owners, healthcare providers, life sciences companies and patients. In the case of research organizations, they can also lead to the theft of intellectual property, as was the case when hackers launched a phishing attack on the COVID-19 supply chain to steal vaccine information.

Insider threats

According to the Verizon 2021 Data Breach Investigations Report (DBIR), human error is one of the main reasons data can be compromised. Insider attacks are also a key concern for cybersecurity in healthcare; configuration errors and insecure passwords create opportunities for attacks, whether the insider acted with malicious intent or not. Insider attacks are often harder to identify and resolve without the proper security settings in place.

Several key technologies enhance trust in digital identities. They are explained below:

Public Key Infrastructure (PKI)

Public key infrastructure is a set of processes and roles that are implemented to manage digital certificates. It can be used to encrypt data so that it can only be read by the intended recipient using the right certificates and cryptographic keys. Digital certificates are issued to users but also to software, connected devices (medical devices such as insulin pumps) and machines (such as MRI scanners).

These digital certificates are issued by trusted and regulated certificate authorities and show that the user, person, or device is genuine. The certificate authorities add a level of trust and user identification to ensure confidence and legitimacy. When a file or email is received digitally, the digital certificate can be checked by the application or machine to verify that the sender is legitimate.

For more sensitive data exchanges, keys are needed for an extra layer of security. Users are given two keys, a public key and a private key. To encrypt and decrypt data, the two keys must be used together: data encrypted with the public key can only be decrypted with the matching private key, so information is not leaked or accessed by unauthorised users. The public key is shareable and accessible by anyone, whereas the private key is hidden and only accessible to the key holder. A combination of these two keys ensures secure transfer of sensitive data.

Identity and Access Management (IAM)

Identity and access management is fundamental for healthcare providers to protect personal and medical data. IAM systems are set up so that each healthcare worker has access to the right level of information quickly and securely, depending upon their role and rights. As healthcare establishments often have a high turnover – especially job rotation between interns, placement students, external staff – it is critical to be able to assign the right access to applications quickly and revoke it automatically once the user leaves the facility.
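The role-based, time-limited access described above can be sketched as follows. This is an added example, not code from Atos or any IAM product; the role names, permission names, users and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role-to-permission map (hypothetical names, not from any product).
ROLE_PERMISSIONS = {
    "doctor": {"read_medical_record", "process_surgical_data"},
    "intern": {"read_medical_record"},
    "admin_staff": {"manage_appointments"},
}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    start: date
    end: date  # last day of the rotation or contract, inclusive

class AccessManager:
    def __init__(self, assignments):
        self.assignments = list(assignments)
        self.audit_log = []  # every decision is recorded, allowed or denied

    def active_roles(self, user, today):
        # Expired or not-yet-started assignments grant nothing, so access
        # lapses on the end date without anyone removing it by hand.
        return {a.role for a in self.assignments
                if a.user == user and a.start <= today <= a.end}

    def is_allowed(self, user, permission, today):
        # Default deny: unknown users, unknown roles and expired roles all fail.
        roles = self.active_roles(user, today)
        allowed = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        self.audit_log.append((today.isoformat(), user, permission,
                               "ALLOW" if allowed else "DENY"))
        return allowed

# Constructed sample data: a doctor, a three-month intern rotation, a clerk.
SAMPLE = [
    Assignment("dr_lee", "doctor", date(2024, 1, 1), date(2024, 12, 31)),
    Assignment("intern_kim", "intern", date(2024, 3, 1), date(2024, 5, 31)),
    Assignment("clerk_roy", "admin_staff", date(2024, 1, 1), date(2024, 12, 31)),
]

if __name__ == "__main__":
    iam = AccessManager(SAMPLE)
    iam.is_allowed("clerk_roy", "process_surgical_data", date(2024, 4, 1))
    iam.is_allowed("intern_kim", "read_medical_record", date(2024, 6, 1))
    for entry in iam.audit_log:
        print(entry)
```

The audit log keeps denied requests as well as allowed ones, which is what lets a reviewer spot an account that keeps probing for data outside its role.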

Patients’ data must also be protected from unauthorised and unnecessary access to ensure safety and confidentiality of service. Getting the balance right and providing the correct levels of access using technology is a challenge all healthcare settings regularly face. It is critical, as vital information must be available for those who need it 24/7.

IAM systems must also provide the right level of compliance and meet industry and data regulations, as required by the GDPR in the European Union or by HIPAA in the United States.

Privileged Access Management (PAM)

Privileged access management is the functionality to allow additional privileges or access to data or systems that are beyond the needs of any standard user. Sometimes this can be referred to as a super user or administrative account. Privileged access management needs extra caution and proper handling: any breach of a privileged account can leave an organisation extremely vulnerable to a cybersecurity attack.

PAM should be considered carefully in a healthcare setting. For instance, access to data or systems and the ability to erase or edit user permissions should be strictly regulated and monitored. In the wrong hands this level of access can have very serious implications for lateral movement and privilege escalation attacks.

For more information on digital identity in healthcare settings, or to speak to one of the team about how Atos can help advise and provide secure solutions, please contact our healthcare team.
