Written by Nam Lam, Country Manager, ANZ, SailPoint.
The healthcare industry remains the most targeted industry by cybercriminals in Australia: the sector reported the highest number of notified breaches – 14% of 497 data breaches – to the privacy regulator in the second half of 2022, according to the OAIC report.
The Medicare breach recorded in October last year, which exposed the sensitive data of 9.7 million current and former customers, was the latest to shake the industry to its core. It is not surprising, then, that 85% of Australians see data privacy as a major concern, reflecting a lack of trust and confidence in sharing their personal health information digitally.
Combined with chronic staff shortages and the growing number of data privacy and information security regulations affecting the industry, the healthcare sector stands at a crucial point in finding the right balance between privacy and security when it comes to accessing Australians’ sensitive data.
For example, whilst My Health Record has been available to Australians for over 10 years, adoption only accelerated during COVID, with more Australians and healthcare providers accessing and adding to the existing data. The accelerated demand for digital integration and use of data has been a catalyst for reviewing how medical data is shared and accessed safely across complex and highly connected ecosystems. That is the next challenge for the healthcare sector.
What’s promising is that according to SailPoint’s “The State of Identity Security 2023: A Spotlight on Healthcare” report, the healthcare industry almost universally recognises the importance of identity security, with 95% indicating that identity security is either a relatively important, critical, or number one investment priority for the organisation.
Whilst 29% of organisations rank it as their number one investment priority amid growing cloud adoption, digital transformation, and mergers and acquisitions within the industry, most organisations are still in the early stages of identity maturity: only a third have had an identity and access management program in place for more than two years.
The sector’s vulnerability therefore remains high. As employee, non-employee and non-human identities continue to proliferate, it is no longer viable to give users broad access to internal healthcare systems, as human error and insider threats are the cause of most data breaches.
Why an Identity Security strategy is a must
With 93% of healthcare organisations having experienced an identity-related breach in the last two years, the healthcare sector cannot afford to ignore identity security. To keep up with evolving security risks and prevent financial and reputational losses, healthcare organisations must implement a comprehensive identity program.
The healthcare sector is uniquely challenged in securing identities that hold one-to-many roles and come from multiple authoritative sources, including many non-employees such as contractors, affiliate doctors and temporary healthcare professionals like nurses, imaging technologists and therapists.
An identity security strategy enforced through Zero Trust and least-privileged access, and harnessing AI, gives healthcare firms complete visibility over all the direct and related access each user has – including all permissions, entitlements, and roles.
Identity management is key to a secure, compliant and efficient infrastructure because it enables organisations to understand and manage who has access to which resources and how that access is actually used, so that privileges can be reduced, adjusted or removed as needed. By granting all internal and external users only the minimum access required to perform their job, healthcare organisations can mitigate the risk posed by compromised credentials.
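To make the least-privilege and visibility point concrete, here is an added illustration (not SailPoint's code or any product's logic) of an entitlement review: accounts seen in a clinical application are reconciled against constructed authoritative sources (HR, a contractor registry and a service-account inventory) and a constructed role model, flagging orphaned accounts and entitlements that no assigned role justifies. All identifiers, roles and entitlements below are made up for the example.

```python
"""Entitlement review: orphaned accounts and excess access beyond assigned roles.
Added illustration; every identity, role and entitlement here is constructed."""

# Constructed role model: the entitlements each role is meant to carry.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr:read", "ehr:write_notes"},
    "imaging_tech": {"pacs:read", "pacs:upload"},
    "affiliate_doctor": {"ehr:read", "ehr:prescribe"},
    "service_account": {"hl7:ingest"},
}

# Constructed authoritative sources: staff (HR), non-employees (contractor
# registry) and non-human identities (service-account inventory).
HR_SOURCE = {"u100", "u101"}
CONTRACTOR_SOURCE = {"c200"}
NON_HUMAN_SOURCE = {"svc-hl7"}
AUTHORITATIVE = HR_SOURCE | CONTRACTOR_SOURCE | NON_HUMAN_SOURCE

# Constructed application accounts: assigned roles and what is actually granted.
ACCOUNTS = [
    {"id": "u100", "roles": ["nurse"], "granted": {"ehr:read", "ehr:write_notes"}},
    {"id": "u101", "roles": ["nurse", "imaging_tech"],
     "granted": {"ehr:read", "pacs:read", "ehr:prescribe"}},
    {"id": "c200", "roles": ["affiliate_doctor"],
     "granted": {"ehr:read", "ehr:prescribe", "pacs:upload"}},
    {"id": "svc-hl7", "roles": ["service_account"], "granted": {"hl7:ingest", "ehr:read"}},
    {"id": "u999", "roles": ["nurse"], "granted": {"ehr:read"}},  # left every source
]


def review(accounts, authoritative, role_model):
    """Return {account_id: {"orphaned": bool, "excess": set}} for accounts needing action.

    An account is orphaned when no authoritative source still vouches for it;
    its excess is every granted entitlement that none of its roles explains.
    """
    findings = {}
    for acct in accounts:
        allowed = set().union(*(role_model.get(r, set()) for r in acct["roles"]))
        excess = acct["granted"] - allowed
        orphaned = acct["id"] not in authoritative
        if orphaned or excess:
            findings[acct["id"]] = {"orphaned": orphaned, "excess": excess}
    return findings


if __name__ == "__main__":
    for acct_id, finding in review(ACCOUNTS, AUTHORITATIVE, ROLE_ENTITLEMENTS).items():
        action = "disable" if finding["orphaned"] else "revoke " + ", ".join(sorted(finding["excess"]))
        print(f"{acct_id}: {action}")
```

Orphaned accounts are disabled outright; for the rest, only the entitlements outside the assigned roles are revoked, which is the reduce/adjust/remove loop described above.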
With tighter security controls in place, Australians would also feel more assured to share their private health information.
Adopting a SaaS-first approach
Healthcare organisations are typically built on legacy systems, which are more exposed to cyberattack. This infrastructure not only poses a security risk because of its manual, human-centred processes, but also hampers operational efficiency because it cannot easily integrate with innovative solutions that automate identity decisions.
Implementing a truly native Software-as-a-Service (SaaS) approach to identity security, interoperable with a mix of on-premise and cloud environments, can give IT teams continuous and accurate visibility into their entire SaaS environment. This visibility reduces the strain on IT teams by allowing controls to be set up that govern all SaaS access, control software spend and secure identities against cyber threats, whilst delivering enhanced data security, telehealth and improved patient engagement.
In the recent report by SailPoint, 38% of healthcare firms said that managing access is time-consuming, with a typical healthcare IT professional spending more than a third of their week managing access and permissions for identities. An automated identity approach can define user roles and create access policies, giving healthcare workers fast, simple and error-free access to the data and critical resources they need to care for patients. With an AI-driven process to review, refine and evaluate roles, healthcare organisations can improve compliance, meet regulatory requirements and deliver successful audit outcomes.
An integrated, intelligent and automated identity security strategy provides the visibility and insight to extend access at the right time, monitors behaviour patterns, and lets IT managers spot risky access faster. With it, healthcare firms not only gain enhanced security to protect patient data but also improve operational efficiency and deliver a seamless patient experience.