RisknCompliance Blog

Thoughts On Delivering Meaningful Outcomes in Security and Privacy

Docs turn up the heat on ONC! – Security Commentary

HealthcareITNews reported yesterday on this letter that was written by several physician organizations to the ONC.

I wanted to write a couple of quick thoughts on the security aspects raised in the letter. I highlighted relevant parts on pages 1 and 2 of the letter with annotations #1, #2 and #3.

Here then are my thoughts on the three items…

#1

We agree with this point. We have talked about our security-related concerns around the EHR Certification process and the Meaningful Use program previously. Here and here are a couple of example posts.

The first link has our commentary we published on the OIG report being referred to in the letter.

The second linked post on Patient Portals has specific details of our thoughts on the security criteria in the MU and Certification programs. We also discussed specific due diligence recommendations for providers. These recommendations should also apply to Electronic Health Records (EHRs) for the most part.

#2 and #3

These two paragraphs in the letter speak to the Identity and Access Management (IAM) related concerns, in particular around stronger authentication and usability.

We couldn’t agree more on these points. I am also glad the letter highlights the need for strong authentication.

It is no secret that IAM programs in general haven’t lived up to the promise and expectations. Healthcare provider settings in particular provide specific challenges, primarily because of the need for IAM to really be “transparent” and support clinical workflows seamlessly. We know this continues to be a challenge at most healthcare provider organizations. The point being made in the letter should come as no surprise to anyone.

In our view, an effective solution to this problem requires the IAM/HealthIT product vendors as well as IAM/Security consultants to up their game.

And then, healthcare providers (especially the larger ones who have the power and influence to move their vendors to act) have an important role to play in bringing the IAM and HealthIT vendors to the table so we have viable technology options available to us. We first talked about this at this webinar back in 2013, but I don’t think we are anywhere close to seeing viable technology options yet in leading vendor solutions.

In summary, I think the security-related arguments being made in the letter are very valid. However, I am not sure how much ONC can do to move us forward. At best, I think the ONC can only “take the horse to the water”, as it were. I really think we need both the IAM and HealthIT vendors to step up and collaborate actively to deliver viable solutions. And the healthcare providers need to push the vendors to do it.

I hope this has been a helpful read. Please don’t hesitate to leave your thoughts below, good or bad.

Wise Words To Avoid Horror Stories in Identity and Access Management

It is no secret that Identity and Access Management (IAM) continues to be a challenge for many organizations. As a witness and practitioner in the space for over 10 years now, it is not clear to me that we are getting any better at delivering to expectations and needs. What makes it more painful is the fact that IAM is often the most expensive component of a security program which means that failures of IAM initiatives come at a heavy cost to these programs.

If you were at the Gartner IAM Summit in Las Vegas last week, you probably got a closer look at the current state of IAM. I wasn’t there myself, but I did get an opportunity to review some of the sessions on demand at http://www.gartnereventsondemand.com. There were several good sessions, but I thought two sessions in particular provided good insight into the challenges from planning, governance and execution perspectives. They were “Horror Stories: Why IAM Programs Fail” and “Stop the Finger Pointing: The IAM Role Ecosystem”.

I tweeted some quotes from these sessions as well as some of my own thoughts last weekend. I thought a compilation of those tweets might be a quick and useful read for managers and executives responsible for delivering IAM initiatives everywhere. The tweets are presented below. The tweets with the #GartnerIAM hashtag are quotes from the analyst presentations (I also added my own comments to add to or clarify a few), and the ones without the hashtag are my own thoughts. Also, please note that these tweets are not in any particular order.

I hope you find these useful. Getting IAM right is not only a security imperative; it is also fast becoming an even bigger business imperative than it ever was in certain industries, thanks to the uptick in use of mobile and rapid consumerization, among other things.

I think the healthcare provider space is a very good example of such a rather abrupt change. For an industry that has historically not done very well with security in general and IAM in particular, getting your IAM program to be a business enabler in support of your clinician and patient engagement will be critical to how competitive your organization is in the marketplace. We’ll probably have more to say in terms of details in a later post.

So, yes … getting our IAM strategies right and executing them well should no doubt be a top priority for many of us.

I welcome your thoughts and feedback. Thank you!

“I’ll have what she is having.” Not a good way to select an IAM product or a vendor #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

“They are in the Leaders Quadrant.” Not yet a good reason to select an IAM product or vendor. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

“We have someone else to blame if the project goes sideways.” Not a good IAM strategy. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

The more customization you need to do to meet your requirements, the less of a fit it is. That of course assumes you have detailed use cases for your current and future requirements #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Designing your #IAM strategy or program around a product. Not a good idea #HorrorStories

Not understanding and documenting your business, operational, security/privacy risk or compliance use cases. The first step of an expensive misadventure in #IAM. #HorrorStories

Assuming HR data is accurate and automating life-cycle processes based on the data without appropriate validation #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com
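One way to put the validation the tweet above calls for in front of life-cycle automation, as an added example that is not part of the original post: every record from the HR feed passes sanity checks (required fields present, no duplicate IDs, no mass-termination anomaly, nobody silently dropped from the feed) before a create/update/disable action is allowed to run unattended; anything that fails is held for a human. The field names, thresholds and sample data are constructed for the example.

```python
"""Gate joiner/mover/leaver automation behind sanity checks on the HR feed (added example)."""
from collections import Counter

MAX_LEAVER_RATIO = 0.25  # assumed: more than a quarter of accounts leaving in one feed is a bad feed, not a layoff
REQUIRED_FIELDS = ("employee_id", "status", "department", "manager_id")

# Constructed sample data: current directory state (id -> department) and today's HR feed.
DIRECTORY = {f"E10{n}": "Cardiology" for n in range(8)}  # E100 .. E107
HR_FEED = [
    {"employee_id": "E100", "status": "active", "department": "Cardiology", "manager_id": "E001"},
    {"employee_id": "E101", "status": "active", "department": "Radiology", "manager_id": "E001"},       # mover
    {"employee_id": "E102", "status": "terminated", "department": "Cardiology", "manager_id": "E001"},  # leaver
    {"employee_id": "E103", "status": "active", "department": "", "manager_id": "E001"},                # incomplete
    {"employee_id": "E104", "status": "active", "department": "Cardiology", "manager_id": "E001"},
    {"employee_id": "E104", "status": "terminated", "department": "Cardiology", "manager_id": "E001"},  # duplicate id
    {"employee_id": "E105", "status": "active", "department": "Cardiology", "manager_id": "E001"},
    {"employee_id": "E106", "status": "active", "department": "Cardiology", "manager_id": "E001"},
    {"employee_id": "E107", "status": "active", "department": "Cardiology", "manager_id": "E001"},
    {"employee_id": "E108", "status": "active", "department": "Oncology", "manager_id": "E001"},        # joiner
]


def plan_lifecycle_actions(feed, directory):
    """Return (auto, held): actions safe to run unattended, and records that need a human look."""
    auto, held = [], []
    counts = Counter(r.get("employee_id") for r in feed)
    for rec in feed:
        eid = rec.get("employee_id")
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            held.append((eid, "missing " + ",".join(missing)))
        elif counts[eid] > 1:
            held.append((eid, "duplicate employee_id in feed"))
        elif rec["status"] == "terminated":
            if eid in directory:
                auto.append((eid, "disable"))
        elif eid not in directory:
            auto.append((eid, "create"))
        elif directory[eid] != rec["department"]:
            auto.append((eid, "update department"))
    # Accounts in the directory but absent from the feed are never auto-disabled; flag them instead.
    fed = {r.get("employee_id") for r in feed}
    held += [(eid, "absent from HR feed") for eid in directory if eid not in fed]
    # A feed that disables a large share of the population is treated as a bad feed, not a layoff.
    leavers = [a for a in auto if a[1] == "disable"]
    if directory and len(leavers) / len(directory) > MAX_LEAVER_RATIO:
        held += [(eid, "mass termination in feed") for eid, _ in leavers]
        auto = [a for a in auto if a[1] != "disable"]
    return auto, held
```

On the sample feed only the mover, one leaver and the new hire are automated; the incomplete and duplicated records are held, and a feed terminating most of the directory would hold every disable for review.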

Trying to “boil the ocean” and not focusing adequately on your most important requirements #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Treating automation as your top priority is another step on your way to a certain failure #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Trying to get ideas from your SIs on what may have worked elsewhere and “hoping” they will work for you. Not a good idea. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

“If we build it, they will come” approach by the technical IAM folks. Not a good idea. Business folks don’t care. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Beware! Using ROI for an IAM business case could be a slippery slope in some instances #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

“What (Process) Re-engineering? We don’t need no Re-engineering.” You just took a big step towards failure. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

DIY only if you know what you are doing, have learned your lessons and are capable enough not to repeat the key mistakes #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

The right sequence is Principles, Policies, Practices, Processes, People and Products. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

If you are thinking products before you have figured out people and processes, you have it wrong #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

An exclusive group of technical #IAM folks developing your strategy? They are likely thinking products ahead of people and processes #HorrorStories

Beware of hiring your SI to develop your strategy as well. There may be a conflict of interest not to mention that they may just not be qualified enough to develop your strategy #IAM #HorrorStories

“Through 2016, enterprises without formal IAM programs will spend 40% more and experience twice as many failures as those with formal programs” #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

What constitutes an #IAM strategy? Vision, program objectives and a two- or three-year roadmap that satisfies stakeholder expectations #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Remember detection and containment are at least just as important as prevention in #security today. Does your #IAM #Strategy meet the test? #HorrorStories

Effective #IAM strategy today needs active collaboration between traditional security silos #DLP #SIEM #operations #HorrorStories

#IAM stakeholders must include leaders from:
Business
Technologies
Risk
Privacy
Compliance/Audit
Leads from other security verticals
HR
Vendor Management
Help Desk
#Strategy

Top #IAM #Strategy priorities today:
Business Enablement
User Experience
Security/Privacy Risk Management
Compliance
… in that order.

Your new application is designed to use its own access credentials? You may need to get back to the drawing board #Federation #StrongAuthentication #SSO #OpenIDConnect

Trying to enforce your password policy on your customer facing application? That is yesterday’s #IAM #Strategy. #OpenIDConnect

Your #DLP #SIEM leads don’t know what your #IAM plan is? Maybe it’s time for #security #leadership to show up. #HorrorStories

Trying to solve #IAM problems solely with IAM solutions? That is yesterday’s IAM #Strategy. #HorrorStories

#GartnerIAM says “There will always be shared passwords & that’s okay. You just have to have the proper controls around them.” Agreed, but does your #IAM team understand all viable workarounds? #Strategy

#Mobile and #Consumer not key components of your #strategy? That is yesterday’s #IAM

Remember #consumer includes internal users in addition to customers #IAM #Strategy

Shying away from #BYOI for customer access? You may still be on yesterday’s #IAM #Strategy. #OpenIDConnect #SocialMedia

Not educating your customers about using #StrongAuthentication on their #SocialMedia ids when accessing sensitive data? You may want to. #BYOI #OpenIDConnect #IAM #Strategy