Months after a ransomware attack hit parts of the NHS, the effects are still being felt – how can better identity security improve safety?
Gregg Hardie, Public Sector Director at SailPoint, explores the importance of identity security to protect vital healthcare data.
As the newspaper reported of the August 2022 attack, “patients’ records are missing, safety has been compromised, and medication doses are at risk of being missed amid ongoing chaos”.
Strikingly, new research suggests that 93% of healthcare organisations have experienced an identity-related breach within the past two years, leading to operational downtime, compromised accounts, revenue loss, stolen data, and reputational damage. Many of these attacks are rooted in a compromised identity, with user access points often successfully targeted by malicious actors.
The threat to healthcare from poor identity security is real and constant, and the effects of a breach can be devastating. Alongside the rise in targeted cyberattacks, the NHS is also dealing with widespread staffing and budgetary crises, rising patient numbers and ever-increasing patient expectations. The pressures are immense, but underpinning a ready and resilient NHS is a secure digital infrastructure – this is crucial to helping the sector navigate these challenging times.
Identity security is a priority problem
Frontline healthcare institutions are now founded upon a complex network of technology, applications, and users. Identity security is a multi-faceted aspect of securing that network and ensuring prompt and correct access to the right applications and data at the right time.
For example, data kept within Electronic Patient Records (EPRs) requires a vast undertaking to securely manage access in a complex system. While a doctor needs access to a patient’s medical record, they don’t need to know their address. On the flip side, administrative staff might need access to a patient’s insurance information or address but not their medical history. It’s critical to ensure the right identities have the right access at the right time.
Alongside the management of complex access needs, the growth of data regulations places further challenges on identity security, requiring organisations to evidence compliance successfully. However, only 45% of healthcare IT leaders are confident in their ability to comply with GDPR, sinking to just 37% for ISO/IEC 27001. Last year the Tavistock & Portman NHS Foundation Trust was fined over £78k for a breach of GDPR, demonstrating the impact non-compliance can have on already cash-strapped services.
In addition to data governance and compliance concerns, the sheer amount of data and identities that today’s organisations need to manage and secure has gone beyond human capacity. Right now, IT teams can spend 15 hours a week on average (over a third of their time) managing access and permissions for all the identities in their organisation. No matter how large or talented an IT team is, it’s impossible to keep up with manually implementing all the necessary entitlements and permissions.
At a time when digital transformation efforts are key to managing soaring expectations and workloads across healthcare, time spent on such manual tasks is time taken away from projects that can result in better patient care. Yet this is not a task that can be ignored. As such, healthcare organisations are increasingly turning to technologies such as artificial intelligence and robust third-party identity security programmes to deliver an intelligent, autonomous identity foundation that securely supports their services. Automating access governance simplifies the process and improves accuracy, which can significantly ease the burden on organisations worried about investing time and resources.
Universal recognition of identity security improvements
The importance of solid identity security is almost universally recognised. 95% of healthcare IT leaders indicate that identity security is an investment priority. However, almost a quarter (23%) admit that their ability to manage data securely requires a complete overhaul. Nearly three in ten reported that it is their organisation’s first investment priority amid growing cloud adoption and digital transformation. Almost all (97%) say it requires improvement to meet all the needs of users, regulations and threat mitigation.
Unfortunately, there are still roadblocks to improving identity security, with nine in ten survey respondents saying they have experienced challenges ranging from inflexible solutions to a need for more skilled personnel. Other factors, such as a lack of senior buy-in and high initial investment, highlight that organisational adoption remains a problem for many.
However, implementing a strong identity security solution has been shown to deliver a number of benefits to organisations. While ease of integration, added control and visibility are important, respondents in our survey indicated financial and reputational benefits associated with implementing an identity solution, including total cost of ownership (38%) and cost and time savings within their IT and security teams (38%).
While it is heartening that healthcare organisations recognise the importance of strong identity security, many implementations are either in their infancy, stalled or ongoing, leaving organisations vulnerable to attack. And while many are enjoying the benefits that identity security brings, many are being held back from being truly successful with their programmes.
Hospitals and healthcare organisations may be at different maturity levels on their identity security journey. Still, there is a critical need for modernised identity security, especially the elimination of manual processes which are time-consuming and can result in delays in patient care. Poorly governed access can also have a profound effect on finances. Data breaches can result in compliance fines, reputation damage, and legal and operational costs.
Identity security is business essential
Modernised identity security programmes secure digital identities, granting clinician access to the appropriate applications, systems, and data they need on day one. With AI and machine learning at the foundation, healthcare-focused identity security automates the discovery, management, and control of all user access, leaving IT teams free to focus on innovation, collaboration, and productivity.
To reduce the risk of attacks on the NHS and its healthcare partners, leveraging AI-enabled identity security will be critical, allowing organisations to see, understand and manage who has access to what and why. By harnessing the latest identification technologies, the NHS can not only mitigate threats but also free precious resources to be used elsewhere, supporting the continued digitalisation of the UK’s most critical and vulnerable public service.