Cybersecurity Practice #3: Identity and Access Management

Identity and access management (IAM) is a program that encompasses the processes, people, technologies, and practices relating to granting, revoking, and managing user access. Given the complexities associated with health care environments, IAM models are critical for limiting the security vulnerabilities that can expose organizations. A common phrase used to describe these programs is "enabling the right individuals to access the right resources at the right time."
Cybersecurity Practice 3: Identity and Access Management

Data that may be affected: Passwords

Medium Sub-Practices:
3.M.A Identity
3.M.B Provisioning, Transfers, and Deprovisioning Procedures
3.M.C Authentication
3.M.D Multi-Factor Authentication for Remote Access

Large Sub-Practices:
3.L.A Federated Identity Management
3.L.B Authorization (Access Governance)
3.L.C Single Sign-On

Key Mitigated Risks:
Ransomware Attacks
Insider, Accidental or Intentional Data Loss
Attacks Against Connected Medical Devices that May Affect Patient Safety
Most access authentication methods rely on usernames and passwords, a model that the success of phishing and hacking attacks has proven to be weak. Establishing IAM controls requires a distinct and dedicated program to accommodate its high level of complexity and numerous points of integration. You can find a toolkit for establishing an IAM program on the EDUCAUSE website.14 This section focuses on the critical elements of an IAM program required to manage threats relevant to the HPH sector.
Sub-Practices for Medium-Sized Organizations

3.M.A Identity

NIST FRAMEWORK REF: PR.AC-1
As defined in NIST Special Publication 800-63-3, "Digital identity is the unique representation of a subject engaged in an online transaction."15 A common principle to follow is "One person, one identity, multiple contexts." In health care, a person can have the context of a patient, payor, or even employee of the health system. For clinical staff, one person can have one identity, but that person's ability to
14. David Sherry et al., "Toolkit for Developing an Identity and Access Management (IAM) Program," EDUCAUSE, last modified May 7, 2013, https://library.educause.edu/resources/2013/5/toolkit-fordeveloping-an-identity-and-access-management-iam-program.
15. Paul A. Grassi, Michael E. Garcia, and James L. Fenton, Digital Identity Guidelines (NIST Special Publication 800-63-3, June 2017, Gaithersburg, MD), https://pages.nist.gov/800-63-3/sp800-63-3.html.
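The "one person, one identity, multiple contexts" principle from 3.M.A, and the provisioning and deprovisioning of 3.M.B, as an added illustration that is not part of the HICP text: a single identity is bound to several contexts (employee, patient), each context carries only its own entitlements, and an access decision is evaluated against the active context rather than the union of everything the person holds. The identifiers, permission names, and the per-context least-privilege rule are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed example: one digital identity for a clinician who is also a
# patient of the same health system, with separate entitlements per context.


@dataclass(frozen=True)
class Context:
    name: str                 # e.g. "employee", "patient", "payor"
    entitlements: frozenset   # permissions valid only while this context is active


@dataclass
class Identity:
    subject_id: str                                  # the one unique identity
    contexts: dict = field(default_factory=dict)     # context name -> Context

    def bind_context(self, ctx: Context) -> None:
        """Provision a context for this person (3.M.B provisioning)."""
        self.contexts[ctx.name] = ctx

    def unbind_context(self, name: str) -> None:
        """Deprovision one context, e.g. when employment ends, without
        deleting the identity or its other contexts (3.M.B deprovisioning)."""
        self.contexts.pop(name, None)

    def can(self, active_context: str, permission: str) -> bool:
        """Authorize against the active context only. Assumption: entitlements
        are never merged across contexts, so a clinician acting as a patient
        gets patient rights, not clinical ones, and unknown contexts are denied."""
        ctx = self.contexts.get(active_context)
        if ctx is None:
            return False
        return permission in ctx.entitlements


def build_clinician_who_is_also_a_patient() -> Identity:
    """Constructed sample identity: employee and patient contexts, no payor."""
    person = Identity(subject_id="subj-0001")  # hypothetical identifier
    person.bind_context(Context("employee", frozenset(
        {"ehr:read_assigned_patients", "ehr:write_notes"})))
    person.bind_context(Context("patient", frozenset(
        {"portal:read_own_record", "portal:message_provider"})))
    return person
```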