State of identity security in healthcare: emphasising cybersecurity amid the digital shift in NZ
Tuesday, 24 October 2023
SECTOR UPDATE - SailPoint
The rise of cybersecurity threats targeting New Zealand’s healthcare sector has only been exacerbated by the sector’s digital shift and the rise of telehealth services. Recent cyberattacks have underscored the industry’s vulnerabilities, prompting a $75 million government initiative to enhance cybersecurity. Despite existing measures, a SailPoint report revealed that 97% of healthcare entities see room for improvement in data access management. There is a pressing need for a comprehensive identity security strategy which incorporates both AI capabilities and a Zero Trust and least-privilege access framework. Transitioning from legacy systems to a Software-as-a-Service approach can offer better security and operational efficiency, ensuring data protection and an enhanced patient care experience.
The healthcare industry in New Zealand stands as one of the most frequently targeted critical infrastructure sectors by state actors and criminal hackers. The ongoing digital shift, driven by technology innovation and the rise of telehealth culture, has only exacerbated cyber threats due to the increased sharing of sensitive data.
Recent events are an important reminder of the tangible risks cyberattacks pose to the healthcare sector. In October 2022, sensitive patient files and high-level data were stolen in a cyberattack on Pinnacle Midlands Health Network – a major primary health provider in New Zealand – with an estimated 450,000 people’s information accessed. The major Waikato DHB ransomware attack in May 2022 was also a wake-up call, as it caused a full outage of its information services across the region, with patient and staff details stolen and later posted online.
What followed was a call to action with the Government-led National Cyber Security Uplift Programme setting out to significantly increase the security level of New Zealand’s health system, committing up to $75 million over three years to improve the healthcare industry’s cybersecurity posture.
The plan revealed a long-term lack of investment in IT systems and software was one of the key issues making the industry most vulnerable to cyberattacks.
In fact, SailPoint’s “The State of Identity Security 2023: A Spotlight on Healthcare” report shows nearly all respondents (97%) agreed their organisation’s ability to manage access to sensitive data needs improvement, despite already having specific measures in place, such as data encryption.
Paired with continuing challenges with chronic staff shortages and the growing number of data privacy and information security regulations impacting the industry, the shift to online health services has required healthcare providers to upscale their digital backend systems and prioritise identity security strategies - with a heightened focus on compliance and cybersecurity requirements. What’s promising is that according to the SailPoint report, the healthcare industry almost universally recognises the importance of identity security, with 95% indicating that identity security is either a relatively important, critical, or number one investment priority for the organisation.
Why an Identity Security strategy is the answer
As employee, non-employee and non-human identities continue to proliferate, it is no longer viable to give users broad access to internal healthcare systems, as human error and insider threats are the cause of most data breaches, and threat actors are increasingly able to obtain sensitive patient data from both IT databases and medical devices.
In New Zealand, according to an Insights Report by the New Zealand Privacy Commission, 54% of large organisations recorded breaches that were from ‘intentional or malicious activity’.
The healthcare sector cannot therefore afford to ignore identity security. In order to keep up with evolving security risks and prevent financial and reputational losses, healthcare organisations must implement a comprehensive identity program.
The healthcare sector is uniquely challenged with securing identities with one-to-many roles, multiple authoritative sources as well as several non-employees such as contractors, affiliate doctors and temporary healthcare professionals like nurses, imaging technologists and therapists.
Having an identity security strategy in place, enforced by a Zero Trust and least-privilege access framework which harnesses Artificial Intelligence (AI), provides healthcare firms with complete visibility over all the direct and related access each user has – including all permissions, entitlements, and roles.
Identity management is key to ensuring a secure, compliant, and efficient infrastructure as it enables organisations to understand and manage who has access to which resources, and how exactly that access is being used to reduce, adjust or remove privileges as needed. By providing all internal and external users the minimum amount of access to resources required to perform their job, healthcare organisations can mitigate the risk of compromised credentials.
From legacy to a SaaS-first approach
Healthcare organisations are typically built on legacy systems which are more vulnerable to cyberattack exposure. Their infrastructure not only poses a risk to their security due to their human and manual centred processes, but also affects their operational efficiency due to inflexibility in integrating with innovative solutions to automate all identity decisions.
Implementing a true native Software-as-a-Service (SaaS) approach with identity security which is interoperable with a mix of on-premise and cloud environments can provide IT teams with continuous and accurate visibility into their entire SaaS environment. This visibility reduces the strain on IT teams by allowing controls to be set up to govern all SaaS access, control software spend, and secure identities to combat cyber threats, whilst delivering enhanced data security, telehealth, and improved patient engagement.
In the recent report by SailPoint, 38% of healthcare firms said that managing access is time-consuming, with a typical healthcare IT professional spending more than a third of their week managing access and permission for identities. An automated identity approach can easily define user roles and create policies for access, giving healthcare workers fast, simple and error-free access to the data and critical resources they require to care for patients. With an AI-driven process to review, refine and evaluate roles, healthcare organisations can improve compliance, meet regulatory requirements, and deliver successful audit outcomes.
With an integrated, intelligent and automated identity security strategy that provides visibility and insights to extend access at the right time by monitoring behaviour patterns and allowing IT managers to spot risky access faster, healthcare firms will not only benefit from enhanced security to protect patient data but also improve operational efficiency to deliver a seamless patient experience.
By Raymond Dickinson, Business Leader, New Zealand, SailPoint
Source: Sailpoint media release
Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.