Data is the lifeblood of every company, regardless of industry, sector or vertical. It is information about your customers, your employees and virtually everything that keeps your business running. So why are so many companies so loose with it? It comes down to management and communication between HR and IT departments, implementing the right technology, and using it properly. More importantly, it’s a change in the way companies do business.
In my experience, I find that most companies are very good at onboarding new employees, providing proper access to the information and systems that they require to do their jobs. But where many companies falter is later on: when employees change roles or departments, or leave the company altogether. This becomes even more complicated when a company’s environment contains a complex mix of full-time, part-time and contract employees.
Why? Because many companies look at Identity and Access Management as a tactical effort rather than a strategic approach, which can result in a lack of automation and governance. They consider technology to be the silver bullet, without considering the business change that needs to surround the tools they’re implementing. This includes discussing and pinpointing which parts of systems are sensitive, identifying the policies that need to be implemented, and really understanding how data protection works. And with the proliferation of cloud-based applications and a diverse and disparate assortment of mobile devices in use within any one organization, it’s more important than ever to consider an Identity and Access Management strategy based on people, processes and technology.
But before we dig too far into the solutions, let’s take a look at what’s at risk.
Diagnosing Identity and Access Management Gaps in Healthcare
The healthcare industry is one of the most complex when it comes to protecting data. It’s no longer as simple as locking a patient’s chart in a filing cabinet and monitoring who has the keys. With an intricate web of physicians who work for a hospital, doctors who are contracted for their services, nurses and nurse practitioners, students, affiliated healthcare providers, researchers, administrators, accounts receivable staff, and many other types of employees, there are countless opportunities for information to fall into the wrong hands, especially since roles and permissions change frequently and quickly.
In my career, I’ve seen dozens of examples of breaches in healthcare environments that could have been avoided if an Identity and Access Management strategy had been in place. For example, I’ve seen cases of doctors who are hospital employees one day becoming contracted physicians the next, and needing to cancel surgeries because they’re not able to access their patients’ charts. I’ve also seen nurses who transfer from one ward to another, yet continue to have unfettered access to their previous ward’s charts even though they’re no longer applicable to their jobs. I’ve witnessed cases of hospital employees who unwittingly taint research by opening the wrong files, costing an institution years of work and potentially millions in research grants. And I’ve seen hospitals facing fines for failing to meet HIPAA compliance standards by not offboarding contractors quickly enough. When you consider that each file that had the potential to be inappropriately accessed is assigned a fine whether it was breached or not, hospitals can quickly find themselves facing seven-figure fines and the potential for litigation.
With so much valuable and sensitive information stored within each healthcare provider, there’s a lot to lose when the gates to their data are left unlocked. In 2015 alone it is estimated that over 112 million healthcare records were involved in data breaches in the U.S. More than a third of those breaches (38%) were attributed to unauthorized access/disclosure.
The risks other verticals face
Similar concerns can be cited for other verticals, including financial services. Most, if not all, North Americans deal with at least one financial institution, and these organizations hold some of our most vital personal data, not to mention our assets. Our social security numbers, credit card information, loan details and credit ratings, among other pieces of critical data, are entrusted to these companies, and while this industry, like healthcare, is heavily regulated, gaps still occur; identities are stolen, brands are damaged and trust is broken.
Retailers face different kinds of risks when protocols are breached. With high turnover and multiple users per device, there’s a real concern about the wrong information surfacing on a store kiosk at the wrong time, which can be tantamount to leaving a stack of employee pay slips sitting on an unattended table. Other industries, like professional services (which includes legal professionals and consultants), often have staff who work remotely and send critical documents over email, via thumb drives and on customer sites, leaving plenty of opportunity for issues around access.
Closing the gaps
So, what’s the fix? It’s not as simple as locking people out — it’s ensuring that you’re letting the right people in. With so many breaches occurring because of internal mismanagement, a solid strategy around Identity and Access Management isn’t a nice-to-have; it’s a must-have. In fact, a recent report by Accenture, The State of Cybersecurity and Digital Trust 2016, found that two-thirds of those surveyed experienced data theft or corruption from within their organizations in this past year. Businesses need to know who’s accessing their data, when, and why.
Perhaps the easiest part of closing the gap is on the technology side. Products like Microsoft Identity Manager (MIM 2016) can synchronize identities between directories, databases and applications, which means that employees’ identities are managed wherever they might be working from. It also provides increased admin security with policies, privileged access management and roles. This, combined with Microsoft’s Azure Active Directory (AAD) technology, provides additional cloud-based self-service capabilities, secure remote access, single sign-on, and multi-factor authentication.
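The mover and leaver failures described in the healthcare section (the nurse who keeps her old ward’s charts, the contractor whose access outlives his contract) are exactly what an identity management product reconciles against an authoritative HR feed. The following is an added illustration, not code from the original post and not MIM’s or Azure AD’s own logic: a hypothetical role-to-entitlement map, an HR feed that is the source of truth for each person’s current role and end date, and a snapshot of what accounts actually hold. The reconciliation returns what to grant, what to revoke, and which accounts to disable. All user names, roles and entitlement names are constructed sample data.

```python
"""Joiner/mover/leaver reconciliation against an HR source of truth.
Added example; every name, role and entitlement below is constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical role model: the entitlements each job role is allowed to hold.
# Anything an account holds beyond its role's set is treated as stale access.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "nurse:ward-3": {"ehr:ward-3:charts", "email", "intranet"},
    "nurse:ward-7": {"ehr:ward-7:charts", "email", "intranet"},
    "physician:employee": {"ehr:all-charts", "email", "intranet", "scheduling"},
    "physician:contract": {"ehr:assigned-charts", "scheduling"},
    "researcher": {"research-share", "email", "intranet"},
}


@dataclass
class HrRecord:
    user: str
    role: str
    end_date: Optional[date] = None  # set for contractors and departed staff


@dataclass
class Decision:
    grant: Dict[str, Set[str]] = field(default_factory=dict)
    revoke: Dict[str, Set[str]] = field(default_factory=dict)
    disable: Set[str] = field(default_factory=set)


def reconcile(hr: List[HrRecord], current: Dict[str, Set[str]], today: date) -> Decision:
    """Compare what HR says each person should have with what the identity
    store says they hold. Leavers and expired contracts are disabled and fully
    revoked; everyone else is brought to exactly their role's entitlements."""
    d = Decision()
    hr_by_user = {r.user: r for r in hr}

    # Leavers: no HR record at all, or an end date in the past.
    for user, held in current.items():
        rec = hr_by_user.get(user)
        if rec is None or (rec.end_date is not None and rec.end_date < today):
            d.disable.add(user)
            if held:
                d.revoke[user] = set(held)

    # Joiners and movers: diff held access against the current role.
    for rec in hr:
        if rec.user in d.disable:
            continue
        wanted = ROLE_ENTITLEMENTS.get(rec.role, set())  # unknown role -> nothing
        held = current.get(rec.user, set())
        extra = held - wanted      # access left over from a previous role
        missing = wanted - held    # access the new role needs but lacks
        if extra:
            d.revoke[rec.user] = extra
        if missing:
            d.grant[rec.user] = missing
    return d


def run_sample(today: date = date(2016, 8, 1)) -> Decision:
    """Constructed HR feed and identity-store snapshot mirroring the post's cases."""
    hr = [
        HrRecord("nurse.a", "nurse:ward-7"),                        # moved from ward 3
        HrRecord("dr.b", "physician:contract", date(2017, 6, 30)),  # employee turned contractor
        HrRecord("dr.c", "physician:contract", date(2016, 6, 30)),  # contract ended, never offboarded
        HrRecord("new.d", "researcher"),                            # joined today, no account yet
    ]
    current = {
        "nurse.a": {"ehr:ward-3:charts", "email", "intranet"},
        "dr.b": {"ehr:all-charts", "email", "intranet", "scheduling"},
        "dr.c": {"ehr:assigned-charts", "scheduling"},
        "orphan.e": {"email"},                                      # no HR record at all
    }
    return reconcile(hr, current, today)


if __name__ == "__main__":
    result = run_sample()
    print("disable:", sorted(result.disable))
    for user, ents in sorted(result.revoke.items()):
        print("revoke ", user, sorted(ents))
    for user, ents in sorted(result.grant.items()):
        print("grant  ", user, sorted(ents))
```

The design point is that the HR feed, not the ticket queue, drives the decision: the nurse loses ward 3 the moment her record says ward 7, the employee-turned-contractor keeps only the contractor entitlements, and an account with no HR record or an expired end date is disabled outright. Running this on a schedule is the automation and governance the post says tactical deployments lack.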
Additionally, Rights Management and Data Loss Prevention (DLP) allow documents and emails to be scanned for specific phrases, content or string patterns and automatically protected or quarantined. They can also allow users to protect documents on their own. For example, a manager may want to put an expiration date on an email or limit someone’s ability to forward or print it. This can all be done with Messaging Transport Rules, Rights Management and DLP solutions using Microsoft Office 365 and Azure Information Protection Services.
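To make the scan-then-act behaviour concrete, here is an added example of a minimal content scanner of the kind just described. It is not Microsoft’s DLP engine and not code from the original post: it looks for string patterns (US social security numbers, payment card numbers that pass the Luhn check) and a few sensitive phrases in a message, then maps the hits to one of three actions: allow, protect (apply rights management) or quarantine. The phrases, the thresholds and the sample messages are all constructed for illustration; the card numbers are standard test numbers, not real accounts.

```python
"""Pattern-based DLP classification of outbound messages.
Added example; phrases, thresholds and messages below are constructed."""
import re
from typing import Dict, List

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single space/dash separators; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical phrase list a hospital or bank might maintain.
SENSITIVE_PHRASES = ("patient chart", "credit rating", "social security")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan(text: str) -> Dict[str, List[str]]:
    """Return the identifiers and phrases found in a message body."""
    hits: Dict[str, List[str]] = {"ssn": [], "card": [], "phrase": []}
    hits["ssn"] = SSN_RE.findall(text)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits["card"].append(digits)
    lowered = text.lower()
    hits["phrase"] = [p for p in SENSITIVE_PHRASES if p in lowered]
    return hits


def decide(hits: Dict[str, List[str]]) -> str:
    """Map scan results to a transport-rule style action (constructed policy)."""
    identifiers = len(hits["ssn"]) + len(hits["card"])
    if identifiers >= 2:
        return "quarantine"   # bulk identifiers: hold for review
    if identifiers == 1 or hits["phrase"]:
        return "protect"      # encrypt / block forwarding and printing
    return "allow"


# Constructed sample messages covering each branch of the policy.
SAMPLE_MESSAGES = {
    "bulk-export": ("Attached are the Q2 balances. Jane Doe SSN 123-45-6789, "
                    "card 4111 1111 1111 1111; John Roe SSN 456-78-9012."),
    "single-card": "Please refund order 7782 to card 5500 0000 0000 0004, thanks.",
    "ward-note": "Reminder: the patient chart for bed 12 moved to ward 7.",
    "lunch": "Lunch at 12:30? Extension 4567.",
    "bad-luhn": "Test number 4111 1111 1111 1112 should not be flagged.",
}


def run_samples() -> Dict[str, str]:
    """Classify every sample message; returns name -> action."""
    return {name: decide(scan(text)) for name, text in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:12s} -> {action}")
```

Two details matter in practice. The Luhn check is what keeps a 16-digit ticket or serial number from triggering a false quarantine, and the phrase list is what catches the ward-chart reminder that contains no identifier at all; a rule that relied on only one of the two would miss one of those cases.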
But what I’ve seen as the bigger challenge for most companies is from a business operations perspective. Employees used to typing in the same password at work that they use for their banking and their Netflix account may find the shift to two-factor authentication (adding a second factor such as biometrics or a PIN) something to get used to. Considering that most of the high-profile data breaches in recent memory weren’t the result of high-level hacks, but rather persistence in figuring out passwords, two-factor authentication in a corporate environment is critical. This is where that communication between IT and HR really needs to flow. Training has to occur from the moment an employee enters an organization, combined with an understanding of the guardrails put in place. For current employees, education needs to happen, including an explanation of what’s at risk and support for when they need it.
While the process can have its challenges — as many change management endeavours often do — the benefits of reining in your company’s Identity and Access Management issues will emerge quickly. By reducing the risk of exposing sensitive information to the wrong people, of falling out of compliance, and of damaging your brand, your data will do what it’s intended to do: keep your business running, your customers satisfied, and your employees working as they should for the entire lifecycle of their careers within your organization.
This is the first in a series of blogs I’ll be posting about Identity and Access Management. Next time I’ll focus on the logical view of Identity and Access Management and how to best approach the security of sensitive data. After that I’ll cover Identity and Access Management and how Microsoft technologies can help; reasons to invest in Identity and Access Management; and how to get started. If you’d like to learn more about the MIM hybrid experience, please join our webinar on August 10th from 10:00 – 11:00 ET for more great insights from the experts at New Signature.