Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Why is Identity Governance Important in Healthcare? Harry Zolides, WW Sales Leader - Identity Governance and Intelligence; Christopher Dawson, Senior CTP – Identity Governance and Intelligence. December 5, 2016

Upload: ibm-security

Post on 16-Apr-2017

TRANSCRIPT

Page 1: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Why is Identity Governance Important in Healthcare?

Harry Zolides, WW Sales Leader - Identity Governance and Intelligence

Christopher Dawson, Senior CTP – Identity Governance and Intelligence

December 5, 2016

Page 2: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

2 IBM Security

Agenda

• Identities in Health Care

• What’s at stake?

• Mitigating the Risk with Governance

• Governance Case Study

• IBM’s Methodology

• IBM Solution (Demo)

• Q&A

Page 3: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Identities in Healthcare

Employees are not only Health Care Providers

Patients are not only customers

Page 4: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Health Care Providers are not only Employees

• Employees
  – Doctors, Nurses, and Staff

• Visiting Providers
  – Doctors with privileges
  – Traveling Nurses

• Admitting Providers
  – Doctors
  – Nursing Homes

• Medical Students
  – Doctors
  – Nurses

Static Access

Dynamic Access

On Demand Access

Recurring Access

Page 5: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Patients are not Customers

• Patients

• Patients (Minor)
  – Custodial Parents
  – Non Custodial Parents

• Patients (Surrogate Decision Makers)
  – Children
  – Spouse

• Tele-patients

Static Access

Dynamic Access

Temporal Access

Federated Access

Page 6: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

What is at stake?

Page 7: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

• Personally identifiable information (PII), or Sensitive Personal Information (SPI)

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Payment Card Industry Data Security Standard (PCI DSS)

• National Drug Control Policy (NDCP)

Page 8: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

The Risk

• Fines

• Judgments

• Loss of Customers

• Loss of Trust

• Loss of Accreditation

• Loss of Revenue

Page 9: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Mitigating the Risk with Identity Governance

Page 10: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Identity Governance

• Understand the Access a given Identity (User) has

• Evaluate if the Access is appropriate and required

• Recertify Access on a regular basis

• Identify Toxic Combinations

• Enforce Segregation of Duties

• Revoke Access as soon as possible

Granting Access is always easy, as everyone works together!

Removing Access is hard!

Automation

Page 11: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Case Studies

Page 12: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Children's Hospital Patient Portal

• Large Children's Hospital with multiple locations

• Patient Self Registration Portal for:
  – Appointment Scheduling
  – Test Result Lookup
  – Continued Care Support
  – Remote Care Capabilities
  – Palliative Care

• Medical Records Software Used:
  – MyChart From EPIC

Governance Opportunity:

EPIC does not address the changing relationship between a patient and parent (guardian).

Access to patient records changes over time with the child's age:

- 13 Years (Child can create own account)
- 16 Years (Child can control parts of their medical treatment)
- 18 Years (Parents require approval for access)
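The age rule from this case study, as an added example (not part of the presentation, and not IBM or EPIC code): a recertification pass that re-evaluates a parent's access at the 13, 16 and 18 year thresholds and reports when each grant must next be reviewed. The flag names, the `ProxyGrant` record and the `suspend_until_approved` action are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

THRESHOLDS = (13, 16, 18)  # ages named on the slide

def birthday(dob, years):
    """Date the patient turns `years`; 29 Feb births roll to 1 Mar."""
    try:
        return dob.replace(year=dob.year + years)
    except ValueError:
        return date(dob.year + years, 3, 1)

def age_on(dob, today):
    years = today.year - dob.year
    return years if today >= birthday(dob, years) else years - 1

def policy(dob, today):
    """The slide's three rules as flags (flag names are assumptions)."""
    age = age_on(dob, today)
    return {"child_may_create_account": age >= 13,
            "child_controls_parts_of_treatment": age >= 16,
            "parent_access_requires_approval": age >= 18}

def next_transition(dob, today):
    """Next threshold birthday after `today`, or None once the patient is 18."""
    return next((birthday(dob, a) for a in THRESHOLDS if birthday(dob, a) > today), None)

@dataclass
class ProxyGrant:  # hypothetical record of a parent's access to a child's chart
    parent: str
    patient: str
    patient_dob: date
    patient_approved: bool = False

def review(grants, today):
    """One recertification pass: (parent, patient, action, next review date)."""
    rows = []
    for g in grants:
        gated = policy(g.patient_dob, today)["parent_access_requires_approval"]
        action = "suspend_until_approved" if gated and not g.patient_approved else "keep"
        rows.append((g.parent, g.patient, action, next_transition(g.patient_dob, today)))
    return rows

# Constructed sample data, not from the presentation.
GRANTS = [ProxyGrant("parent-a", "patient-1", date(2004, 2, 29)),
          ProxyGrant("parent-b", "patient-2", date(1998, 12, 5)),
          ProxyGrant("parent-c", "patient-3", date(1998, 1, 10), patient_approved=True)]

if __name__ == "__main__":
    print(*review(GRANTS, date(2016, 12, 5)), sep="\n")
```

Scheduling the next review on the returned transition date, rather than waiting for a periodic campaign, closes the window in which a parent keeps access past the patient's 18th birthday.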

Page 13: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

IGI - Lifecycle

[Diagram labels: Self Care; Patients; Parents; Administrator; Medical Access; Identity Management; Account and Access Management; Automatic Governance; Manual Administration]

Page 14: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Teaching and Research Hospital

• Teaching Hospital with large biomedical research department

• Medical Student Access Governance:
  – Medical Student Access control during semester start/end
  – Medical Students are assigned to various research projects
  – Research projects are governed in a decentralized way, but access is centrally managed
  – Medical Students switch between projects on a regular basis

• Medical Records Software Used:
  – EPIC Personnel Management

Governance Opportunity:

Research Project Administrators do not have access to the EPIC Administration portal, but need to govern student access.

Governance via a Business Friendly view, not IT based.

Page 15: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

IGI - Governance

[Diagram labels: Research; Medical Student; Project Administrator; Access Controls; Account and Access Management; Account and Access Governance; Access Recertification; Segregation of Duties; Toxic Combinations; Access Validation]

Page 16: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

IBM Security Identity Governance & Intelligence for HealthCare Providers… and specifically - for EPIC Clients.

Page 17: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

Demo

Page 18: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

IBM is a Leader in the 2016 Gartner Magic Quadrant for Identity Governance and Administration

Source: Gartner (February 2016)

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from 2016 Gartner IGA Magic Quadrant

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA)

"An increased focus on threat protection, including insider threats, is driving integration of IGA products with overall threat detection and analysis tools, specifically with SIEM and user and entity behavioral analytics (UEBA) products. IGA can provide identity context to SIEM and UEBA tools, and, in the opposite direction, UEBA can provide risk scores and activity data to IGA"

Gartner, Inc. “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Perry Carpenter, February 2016 Report #G00274258

Page 19: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

For more information . . . download this whitepaper

http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=WGW03220USEN

Keith Sams +1-512-426-8109 (Mobile)

Page 20: Safeguard Healthcare Identities and Data with Identity Governance and Intelligence

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU