Overcoming Identity and Access Challenges in Healthcare
Erik Decker, CISO of Intermountain Health, on the Importance of IAM Fundamentals
Before healthcare entities can promise advanced identity and access management technologies and practices, their IAM programs need to address important fundamentals, which many entities still struggle with due to the complexity of healthcare itself, says Erik Decker, CISO of Intermountain Health.
"At a traditional organization, you might have an employer record, an HR system that accounts for all the employee data. You might have contractors and contingent labor processes inside that same system. And that's it. There's no extra complexity," he says. "Generally speaking, things flow through that system and then into your identity systems to serve as a 'source of truth.'"
But healthcare is more fragmented, complicated and transient, Decker says in a video interview with Information Security Media Group.
"What we do in healthcare is … we have multiple 'sources of truth.' You might be an academic medical center that works with the university. How you work within the organization might be in a student context versus in an employee context. … You might be a contractor [or an] affiliated physician," adding to the complexity, he says.
"You need a really solid process that accounts for an entry point into your system, so you need to figure that out," says Decker, who is also co-chair of a cybersecurity task group that advises the U.S. Department of Health and Human Services.
In the video interview, Decker also discusses:
- Identity and access issues in healthcare related to cloud services and hybrid environments;
- Risk-based authentication, zero trust and other more advanced approaches for improving IAM programs;
- Overcoming IAM challenges in healthcare.
Decker is the CISO for Intermountain Health, a multistate integrated delivery network based in Salt Lake City, Utah. He is currently co-leader of an HHS task group of more than 250 industry and government experts across the country for implementing the Cybersecurity Act of 2015, 405D legislation within the healthcare sector. Decker was previously CISO and chief privacy officer at the University of Chicago Medicine.