The Health Information Sharing and Analysis Center (H-ISAC) issued a framework for CISOs to handle identity and protect their company against identity-centric cyberattacks. This second white paper published by H-ISAC covers the identity-centric solution to security. The first white paper talks about why an identity-centric strategy to cybersecurity is needed today, with the new white paper explaining how to implement that approach.
By implementing the framework, CISOs can manage the entire identity lifecycle of patients, practitioners, employees, and business partners in a way that guards against identity cyberattacks, reduces risk and improves operational efficiencies.
The framework was created for CISOs at healthcare companies of varying sizes. Consequently, it does not provide a one-size-fits-all model. Instead, parts of the framework may be used in a different way according to various conditions and use cases. CISOs have to evaluate the resources available and their special risks and make a decision on how best to utilize the framework.
The framework highlights the diverse elements that are needed in a modern identity-based approach to cybersecurity and shows how those elements incorporate and inter-relate to protect the enterprise.
The framework’s central idea is simple. How to enable users to access resources with security against cyberattacks. The primary focus of the framework is identity governance and administration system, which works as the central nervous system that connects in all the other elements and makes certain they work easily together.
The identity governance and administration system enable organizations to put in place set regulations and processes associated to the development, removal, and update of accounts, take care of policies and processes of all areas of their identity and access management (IAM) system, handle privilege escalation requests, perform audits for compliance purposes, and remediate any improper use of the IAM system.
The framework makes use of identity directories as an authoritative identity store for a firm, which explains roles, accounts, attributes, and the privileges connected with various roles and accounts. The white paper points out three guiding concepts for authorization:
- Granting privileges – Privileges should be securely controlled and assigned according to roles, rights, and duties
- Managing privileges – Processes need to be specified to manage privileges and update them with changing conditions
- Reviewing privileges – Reviews must also be performed to make sure that users were assigned rights that are applicable for their role and accountabilities.
A couple of years ago, access to resources only requires a password, but threat actors today are skilled at stealing passwords and consequently, the security utility of passwords has declined. H-ISAC hence recommends using multi-factor authentication. The framework improves upon MFA and endorses
- Device authentication, which ensures only trusted devices get access to resources
- Human authentication, which makes sure that the authorized person is using that device
- Privileged access management, which is used for session tracking and to employ more levels of authentication to avert credential compromise and restrict privilege escalation
- Analytics, which is used to determine anomalies that can suggest attempts by unauthorized persons to get access resources, for instance using a device to access resources from California and then from New York five minutes later
The framework additionally specifies four use cases:
- Managing users and modifying privileges once an employee switches role
- On-boarding new employees
- Credentialing new patients
- Credentialing a third-party business partner for minimal systems access