2. Identity, Security and Healthcare
Agenda –
How do identity and the changing practice of identity management address the major challenges facing the healthcare industry today?
• What are the challenges and risks?
• How is complexity having an effect?
• How does the concept of identity solve these problems?
• Where are we headed?
© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.
#HOAHITSEC14
3. Big Challenges Facing Healthcare
• Demand for healthcare is changing
• Financial model is changing
• Role of the patient is changing
• Healthcare itself is changing
• Competitive landscape is changing
• Role of government is also changing
Source: Business Drivers of Technology Decisions for Healthcare Providers – Gartner December 2013
4. In other words… a lot is changing, fast
5. Change Increases Risk
These changes increase complexity as well as expectations among users of systems and patients.
This “consumerization of expectation” is a significant driver of risk for organizations handling sensitive data, such as patient and employee records.
6. Healthcare Breaches Overall
Source: A Look Back: U.S. Healthcare Data Breach Trends - Health Information Trust Alliance (HITRUST)
8. Causes Of Breaches
Source: Third Annual Benchmark Study on Patient Privacy & Data Security – Ponemon Research
9. Type of Breach
Source: A Look Back: U.S. Healthcare Data Breach Trends - Health Information Trust Alliance (HITRUST)
11. Market Trends Driving Change
Cloud
Mobility
Information
Social
ENTERPRISE
12. Mobility On The Move
Source: Third Annual Benchmark Study on Patient Privacy & Data Security – Ponemon Research
13. Yet Much Remains Unsecured
Source: Third Annual Benchmark Study on Patient Privacy & Data Security – Ponemon Research
14. Consumer Cloud Poses A Risk
16. More, More, More
• More:
– Devices
– Users and participants
– Collaboration and sharing
– Mobility
– Information
– Risk and penalties
• Less:
– Visibility
– Control
– Ability to say “no”
17. Complexity
All of the above is driving an
explosion in complexity
19. Identity Is The Key
• Identity management is the key to safely unlocking the power of emergent trends such as:
– Mobility
– Cloud
– Information use
– Social Media
• Good identity management improves outcomes and reduces risk
• And it’s cheaper…
21. What Is Identity Management?
• Rapidly changing discipline that helps us define:
– Who people are
– What resources they should have access to
– What privileges they should have
– What that access should be
• In order to:
– Improve productivity
– Reduce risk
22. The Bottom Line
Identity Management ensures
that the right people have access
to the right resources and
services at the right time, in the
way they need it
23. Changing Role Of Identity
• Gone from highly IT-centric to very business-centric
• No longer owned by the IT organization
• Increasingly reflects the more consumerized technology landscape and expectations of users
24. Identity Ties Together
• Relationships of people, process and information
• Regardless of technology
• In a way that is secure and manageable
25. Concrete Challenges
• How do I get people access quickly?
• How do I monitor what they are doing?
• How do I reduce the risk from privileged users?
• How do I know when I have been breached?
• How do I report on who has access to what?
26. The Blind Spot
Employee Lifecycle
Source: http://www.gophoto.us/key/human%20life%20stages
28. Who Is The Risk?
31. How Do We Solve These Issues?
• Identity Context
• Adaptive Access
• Integrated Governance
• Identity-Powered Security
32. Integrated Identity and Access Lifecycle
Powers the entire user lifecycle
34. Employees Need Access…
• Self-service access request to healthcare applications
• Web, cloud and enterprise single sign-on
• Self-service password reset
35. Managers Need to Manage…
• A complete view of her people and
resources
• Ability to review and approve
requests on-the-go
• Better information to make access
certification decisions, faster
36. And Auditors Need Visibility
• An Identity and Access Governance Platform
• Record and review policies and policy violations
• Analyze risk from unnecessary access rights
• Limit and monitor the activities of privileged users to reduce
insider risk
37. Integrated Identity Management
These capabilities derive from
integrated, intelligent identity and
access management that extends up
to the cloud, incorporates mobile
computing, and reflects the
priorities and speed of business of
healthcare professionals
38. But Wait…
39. Internet of EVERYTHING
25 billion and 1 trillion items by end of decade
40. And EVERYTHING is going to want an Identity (which is a lot)
41. Identity Powered Healthcare
• Identity management will define your interactions with clinicians, partners, associates and patients
• More devices, more data and more relationships than ever
• More opportunities to personalize and respond than ever
BUT – the demand for everything to have an identity will tax traditional thinking and approaches
43. Recommendations
• Evaluate how your organization uses identity
• Plan to integrate identity and access management into the cloud and from mobile devices
• Extend identity intelligence into your security management plans
• Plan to manage the impact of social identity
44. Worldwide Headquarters
1233 West Loop South
Suite 810
Houston, TX 77027 USA
+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
info@netiq.com
NetIQ.com
www.netiq.com/communities
Editor's Notes
Well, the good ones look like everything else!
Not easy to spot: The intent speaks to the "A" in advanced -- the attackers aren't going to announce their intent.
Hack employees – map using LinkedIn and Facebook
You’ll need monitoring, logging, etc.
Transition into phishing
As I discussed, the trophy is getting in…When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization. You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.
You can almost map the employees in an organization simply by using published information on LinkedIn. Facebook is another good place to find out where you work and when you are on vacation.