Cloud Identity management for e-Healthcare

Cloud Identity and Security Best Practices

Cloud Identity and Security Best Practices

Right now the Canadian government is working on creating a strategy for cloud adoption within various government agencies.

There are a lot of great benefits to centralizing and updating public services, but the minute you move to a distributed type of environment, there are suddenly many more security factors that must be taken into account.

Several government agencies around the world have already started the move to transitioning to new models that allow for greater access to information, better portals for the public to access information all while bringing better internal IT structure with more flexible infrastructure, streamlined applications and cost savings. But several factors that are affected with this type of restructuring is how outlying services are affected and must be kept in mind with the shift in any strategy. Let me explain.

As part of the move towards more centralized services, a lot of the responsibility of security is being pushed to the individual agencies, particularly in the healthcare industry. While governments are building new portals to make it easy for single access to a wide variety of services, it is the end users, (doctors offices, hospitals, health agencies) that are tasked with securing the access to these repositories. The key problem with this is that it is (in my opinion) the wrong group to leave the responsibility for security to.

Think about the end users, what is their main focus? Usually it is tied to serving customers, either as a healthcare practitioner, records administrator, etc. There is a good chance that these folks (with the exception of the IT staff in larger agencies such as hospitals) didn’t go to school to study IT or even more importantly, security. Yet they are a often tasked with helping maintain a security posture for a large network and rarely receive any training. Think about the security risks that this brings.

Think about this for a second. When you visit your healthcare practitioner, often you wait in an examination room where their computer is sitting unattended. Imagine just the risks associated with this. Firstly, there is a good chance that the doctor remains logged in at all times, so you have access to any systems attached to his computer (including portals, local information, etc). Imagine the types of patient information immediately accessible just through that.

Secondly, attached to the computer is often a prescription printer (which was part of the updating of patient prescription processing), which means that theoretically you can print out all kinds of prescriptions. It doesn’t sound like a big deal, but think of the high number of deaths associated with negative drug interactions that occur every year. What about in the US where you can obtain marijuana with a prescription. This just invites all kinds of organized crime into the equation.

I could go on quite a bit about other risks, but a lot of them can really be tied to identity management. Without the proper controls in place, it is almost impossible to track at every level who is accessing the systems, and ensuring that accessibility is kept up to date (such as currently employed vs no longer employed, etc). Leaving the responsibility at the healthcare practitioner level is not the answer to this, better system integration and unified access management (and user identity) is going to be the cornerstone to fully secure and accessible systems.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: