Dr Vikram Venkateswaran, Partner, Deloitte India highlights that while a lot of the attacks have been attributed to the growing adoption of digital technologies such as cloud, telemedicine, and AI in the industry, there has been a significant rise in data loss due to inadvertent actions by employees of healthcare organisations
The Life Sciences and Healthcare (LSHC) industry in India has witnessed a notable increase in cyber security attacks since the onset of the pandemic. While a lot of the attacks have been attributed to the growing adoption of digital technologies such as cloud, telemedicine, and AI in the industry, there has been a significant rise in data loss due to inadvertent actions by employees of healthcare organisations.
In 2020, human error accounted for 30 per cent of the data losses in the healthcare industry. This percentage is bound to increase as more professionals join the healthcare workforce in India and around the world.
Experts suggest that the most effective way to counter this trend is to adopt concepts such as Zero Trust. According to the 2022 Deloitte-DSCI report[1] titled ‘Indian pharma takes the digital leap: What does it mean for cybersecurity?’, almost 70 per cent of the respondents emphasised zero trust as a key defense against data breaches.
Zero Trust is built on the robust principles of digital identity. It challenges traditional cybersecurity principles by questioning the assumption of trust for all individuals with internal access in an organisation, where many individuals in Life Sciences and Healthcare organisations have access to sensitive data. The key question is whether they truly need this access. Zero Trust operates on the principle that trust is never assumed, and verification is required even for those inside the organisation.
Certain accesses, known as birthright access, are provided to all employees, such as access to email or the HR portal for leave requests. However, it’s important to note that granting admin rights to employees or giving them access to sensitive data when they do not require it to perform their roles exposes them to social engineering attacks. One of the biggest security risks in the cyber landscape involves the potential misuse of privileged accounts2. Recently, several incidents have come to light where nurses with admin rights in the hospital clicked on engineered emails, providing attackers with easy access to sensitive data.
There is a need to adopt an agile and dynamic security foundation that is resilient to organisational change and flexible enough to address the challenges faced by the modern Life Sciences and Healthcare Industry. A zero-trust security model helps establish this security foundation, reducing cyber and data risks, and managing digital identities (both human and non-human).
A robust ‘Digital Identity’ solution safeguards sensitive clinical and personal health records, along with business-critical infrastructure, from unauthorised access. It also shields the organisation against security threats to improve operational efficiency, reduce costs, minimise help desk calls, and automate lifecycle management processes for both the workforce and devices in healthcare organisations.
A robust digital identity program comprises three key components:
- Identity governance and administration: Involves activities such as patient registration, employee onboarding, and conducting periodic access reviews and certifications.
- Access management: Focuses on providing and verifying access to data and applications based on roles within the organisation.
- Privileged access management: Allows managing and tracking of elevated access and usage to sensitive data and applications, such as patient records and clinical information systems.
While the mentioned areas are pivotal, emerging technologies such as automation and AI play a big role in digital identity. Automation helps in managing access for various professionals within the organisation, with a notable example being the automated removal of access on the last working day of the professional. This is particularly critical for certain areas with historically high attrition rates, such as nurses and research personnel. AI plays a crucial role in identifying patterns as part of access management to proactively identify potential threats.
In conclusion, a robust digital identity program is the key to strengthening the cyber security posture for LSHC organisations. While perimeter defenses are crucial in thwarting external threats, a robust digital identity program serves as an internal safeguard, preventing inadvertent breaches from within.
References:
2 https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-privileged-access-management.pdf