The Health Information Sharing and Analysis Center (H-ISAC) released a framework for CISOs to manage identity and secure their firm against identity-focused cyberattacks. This new white paper released by H-ISAC comprises the identity-focused plan to security. The former white paper details why an identity-focused solution to cybersecurity is necessary at this time, with the most recent white paper outlining how to execute that strategy.
By using the framework, CISOs could handle the complete identity lifecycle of practitioners, patients, business partners, and employees in a manner that protects against identity cyberattacks, brings down risk and boosts operational efficiencies.
The framework was designed for CISOs at healthcare providers of every size. As a result, it doesn’t give a one-size-fits-all solution. Rather, elements of the framework could be employed in another way depending on varied settings and use cases. CISOs must examine the resources on hand and their distinct risks and choose how best to implement the framework.
The framework features the various factors that are necessary for a contemporary identity-focused strategy to cybersecurity and shows how those parts combine and inter-relate to secure the organization.
The framework’s central principle is straightforward. How to let users gain access to resources with protection against cyberattacks. The main emphasis of the framework is the identity governance and administration program, which functions as the central nervous system that links in all the other parts and makes sure they work perfectly together.
The identity governance and administration system permit institutions to set up set guidelines and processes connected to the formation, deletion, and update of accounts, handle policies and processes of all facets of their identity and access management (IAM) system, take care of privilege escalation requests, do audits for compliance reasons, and remediate any wrong use of the IAM system.
The framework employs identity directories as an authoritative identity database for a company, which clarifies functions, accounts, attributes, and the privileges linked with varied roles and accounts. The white paper specifies three guiding rules for authorization:
Granting privileges – Privileges have to be firmly controlled and designated depending on roles, rights, and accountabilities
Managing privileges – Processes should be determined to manage privileges and update them with switching situations
Reviewing privileges – Reviews need to likewise be carried out to make certain that users were given rights that are best suited to their roles and duties.
Several years ago, gaining access to resources only calls for a password, however, threat actors now are pretty good at the theft of passwords and therefore the safety utility of passwords has waned. H-ISAC subsequently highly suggests the use of multi-factor authentication. The framework enhances MFA and endorses
Device authentication, which makes certain only authorized devices have access to resources
Human authentication, which makes certain that the right individual is utilizing that device
Privileged access management, which is employed for session checking and to use extra tiers of authentication to stop credential compromise and control privilege escalation
Analytics, which is employed to identify issues that might reveal attempts by unauthorized people to gain access to resources, for example utilizing a device to gain access to resources from Florida and then from New Jersey five minutes later
The framework furthermore describes four use scenarios:
- Credentialing new patients
- Credentialing a third-party business partner for restricted systems access
- Managing users and altering privileges if an employee changes his/her role
- On-boarding new employees