An Article from ACA’s Pulse Newsletter by Lori Bowes

In a recent Becker’s Hospital Review webinar, sponsored by Imprivata, Wes Wright, chief technology officer at Imprivata, hosted a discussion on digital identities and cybersecurity with Cara Babachicos, senior vice president and chief information officer at South Shore Health, and Arthur Harvey, senior vice president, and chief information officer at Boston Medical Center.

Imprivata is a digital identity company for “health care and beyond,” with solutions focused on clinician productivity, patient experience, cybersecurity, and compliance. Imprivata currently has 3,000 global health care customers and 8 million care providers across 45 countries.

South Shore Health (SSH) and Boston Medical Center (BMC) are large-scale health systems located south of Boston. SSH focuses on mobile integrated health and provides a number of urgent care centers, while BMC is one of the largest safety-net hospitals and Level I trauma centers in New England.

Given the vast network of physicians, patients, and employees across both health systems, the need for a fully merged, congruent digital identity is a must. Prior to becoming the chief technology officer at Imprivata, Wright worked at Microsoft, where the adage “identity is the new perimeter” was used quite frequently. Considering the ever-changing notion of digital identity systems, Wright posited a new way of thinking about digital identities within  the sphere of large-scale networks, saying that he now believes “identity is the new control plane.”

“There is no perimeter anymore…it’s not like we have a single organization,” Harvey said. “The expectation of our providers, as well as our staff and patients, is that they can do what they need to do from where they happen to be, wherever they happen to do it.”

Babachicos added, “If you look at it from the cybersecurity perspective along the lines of digital identity if we know who you are, what your preferences are and how those go together, we can have a lot of power in protecting the systems and giving you more of the experience that you’re looking for. If your identities are incorrect, then your authentication and all those pieces and parts can be really hard to manage as well, so all of these pieces need to play well together.”

Moving toward a more defined digital identity is integral to seamless health systems. The current state of electronic health systems follows a fragmented system from 20 years ago, Wright said. With a new age of integrated health systems that have a larger network of needs, the goal is to take all the digital identity frameworks and coalesce them into one single, consistent framework.

To break down this complicated process, Wright shared a flowchart from Imprivata that detailed the different subsections of a digital identity framework that make the entire health system run smoothly.

A key feature of this integration is ensuring that consistency is present across all devices, including personal mobile devices of staff members.

“It’s really important how [the digital identity] extends outside of the environment onto mobile devices and a lot of the tools that we’re using, even in what we’re bringing to work in our BYOD [bring your own devices] strategies,” Babachicos said.

Staff members and employees could be more prone to phishing attempts on their devices, which could damage the entire system.

Wright shared a quote from Jay Gazlay, a technical strategist at the Cybersecurity and Infrastructure Security Agency (CISA), who said, “Our takeaway from this [SolarWinds] attack is that identity is everything now.” Gazlay was referring to the major cybersecurity attack on U.S. information technology firm SolarWinds in early 2020, which left over 18,000 of its customers vulnerable to hackers, including U.S. agencies like the Pentagon and Department of Homeland Security, detailed here in an article from Business Insider.

Additionally, Wright shared the “core four” elements for securing digital identities and preventing cybersecurity attacks, which include:

  • Identity governance
  • Single sign-on
  • Multifactor authentication
  • Privileged access management

“We forced MFA [multifactored authentication] on things that casually weren’t being utilized before,” Babachicos said. “We really need to double down on that because that is one of the top ways that ransomware comes about.”

Additionally, she shared the importance of protecting your data from potential breaches in the cloud.

“For business continuity purposes, replication is important. If you have all your identities in the cloud, and you ever lost that connectivity to the cloud, you’ve got to have some ways of replicating so there’s still some kind of managing on-premise as well,” Babachicos said.

For more health care tips from industry professionals, visit Becker’s Hospital Review webinar series webpage.

Lori Bowes is ACA International’s communications specialist.