M&A activity across healthcare enterprises continues to speed up as they seek to lower costs and increase profitability in a competitive healthcare landscape. That’s reflected in the 27 health system mergers in Q1 2019, according to the latest M&A Activity Report from Kaufman Hall. One of the chief challenges in these new organizations is data security and access.
Each merger may result in hundreds of “new” support personnel accessing networks, countless health information systems (HIS), and medical devices across disparate healthcare locations. This leaves system admins and security/IT teams in a constant state of catch-up as they seek a unified and transparent approach to access authorization and security through advanced multi-factor authentication solutions.
Overcoming Access Challenges with Multi-factor Authentication Solutions
Overcoming the challenge of identifying users in real time and providing anywhere, anytime access based on roles will set the stage for success or failure of a health system merger.
The root of the problem lies in how M&A makes it difficult to create an accurate, responsive, and centralized user profile system across a changing Active Directory. Things only get more complicated with electronic protected health information (ePHI) data scattered across a healthcare enterprise’s cloud applications and information systems.
Passwords are an easy target for hackers, and they can become even more vulnerable post-merger, when hackers can exploit loopholes in security systems. The problem of insufficient password protocols can be seen in a recent Health Informatics Research (HIS) Brief.
HIS assembled the brief from over 200 medical professional respondents, 74 percent of whom admitted to sharing EHR access credentials with others. This statistic is one of many that reveal the need for advanced multi-factor authentication products and the challenge of making access authorization simple for users.
Overcoming Access Authorization Complexity
Enterprise EHRs may have dozens of clinical workflows requiring authentication, which is just one example where user convenience can conflict with secure access. The varied access endpoints increase the conflict even more. In the age of mobility and BYOD, this can include:
Medical devices, whether at the POC or embedded in the patient, will require simple but stringent data access security methods so that authorized health professionals can monitor and adjust the device parameters. This may require a mix of professionals that need both POC and remote access via wireless and cloud connectivity.
Embedded medical device security has traditionally been lacking where these devices connect to sensors, monitors and the hospital network. Multi-factor authentication methods for access to these systems are crucial to decreasing both PHI data theft and hacks that can cause patient harm.
Third-party vendors are another source of access authorization security and convenience challenges, both before and after a healthcare system merger. Access to physical spaces and systems by contractors requires a scalable and flexible solution.
The right solution must have form factors that can adapt to needs ranging from various mobile devices to virtual desktop infrastructure (VDI) endpoint access. Efficiently and securely navigating the access needs of vendors requires a solution that also delivers consistent access standards enforcement that is simple to monitor and manage.
The Ideal Multi-Factor Authentication Products Profile
Just a single hospital represents a complex web of networks, technologies, systems and regulations. But the merged healthcare system ups the ante by leaving complex systems integration, new technology, and new users with disparate access authorization protocols and methods in its wake. That’s why multi-factor authentication products must provide the following:
These new healthcare entities need a system and methodology that can meet all present and future authentication needs, inside and outside the hospital. A unified approach to multi-factor authentication solutions is vital to the success of the new entity. The goal is to balance uncompromising security with convenient use, management, monitoring and scalability to reduce security vulnerabilities while not impeding patient care.