Third Party Risk Management, Business Continuity Management/Disaster Recovery, Critical Infrastructure Security
HIMSS cybersecurity and privacy expert Lee Kim discusses key industry challenges
Marianne Kolbasuk McGee (HealthInfoSec)
March 11, 2022
Despite the drumbeat that began about a decade ago for healthcare entities to strengthen their identity and access management, it’s still an “incredibly weak” area for far too many people, says Lee Kim, senior director of cybersecurity and privacy at the Healthcare Information and Management Systems Society.
“It is incumbent on all healthcare organizations of all sizes and types to have really strong identity and access management,” she said in a video interview with Information Security Media Group ahead of the HIMSS 2022 conference, to be held in Orlando, Florida, from March 14-18.
“If there’s anything that needs to be assessed and addressed further, it’s increased assurance that the individual or entity accessing systems or networks is really who they claim to be,” she says.
For example, “tight account provisioning may seem trivial, but many healthcare entities have contractors, employees, and others constantly moving in and out of the organization as they may be visiting and/or their roles may change,” she says.
The recent HIMSS 2021 Annual Cybersecurity Survey found that many healthcare organizations do not implement strong identity and access management across their businesses, which Kim says is “troublesome.”
In the video interview, Kim also discusses:
- Other security weaknesses common among healthcare organizations that need more attention;
- Trends in cyberattacks affecting organizations in the healthcare sector;
- Why many healthcare organizations were “on edge” during the Ukraine-Russia war.
Kim, a lawyer, is the senior director of cybersecurity and privacy at HIMSS. She was also a Team Leader of the US Department of Homeland Security’s Analytic Exchange Program and a member of the National Visiting Committee of the National Cybersecurity Training and Education Center. Prior to joining HIMSS, Kim practiced law in the areas of IT, health technology, intellectual property, privacy and security. She also previously worked in the field of health technologies.