In the digital era, the digitisation of healthcare systems is a national priority. The ultimate objective is to pool resources in order to become more efficient, thus offering patients a better quality of care. This aim is based in particular on modernisation of the IT infrastructure. As such, the HOP’EN programme, run by the French General Directorate for Healthcare Services (DGOS), represents the national roadmap for hospital information systems over 5 years.
Within this context, the implementation of an identity and access management strategy by the establishments and companies of the healthcare domain is a decisive factor. The aim of this is two-fold: to guarantee compliance with the security rules, and also to open up their IS to allow a united and smooth digital care path, both for patients and for healthcare professionals.
How to meet the 3 major challenges for identity and access management in the Healthcare & Social sector?
1. Ensure the protection of sensitive and confidential medical data
The priority in the healthcare sector is to guarantee the confidentiality of patient data. Securing applications has, therefore, always been a major challenge for CISOs. Ensuring that only authorised professionals have access to the right information, regardless of their access points, is vital when it comes to medical data. Access to sensitive applications on shared workstations (kiosk workstations) or terminals at patients’ beds, for example, must be secured using adaptive authentication.
There is a wide and complex range of different types of personnel and usage scenarios in the healthcare domain. Administrative personnel will not have the same requirements, and therefore not the same rights, as care personnel, who themselves comprise various profiles (doctors, nurses, practitioners, etc.). Mastering user life cycle management, based on a healthcare establishment directory, is essential in order to reduce the operational risk of security flaws.
Our identity and access management platform provides a complete and modular response to the specific problems of healthcare organisations. It provides a response to the security and confidentiality requirements, ensuring compliance with legislation while using ergonomic solutions adapted to the specific requirements of the profession.
2. Open the IS for sharing and secure exchanges
The underlying trend in the healthcare sector is towards the removal of barriers, pooling and sharing. France’s regional hospital groups (GHT), created in 2016, are an illustration of this trend. However, although the benefits of pooling no longer need to be proven, the challenge nonetheless remains considerable. It involves converging hospital information systems (HISs) which are not just complex, but also vary widely in their degree of maturity. Each establishment has its own processes, range of applications and security solutions.
Identity and access management is an essential component in the implementation of a secure space for medical communication. It will allow the IS to be opened up securely to an extended ecosystem (patients, hospitals, community physicians, insurance companies, etc.), based on a reference security foundation which will guarantee both respect for the security policy and interoperability with the external digital world.
Furthermore, the web SSO or identity federation processes will provide healthcare professionals with a smooth and seamless authentication path within this extended digital ecosystem. Simple navigation between the various application services, without cutting back on security, is essential in a sector where access to information needs to be quick and faultless.
3. Surveillance and traceability
Lastly, the healthcare domain is subject to a very strict regulatory framework and demanding requirements in terms of compliance. The many operators of critical infrastructure (OCI) or operators of essential services (OES) in the domain show that the cybersecurity issues faced are national in scale.
IT departments are therefore subject to numerous audits with a view to limiting the risks and their consequences for economic activity in general.
Segregation of rights, traceability of access and the review of authorisations are all essential features in identity and access management. Such features allow you to assure auditors of the control and legitimacy of the rights granted to users, as well as of the procedures and actions put in place to reduce the operational risk in the event of an error.