By Ruby Raley, Director of Healthcare Solutions, Axway
Let’s imagine two scenarios:
- 1. Expecting company while you’re in your backyard one afternoon, out of earshot of your doorbell, you decided to leave your front door open for a few hours, only to discover later that some property is missing.
- 2. Someone rings your doorbell one evening, and you assume it’s your neighbor who visits at this time each week, but before you open the door, you still feel the need to ask, “Who is it?”
A health IT network has equivalents to these scenarios. Its front door may be left wide open, letting anyone come and go at will. Or the credentials of a person attempting to access the network may be checked routinely, no matter how many times that person has been granted access in the past.
But with today’s pressure to interoperate, enable mobile devices, collaborate with cloud apps, move data to the cloud, and tighten our relationships with our community trading partners, these scenarios simply won’t do. We have to own the edge of the enterprise without leaving the front door open, and without asking for ID every time.
This calls for governance — appropriately and securely connecting business and clinical users, as well as community, patient, and member partners — over the connections and services we offer (e.g., cloud and mobile applications), all while:
- • Ensuring only authorized personnel use these connections and services
- • Preserving our ability to monitor their traffic
- • Defining channels, patterns, and standard capability sets and matching them with the demand
We should strive to build a bridge between our current identity management solutions and the new world of cloud and mobile by:
- • Using identity management solutions that prevent us from disclosing user IDs and passwords when the connection is inefficient or insecure (e.g., Attribute Based Access Control [ABAC], SAML, and OAuth)
- • Ensuring that we provide enough information to an authorized user — that we don’t disclose too much or too little — and that we monitor to ensure that traffic is flowing correctly
- • Verifying that we’re not being attacked or hacked in any way, producing audit reports, and proving that our actions reflect our policies
With these simple methods for securing the front door, we can rest assured that we won’t have to leave it wide open for users to come and go at will, without our knowledge, nor will we have to drop what we’re doing and answer it every time the doorbell rings.
Do these predicaments sound familiar to you? Do you feel you have strong governance over the connections and services you offer? I’d love to hear your comments!
