Overcoming Identity and Access Challenges in Healthcare

Erik Decker, CISO of Intermountain Health, on the Importance of IAM Fundamentals
Erik Decker, vice president and CISO, Intermountain Health

Before healthcare entities can promise advanced identity and access management technologies and practices, their IAM programs need to address important fundamentals, which many entities still struggle with due to the complexity of healthcare itself, says Erik Decker, CISO of Intermountain Health.

"At a traditional organization, you might have an employer record, an HR system that accounts for all the employee data. You might have contractors and contingent labor processes inside that same system. And that's it. There's no extra complexity," he says. "Generally speaking, things flow through that system and then into your identity systems to serve as a 'source of truth.'"

But healthcare is more fragmented, complicated and transient, Decker says in a video interview with Information Security Media Group.

"What we do in healthcare is … we have multiple 'sources of truth.' You might be an academic medical center that works with the university. How you work within the organization might be in a student context versus in an employee context. … You might be a contractor [or an] affiliated physician," adding to the complexity, he says.

"You need a really solid process that accounts for an entry point into your system, so you need to figure that out," says Decker, who is also co-chair of a cybersecurity task group that advises the U.S. Department of Health and Human Services.

In the video interview, Decker also discusses:

  • Identity and access issues in healthcare related to cloud services and hybrid environments;
  • Risk-based authentication, zero trust and other more advanced approaches for improving IAM programs;
  • Overcoming IAM challenges in healthcare.

Decker is the CISO for Intermountain Health, a multistate integrated delivery network based in Salt Lake City, Utah. He is currently co-leader of an HHS task group of more than 250 industry and government experts across the country for implementing the Cybersecurity Act of 2015, 405D legislation within the healthcare sector. Decker was previously CISO and chief privacy officer at the University of Chicago Medicine.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
