Securing Identities for Data Access in Healthcare

It is no secret that healthcare organizations are pressed when it comes to securing the data and privacy of patients. Ransomware attacks are not going away and are on the increase. Combating the threats posed by hackers, bad actors and rogue nation-state community is nothing short of an arms race. Securing and managing user identities is key to protecting users and patient data. Most malware attacks start with compromising user and/or admin accounts to gain access to data and systems. In this post, we will discuss combining Single Sign-On (SSO), conditional access, and Multi-Factor Authentication (MFA) as a strategy to protect identities and accounts. 

Zero Trust 

Identity is the new perimeter and the first line of defense in a Zero Trust security strategy. Zero Trust is a security model that assumes that no user or device is inherently trusted, even if they are inside the network. Microsoft Azure Active Directory can be a valuable tool in implementing a Zero Trust security model while simplifying the sign-in experience with features such as Single sign-on (SSO).  

Single Sign-On 

Single sign-on at its core allows users to sign in once and gain access to all their data, applications, and web applications without the need to sign in again. Think about the ease of use of logging on in the morning to your PC configured with SSO and having access to all your websites, cloud storage, and apps without having to manage all the passwords that are required to access them all for the rest of the day. That is the magic of SSO. Benefits of SSO include: 

• Single password to log on to all apps. 
• No need for users to manage multiple accounts and their complex passwords.
• Reduces provisioning and administration of accounts by system admins. 
• One-stop shop to manage user ID’s. 
• Easy to de-provision a user and all their accounts when they leave the company. 
• Increased user satisfaction due to productivity gains and no need to manage all those passwords. 
• Includes monitoring of user activities and data access via built-in auditing features. 
• Scales up easily no matter the number of users or logon accounts. 

Multi-Factor Authentication 

Adding Multi-Factor Authentication (MFA) makes it much more difficult for an attacker to gain access to an account. MFA utilizes the concept of something you know, your login and password, with something you have, a key code that shows up on your smartphone during the logon request. This means that if a user’s credentials are compromised, the identity is still safe as the attacker needs the key code which only the user possesses to complete the chain of authentication to the account. 

Conditional Access 

Conditional Access sets the conditions or rules that a user or device must meet before being granted access to accounts, data, or applications. An example of a conditional access rule would be the requirement that MFA be used to gain access to apps and data. Another example would be that the device you are using to access Office 365 is required in the US. You can enforce single conditional access rules or stack multiple rules. For instance; require MFA and that the device you are accessing data from be marked as compliant and is following the organizational security policies. Commonly applied policies include: 

• Requiring MFA for users with administrative roles. 
• Requiring MFA for Azure management tasks. 
• Blocking sign-ins from users attempting to use legacy authentication protocols. 
• Requiring trusted locations for Azure AD MFA registration. 
• Blocking or granting access from specific locations. 
• Blocking risky sign-in behaviors. 
• Requiring organization-managed devices for specific applications. 

Licensing

Med Tech Solutions utilizes Microsoft Azure Active Directory to manage identities, as well as SSO, MFA, and Conditional access. This requires the Azure AD Premium P1 license. This license is included in the following Microsoft plans: 

• Microsoft 365 Business Premium 
• Microsoft 365 Frontline F1 
• Microsoft 365 Frontline F3 
• Microsoft 365 Enterprise E3 
• Microsoft 365 Enterprise E5 

Azure AD P2 can be added as a stand-alone license to any Microsoft plan. It provides the most security features. Microsoft 365 Enterprise E5 includes Azure P2. All other plans would require the stand-alone Azure AD P2 license. Additional features of Azure AD P2 include:

• Risky Accounts Detection. 
• Risky sign-in log-in reports for up to 90 days (about 3 months). 
• Privileged Identity Management – this helps manage privileged accounts with features such as role-based access control, just-in-time access, and privileged account auditing.  
• Security information and event management (SIEM) log connectivity to improve overall cybersecurity posture.  

In summary, pairing SSO with Conditional Access and MFA provides the convenience of a single password for log on to secure accounts with ease of use and strong security. It also supports a Zero Trust Security Strategy. This combination should be considered the minimum standard for managing user identities and access for healthcare organizations. 

MTS is constantly working to ensure the safety and security of your data. Learn more about our security and compliance solutions.