GUEST ESSAY: Securely managing access controls is vital to preserving the privacy of healthcare data

By Balraj Dhillon

There’s no doubt, the increasing use of telemedicine, the explosion of health-based cloud apps, and innovative medical IoT devices are improving the patient care experience.

Related: Hackers relentlessly target healthcare providers

However, healthcare data ranks at the top of the list for needing improvements in security and privacy protections. This data is managed by different entities, such as primary care facilities, acute care facilities and within associated applications that collect, store and track health data, creating numerous exposure vulnerabilities.

There are many reasons for the vulnerable state of healthcare data. One significant factor is the merger and acquisition renaissancethat the healthcare industry is undergoing, which according to a new report from Moody’s Investors Service is expected to continue.

Healthcare organizations pursue merger and acquisitions for many reasons, including improving the ability to meet patient consumerization requirements, providing more personalized care, increasing capacity, and lowering costs through economies of scale.

However, M&A is a complex undertaking, and integrating and consolidating IT, cybersecurity and data privacy infrastructure only adds to the challenge. M&A invariably creates technology gaps that bad actor’s prey upon.

Patient data exposures

Healthcare data security and privacy is a problem that continues to grow. According to a report from Protenus and, over 41 million patient records were breached in 2019, almost tripling healthcare industry breaches from the prior year. The largest privacy incident was reported in 2019 at American Medical Collection Agency (AMCA), a third-party billing and collections company.

Four clinical labs were impacted by the breach that exposed the sensitive data of 21 million patients, including birth dates, social security numbers and physical addresses. The data was found for sale on the dark web.

The vast majority of breaches are the result of poorly managed access controls. All healthcare facilities, and their clients and patients, must have better protection of their digital assets, whether it is patient records, archived digital images, or telemedicine conversations.

Healthcare organizations are taking advantage of the many benefits of cloud and SaaS, accessing apps and data over the Internet. With the benefits of the cloud comes the heavy responsibility of securing sensitive data. Not only is providing secure and reliable access of critical importance, it is a HIPAA requirement.

Dealing with policy-based access

The network security perimeter is dynamically created and policy-based, and must be guarded by secure and highly managed access controls. Access controls are the nexus of security and the expanding perimeter, and zero trust is the architecture that encompasses it. Zero trust demands that no person or device is trusted, and therefore, must be verified first, and then granted access and authorization according to business and regulatory policies. Access controls are part of a zero-trust methodology and strategy.

Zero trust is an all-inclusive security and privacy architecture. It encompasses identity access and management, privileged access management, password-less management controls, detection and response technology, encryption from the endpoint, through the network and into cloud and on-premises hosting environments.

The zero-trust ecosystem protects against malware, ransomware, rogue security software, brute-force attacks, DOS and DDOS attacks, phishing, and rootkit attacks.

I recently worked with a healthcare customer, to implement a new service on top of their API gateway. The previous system allowed users within clinics to have point-to-point connections into the back-end system, which put the healthcare provider at risk. We implemented a new system with access controls that limits credentials, and uses tokens to restrict machine-to-machine access.

Security-privacy teamwork

When a clinical user wants access to data, their credentials are limited to extremely specific databases and files. Because the new system uses machine-to-machine tokens, that individual’s session is limited to a specific period of time. The access rights are driven and enforced by pre-determined policies that associate authentication based upon healthcare facility type, practitioner, patient, data, and regulatory policy criteria like HIPPA, GDPR, CCPA, and others.


Cybersecurity and privacy leaders can quickly become overwhelmed with myriad regulatory requirements, numerous security and privacy technologies, budgetary constraints, and a highly constricted skilled technology workforce. In many cases, these leaders have more questions than answers. Moving forward, it is imperative that security and privacy teams understand how to leverage AI and machine learning to control and predict risks.

A comprehensive strategy, utilizing best of class technologies for zero trust access controls, will ensure IoT sensors and small devices in healthcare facilities and on or inside patients, are protected. Furthermore, clinical workflows will be far more efficient with controlled access to digital tools and records.

With attack vectors expanding and cyber breaches increasing, the reliance upon technology service providers becomes increasingly important. These industry experts are working on solutions daily, and are available to provide thought leadership and best practice guidance. Technology solution providers are the necessary partners that cybersecurity and privacy leaders work need to implement, manage, and maintain the zero trust access controls for healthcare providers, clinicians, and clinical support teams.

About the essayist: Balraj Dhillon is Director, Engagement & Delivery at Simeio, a supplier of advanced Identity and Access Management (IAM) solutions.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone