The Development of An Identity and Access Management Plan for A Medical Center

Review Article | DOI: https://doi.org/10.31579/2690-4861/353

  • Cheryl Ann Alexander 1*
  • Lidong Wang 2

1 Institute for IT innovation and Smart Health, Mississippi, USA.

2 Institute for Systems Engineering Research, Mississippi State University, Mississippi, USA.

*Corresponding Author: Cheryl Ann Alexander, Institute for IT innovation and Smart Health, Mississippi, USA.

Citation: Cheryl A. Alexander, Wang L., (2024), The Development of an Identity and Access Management Plan for a Medical Center, International Journal of Clinical Case Reports and Reviews, 16(1); DOI:10.31579/2690-4861/353

Copyright: © 2024, Cheryl Ann Alexander. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Received: 17 November 2023 | Accepted: 22 December 2023 | Published: 02 January 2024

Keywords: identity and access management; authenticator; attacks; mitigation; access review; healthcare; public health

Abstract

Over the last decade many changes have occurred to Healthcare Information Technology (HIT). IT professionals must find new ways to manage the massive amounts of healthcare data. The correct information to the right patient is the most critical factor in identity and access management. IT professionals can set Authenticator traps for preventing cyberattacks and mitigating cybercrimes. Preventing attacks is an enormous undertaking for IT professionals. Access review determines what IT professionals need to do to prevent cyberattacks in the enterprise. This could include many activities. Labeling and identification are essential to preventing attacks. This paper explores access management and review, authenticator, attacks, mitigation, and access review and implementation in healthcare. All this is essential to a successful endeavor at preventing attacks on healthcare information.

1. Introduction

Health Information Technology (HIT) has rapidly developed over the last decade and has contributed to many advances in the confidentiality of patient data and the management of patient health records. Health Information workers are members of the allied health team and have greatly impacted the protection of health data to secure the privacy, confidentiality, and integrity of the patient’s electronic health record (EHR) and electronic medical record (EMR). When the EMR went digital, many new responsibilities fell to the IT professionals. Once digital records accumulated over the last few years, IT professionals began to look for ways to manage the massive amounts of patient data and the means to keep them safe. New laws were passed, and blockchain and big data analytics became popular methods of repelling cybercriminals. Advancements in data storage and data analytics enabled IT professionals to utilize advanced algorithms such as Artificial Intelligence (AI) and machine learning (Stanfill & Marc, 2019). The most popular AI algorithms are currently being used in the Picturing and Communications System (PACS) and other radiological applications. However, many factors are driving the use and development of AI in healthcare, with financial pressures and keeping up with competitors being the most common. The growing elderly population is putting a strain on healthcare, as is simply the huge amount of healthcare data. Data that requires ever more sophisticated interpretation is continually driving data for the provider. The right information to the right individual is a major concern for the IT professional. The increased use of AI and ever more sophisticated practices of access point care such as practical entry point testing, medical coding appropriately, and the ability for Health Information Management (HIM) to manage Health Information and Management (Stanfill & Marc, 2019).

2. Maintaining Confidentiality in Health Data

With the modernization of healthcare imaging data, the amount of data is expanding exponentially. Most HIM and IT professionals are using advanced tools to manage the privacy and confidentiality issues associated with the use of medical imaging tools. Patient imaging data contains sensitive information, and most programs contain large amounts of patient data such as computer imaging technology (CT), magnetic resonance imaging (MRI), ultrasound, etc. Transmission of patient imaging data is highly at risk for cybercriminals and interception of the transmission of any imaging data is a security challenge. A catastrophic event can occur when there is an interception of imaging by any malicious actors or there is tampering with the images or privacy disclosures.  Effective services, then, can only be provided when medical data is secure (Zhang et al., 2020). The responsibility for medical data security lies with medical personnel. Medical data is susceptible to hackers looking to make money on the information related to the patient (Madhusudhan & Sakthivel, 2021). Patient data is more valuable to hackers than a person’s social security number because third-party businesses can use medical data to deny or modify insurance. For example, with a person’s medical data in possession, an insurance company has access to all of their history. The patient may then be flagged, and their insurance claims or application denied.

With telemedicine becoming widely available in multiple care areas, data security becomes an issue for maintaining confidentiality, integrity, and availability. Some medical images need to be transmitted over an insecure public network so that treating hospitals and medical providers can interact. Maintaining confidentiality then becomes the problem. Studies have been published but are not widely available. There are no systematic literature reviews related to patient data security for telemedicine. Therefore, the available options for data transmission need to be studied (Zhang et al., 2020). Big data analytics can store vast amounts of data and can provide patient data with a secure and private access model. Branching off from this, cloud networking plays an integral part in saving data. Traditional EMRs pose a real challenge to the access of patient data. Despite the ease of medical records programs, they still present some challenges, both for integrity and confidentiality. Because the EMR contains much sensitive and confidential information about the patient, it is a very likely target of malicious actors (Mani et al., 2021). A centralized database of patient data can expose the data to cyberattacks and malicious actors. However, stakeholders and providers can have further challenges when trying to access patient data and the EMR. Patient data can be permanently lost when it is deleted from the hospital database, thereby making it more difficult for stakeholders and providers to access patient data in the mobile setting. Patients also have limitations when accessing mobile apps that give them a wide variety of their patient data including labs, imaging, provider notes, and scheduling doctors’ appointments (Mani et al., 2021).

3. Maintenance of Integrity and Confidentiality

Hospitals and other healthcare facilities still maintain stewardship over patient data despite patients having the increased freedom to modify their patient data, view their data, and share their data with other stakeholders and providers. By sharing patient data, the healthcare data management system becomes more secure and effective (Ismail & Materwala, 2020). The qualities of healthcare data have a propitious future for protecting data characteristics such as confidentiality, integrity, and availability. With issues such as integrity taking the spotlight in protecting patient data, the need for solutions is increasing. There is an increasing need for the healthcare industry to work on such critical issues and produce a proposed model for protecting healthcare data. The introduction of smart controls such as cybernetics for the protection of data against cyberattacks should produce a model with strong performance against malicious actors (Ismail & Materwala, 2020). 

4. Integrity and Availability

The unprecedented number of cyberattacks has made protecting health data a challenging task. Healthcare data has been targeted more often by cyber-invasions. The management and direction of smart healthcare facilities have become directly dependent upon digital cyberstructure. Hence, there is a need for healthcare workers to define their facilities and the digital interactions that are currently being used from a new perspective. In addition, the COVID-19 pandemic defined fault lines across the smart healthcare infrastructure that need to be defined and protected while maintaining a new perspective (Alhakami et al., 2020). Healthcare data management must be improved while ensuring trust within the healthcare community. The exponential growth of healthcare data and the overall improved healthy living situations of seniors, the disabled, etc., at home, in residency, and in hospitals, demand a stronger, more propitious healthcare data protection program. Currently, healthcare data is protected in a secure centralized data management plan. However, a decentralized program could provide a more secure and improved plan. Blockchain has been examined by scholars for protecting healthcare data (Naresh et al., 2021).

Nurses, providers, staff, etc. who provide patient care and are responsible for documenting it may have to transport a tablet or cell phone outside of patient care areas even though it has patient data on it. These cell phones and tablets must have cybersecurity protection. The vulnerability of patient data is the highest priority for all staff and providers of patient care. All smart devices have made healthcare data transmissible, portable, and more likely to be the target of a cyberattack. Confidentiality is typically protected by a passcode known only to the user, or by biometrics, barcodes, or other biometric entries that protect healthcare data. Confidentiality is preserving authorized restrictions on information access.

Integrity means guarding against unsuitable information destruction or modification. Availability means guaranteeing reliable and timely access to and utilization of information by authorized users. If data have not been adequately backed up, an integrity problem due to attacks can happen (Warsinske et al., 2019). Other actors who play a role in the security of healthcare data may be external stakeholders or services such as dining servers who provide food for the patient or patient and family. There also may be Durable Medical Equipment suppliers and other suppliers of equipment, medications, or dialysis machines. The security of healthcare data must be vigorous and detailed.

5. Security and Resilience of Systems and Assets

It is vital to improve the resilience of information systems in the Medical Center to ensure the security and resilience of systems and assets. Multi-factor authentication (MFA) is performed. Only authorized employees have access to sensitive resources and employees’ online activities are properly monitored and audited. Important assets are tracked, and asset data are captured and reported in time. Annual training regarding identity and access management as well as data security protection is offered to all employees in the Medical Center.

6. People, Devices, and Services in Identity and Access Provisioning

Access control and identity settings should be maintained up to date (Warsinske et al., 2019). It is necessary to update the identity and access status of people who leave the Medical Center or change departments or jobs within the center. An internal employee’s tasks, access, and trustworthiness are evaluated frequently to decide if his/her access matches the tasks. An employee has the minimum access right needed for assigned tasks (Warsinske et al., 2019).

There are many devices (such as computers, laptops, tablets, and biometric devices) in the Medical Center. If an employee does not work in the center anymore, the employee will be asked to return devices that had been issued to him/her for work. Authentication services such as biometric services are constantly advancing. A service or server with a centralized credentials aggregation is a major attacking target (Warsinske et al., 2019). In the Medical Center, only authorized professionals have access to important resources to provide medical services.

External people, including providers from other hospitals, may be seeking a high level of care for patients. They use a higher level of resources such as trauma care (including access to expert providers) and specialized testing devices and services. They are authorized only a short time of access, depending upon their requirements.

7. Authenticator Threats/Attacks and Mitigations

Table 1 lists authenticator threats/attacks and their mitigations (Grassi et al., 2020) in the Medical Center.

| Authenticator Threats/Attacks | Description | Examples | Mitigation Strategies |
| --- | --- | --- | --- |
| Duplication | Subscribers’ authenticators have been copied with or without their knowledge. | Passwords (stored in an electronic file or written on paper), biometrics (such as fingerprint), and passcodes to rooms (such as medication rooms) with patient data are copied without owners’ knowledge. | Using an authenticator with long-term authentication secrets (difficult to extract and duplicate), and changing passcodes on a staggered timeline (every week, once a month, or every three months). |
| Theft | An authenticator is stolen. | A cellphone (with patient data), badge (allowing access to protected health data), or tablet (including medical charting) is stolen. | Using multi-factor authenticators (activated through a biometric or memorized secret) or two-step authenticators. |
| Social engineering | An attacker creates trust with a subscriber by convincing the subscriber to expose the authenticator output/secret. | A password is exposed by a subscriber during a telephone inquiry from an attacker who masquerades as a coworker or the administrator of the system. | Avoid using an authenticator with a risk of social engineering of a third party (e.g., a customer service agent). |
| Phishing | An authenticator output is obtained by fooling a subscriber into believing an attacker is a verifier or reliable party. | An online attacker acts like a verifier, steals a password, and receives entry to patient data. | Using an authenticator that provides verifier impersonation resistance. |
| Online guessing | An attacker connects to a verifier online and tries to guess a valid authenticator output in the context of the verifier. | An online dictionary attacker tries to guess a memorized secret. | Using an authenticator that locks up after a few repeated failures in activation attempts or generates high entropy output. |
| Eavesdropping | An authenticator secret or authenticator output is exposed to an attacker as a subscriber is authenticating. | An attacker listens for codes to enter patient care areas or overhears an authenticator's secret and patient information in the medical ward near the nurses’ station or in a patient’s room. | Avoiding non-trusted wireless networks as unencrypted secondary out-of-band authentication channels; ensuring the security of the endpoint, especially regarding freedom from malware. |

Table 1: Authenticator Threats/Attacks and Mitigations in the Medical Center


 

8. An Access Review Schedule with Provisioning and De-provisioning, Auditing, and Enforcement

For user access review, access privileges must be periodically reviewed (once a year in the Medical Center) according to each user. The review process includes all the accounts, databases, computers, applications, data that a user can see or change, and websites controlled by the Medical Center. As for system account access review, the process is fulfilled (once a year) system by system, for every security device and computer on the network, every database, and every technical entity—to see which systems and software can do any of the things such as connection, reading or changing access settings, and performing privileged actions, or acting as a system administrator (Warsinske et al., 2019).

Provisioning is the act by which an identity is made available for use. It is what the Information Security Department of the Medical Center does when creating an account on the center’s computer for an employee. De-provisioning is the act of deactivating an identity and associated access. If a person is not an employee in the Medical Center anymore, his/her account will be deactivated. Additional aspects of de-provisioning include removing the employee from the list of authorized computer users and any role-related access control lists, disabling his/her email, etc. (Warsinske et al., 2019).

It is necessary to perform auditing and enforcement to avoid or reduce mistakes and oversights in identity and access management. Internal auditing is conducted once a year in the Medical Center. The center makes rules as appropriate, provides training, measures performance (auditing is part of this), and then enforces consequences for failure. The failure can be problems in policies or actions of human resources, the poor execution of technical steps by the Information Security Department, oversight by a manager or team member, etc. (Warsinske et al., 2019). Auditing and enforcement work together in the Medical Center.
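The user access review and de-provisioning checks described in this section can be automated. The following is an added example, not part of the original article: the role baseline, account fields, finding codes, and sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed least-privilege baseline per role (hypothetical names).
ROLE_BASELINE = {
    "nurse": {"emr_read", "emr_write", "medication_room"},
    "radiologist": {"emr_read", "pacs_read", "pacs_write"},
    "external_provider": {"emr_read"},
}
REVIEW_INTERVAL = timedelta(days=365)  # once-a-year review, as in the article

@dataclass
class Account:
    user: str
    role: str
    employed: bool                  # HR status: still works at the center
    enabled: bool                   # login account active
    email_enabled: bool
    entitlements: set
    acl_groups: set                 # role-related access control lists
    last_review: date
    expires: Optional[date] = None  # set for short-term external access

def review_account(acct: Account, today: date) -> list:
    """Return findings for one account; an empty list means it passes."""
    findings = []
    if not acct.employed:
        # De-provisioning must cover the account, email and ACL memberships.
        if acct.enabled:
            findings.append("ACCOUNT_STILL_ENABLED")
        if acct.email_enabled:
            findings.append("EMAIL_STILL_ENABLED")
        if acct.acl_groups:
            findings.append("ACL_MEMBERSHIP_REMAINS")
        return findings
    # Least privilege: access beyond the role baseline (e.g. kept after a
    # department change) is reported as excess.
    allowed = ROLE_BASELINE.get(acct.role, set())
    for ent in sorted(acct.entitlements - allowed):
        findings.append(f"EXCESS_ENTITLEMENT:{ent}")
    if acct.expires is not None and today > acct.expires:
        findings.append("EXTERNAL_ACCESS_EXPIRED")
    if today - acct.last_review > REVIEW_INTERVAL:
        findings.append("REVIEW_OVERDUE")
    return findings

def deprovision(acct: Account) -> Account:
    """Apply the de-provisioning steps the article lists, in place."""
    acct.enabled = acct.email_enabled = False
    acct.entitlements, acct.acl_groups = set(), set()
    return acct

def run_review(accounts, today: date) -> dict:
    """Map each user that has findings to those findings."""
    results = {a.user: review_account(a, today) for a in accounts}
    return {user: f for user, f in results.items() if f}

# Constructed sample accounts for illustration.
TODAY = date(2024, 12, 1)
ACCOUNTS = [
    Account("alice", "nurse", True, True, True, {"emr_read", "emr_write"}, {"nurses"}, date(2024, 3, 1)),
    Account("bob", "radiologist", True, True, True, {"emr_read", "pacs_read", "medication_room"}, {"radiology"}, date(2024, 2, 1)),
    Account("carol", "nurse", False, True, True, {"emr_read"}, {"nurses"}, date(2024, 1, 15)),
    Account("dr_ext", "external_provider", True, True, False, {"emr_read"}, set(), date(2024, 10, 1), date(2024, 11, 15)),
    Account("dave", "radiologist", True, True, True, {"emr_read", "pacs_read"}, {"radiology"}, date(2023, 10, 1)),
]

if __name__ == "__main__":
    for user, findings in run_review(ACCOUNTS, TODAY).items():
        print(user, findings)
```

In this constructed data, bob kept medication-room access after moving to radiology, carol left but was never de-provisioned, dr_ext's short-term access has lapsed, and dave's last review is more than a year old.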

9. Conclusion

Medical centers are highly vulnerable to malicious actors. These attacks can disable medical care and resources. The medical center must be protected against these types of attacks. By identifying these malicious acts, IT professionals can intercept the attacks and mitigate damage. Identity and access management is a key issue in mitigating many risks. Access review, auditing, and enforcement are necessary steps to protect security and make the medical center safer.

Conflict of Interest

The author declares no competing financial interests.

 

References
