CHALLENGES
Brian Miller, CISO at Healthfirst, has no illusions about the cybersecurity threat landscape and where to target the defense. “There are an infinite number of variables when it comes to cyberattacks. Think of an army crossing a desert. To challenge it, we would need a security fence across the desert,” stated Miller. “But with just 300 people in a mountain pass, we can stop the whole army. Identity is the mountain pass of your environment and identity is where Healthfirst is investing heavily, - he added”.
Miller was brought into Healthfirst, the largest not-for-profit health insurer in New York state, because the organization wanted to evolve its cybersecurity operations. Founded nearly 30 years ago, Healthfirst has worked with its network of hospital systems, community providers and partners to steadily improve health outcomes and advance health equity through better access to care — especially for underserved communities.
This success means Healthfirst experienced rapid growth and now serves some 2 million members in New York state. But growth and the increasingly complex needs and demands facing a modern health insurer demand a similarly robust cybersecurity program.
Digitally Enabling Members
Healthfirst has one of the most comprehensive databases of member-related information comprising enrollment and billing, customer care, payments, processing claims and health data. Protecting the highly sensitive healthcare records and identities of 2 million members and 6,000 employees is paramount. For its computing environment, the organization adopted a cloud-first strategy. Approximately 70% of systems and applications are now cloud-based and the organization has 10,000 endpoints —70% remote — requiring sophisticated and robust security. “Healthfirst aims to transform the industry by digitally enabling our members,” said Miller. “Part and parcel with that is providing security and high assurances. We have invested heavily in our digital apps, our virtual community-based offices and lots of mobile solutions. Whether a member comes in on an app, the phone, or walks into a community office, all roads lead to identity.”
– Brian Miller
CISO, Healthfirst
SOLUTIONS
Healthfirst had already deployed a range of Idira products including Idira Privileged Access Manager and Idira Vendor Privileged Access Manager. The insurer trusted Idira, formerly CyberArk, to provide best-of-breed privileged access management and decided to adopt additional technologies from the identity security provider to secure its digital transformation. For example, Healthfirst has also migrated several legacy secrets management apps to Idira Secrets Manager because it integrates seamlessly with developer workflows and can handle a large volume of secrets.
Business Importance of Security
Alongside the Idira Identity Security Platform, Healthfirst ran an education and adoption program to help staff understand the risk and impact that modern cyberattacks, like ransomware, could have on the organization and its members. “After implementing Idira, we went through a period of having to educate the business about privileged access management,” recalled Miller. He added, “But it was really a change management effort to help people understand the value of security. Then there is a tipping point where you stop pushing through resistance and people realize the importance of security for them as a business.”
Having recognized identity as one of the critical elements in building an effective cybersecurity infrastructure, Healthfirst has now turned to the Idira portfolio of workforce identity management solutions. The company recently deployed Idira Identity and Access Management solutions to provide staff with simple yet extremely secure access to business resources using single sign-on and multifactor authentication (MFA). “The objective is to make it as hard as possible to break into systems, software and development chains from inside the system, as it is from outside on the internet. Strong identity control is a part of that Zero Trust idea where it does not matter where the bad guy is; they cannot harm anything,” added Miller.
“One of the things Healthfirst is very excited about as we evolve workforce identity management is the ability to federate,” disclosed Miller. “With other systems we are spending lots of dollars on licenses, for example, to allow call centers to access our systems. With Idira, we will be able to federate with their identities, cut costs and licensing fees, and use Idira desktop soft tokens for MFA. That will give us a very robust and cost-effective solution.”
Because Idira solutions are integrated across several areas of privileged access management and identity protection, Healthfirst can now control security more efficiently and cost effectively than when it had multiple tools performing similar functions, thereby driving significant operational efficiencies in the company.
-
Comprehensive Management
To protect human and machine identities. -
Cost Reduction
With solutions like federated identity control. -
Improved Security
To protect PHI for 2M members. -
Consolidation
Replaced multiple tools with a unified identity security platform.
Zero Trust Controls Identity
Partnership with the Idira team has been one of the key elements in helping Healthfirst build an effective privileged access management and identity security program. “I like to work with vendors that have a culture and vision, and are excited about what they are doing,” concluded Miller. “As a CISO, that is the kind of partner I am going to bet on,” he affirmed.
