A Health-ISAC Framework for CISOs to Manage Identity 2.0

An update on the original 2020 framework, to include non-human identities and emerging technologies

Scope Statement

Health-ISAC has published ten white papers over the past six years on various components of Identity and Access Management (IAM). The second, published in 2020, provided a comprehensive framework to help health sector CISOs architect, build, and deploy a modern identity system that protects against attacks and supports business drivers. Health sector organizations are already using the tools it describes: multifactor authentication, privileged access management, and other identity controls are in daily use in health systems around the globe. The framework has not stood still either. Since its initial publication in 2020, it has been updated twice, first in the 2022 zero-trust paper and again in the 2024 privileged access management paper. As with all technologies, however, the identity landscape keeps evolving.

The Identity Framework that follows details the components needed for a modern identity-centric approach to cybersecurity and outlines how those components should integrate and interrelate to secure the enterprise. Health sector organizations should treat it as a holistic framework that manages the full identity lifecycle of employees, practitioners, patients, partners, and now non-human identities in a way that guards against common attacks on identity, materially lowers risk, and increases operational efficiency. Central to this approach in health is identity governance and administration (IGA), because the number of identities, roles, and resources keeps expanding. It is no longer just about enabling access for employees, patients, and third parties. Non-human identities, such as artificial intelligence agents, APIs, and devices, must be provisioned, governed, and secured alongside human identities.

This paper revises and expands the scope of the 2020 framework to cover the additional categories of identities and the components required amid the explosion of non-human identities across enterprises. It examines the role of IGA, particularly as diverse types of identities are added to systems, and the critical role of monitoring and auditing in ensuring that these new identities do not perform unauthorized actions. It also examines other technologies that health organizations should consider when evaluating the future of their identity stacks, including quantum encryption, smart contracts, and others. Lastly, and perhaps most importantly, this paper paints an ideal picture of what an IAM framework should look like within a health sector organization, one that not every organization will be able to achieve, since not all will have the resources for every new system and component. For that reason, the paper also proposes an IAM Maturity Model so that health organizations can make incremental progress in improving their identity security.

This paper will:

  • Define the necessary components for a modern IAM technology stack and how they may interact with non-human identities.
  • Introduce a maturity model for health sector organizations to follow to improve their digital identity posture.
  • Update the types of identities that need to be accounted for in IAM directories.
  • Identify new and emerging technologies that health sector organizations need to consider.
  • Create use cases to show how these components, technologies, and systems are used in the health sector.

Download the Framework 2.0 PowerPoint.

Other white papers in this series for CISOs are also available.
