Best Practices For Developing An IdM Program For Healthcare

The healthcare industry has been a late adopter of Identity and Access Management (IAM) solutions, mainly because of limited IT budgets. Meanwhile, according to a recent Ponemon Institute study, criminal attacks are the leading cause of half of all data breaches in healthcare, with an average cost of more than $2.2 million. Given the complex nature of a healthcare business and increasingly strict regulations, healthcare organizations are finding it challenging to protect access to sensitive applications and data, including patient records, insurance information, and payment details, to name a few. The transition to electronic health records adds yet another layer to the situation. Hackers take advantage of loose security controls and weak user access governance to break in and steal this coveted information. It is vital for healthcare organizations and providers to implement a comprehensive IAM program if they wish to proactively mitigate their risk of exposure and ensure that the right people have access to the right information or applications at the right time and for the right reasons.

In the last blog, I uncovered some of the most significant challenges of implementing an IAM program within a healthcare organization. Now let’s talk about how best to address those challenges, which will help you develop a strong identity governance strategy to protect your patients and your organization.

Fluid nature of the workforce:

One of the most common challenges that healthcare organizations have to deal with is the fluid nature of the workforce. A user in this fluid workforce needs access to information based on their contextual role, or persona. That information can reside in a myriad of data sources, including EMR systems and home-grown applications. As you develop the requirements for an IAM program, it is necessary to identify the various personas each user takes on and establish governance guidelines that stipulate what they can access as their role changes throughout the day or as they move from one department to another. In other words, your IAM implementation should be able to model personas distinctly from the human user. This requires that IAM solutions have adequate identity life-cycle capabilities to adapt to an organization’s approach to personnel management, and to make sure access has been granted or revoked as roles change.

Increasing Regulatory Requirements:

The Health Insurance Portability and Accountability Act (HIPAA), HITECH and PCI are not new terms for any healthcare provider. The IAM program you establish should take into consideration the need to automate compliance controls, such as access certification processes, based on defined governance policies. It should also provide real-time policy monitoring that enforces separation of duties (SoD), detects access policy violations, and remediates the risk once a violation is detected. Automation is also one of the easiest ways to establish repeatable governance practices; it makes each practice more consistent, reliable, and easier to manage, allowing for more effective adherence to regulatory requirements.
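To make the two ideas above concrete, the following Python sketch is an added example (not SailPoint's code or any product's API): it models personas distinctly from the human user, recomputes effective access as personas are assumed and dropped during a shift, flags separation-of-duties violations across the combined access, and reconciles what is actually provisioned against what the active personas justify. The persona names, entitlements and the single SoD rule are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: each persona (role in a context) carries its own
# entitlements. A human user holds zero or more personas at any moment.
PERSONA_ENTITLEMENTS = {
    "floor_nurse":    {"emr:read_chart", "emr:update_vitals"},
    "charge_nurse":   {"emr:read_chart", "emr:approve_orders"},
    "billing_clerk":  {"billing:submit_claim", "billing:view_insurance"},
    "claims_auditor": {"billing:approve_claim"},
}

# Constructed SoD rule: no single person may both submit and approve claims.
SOD_RULES = [
    ("billing:submit_claim", "billing:approve_claim"),
]


@dataclass
class HumanUser:
    """The person, kept separate from the personas they take on."""
    user_id: str
    personas: set = field(default_factory=set)

    def assume(self, persona):
        if persona not in PERSONA_ENTITLEMENTS:
            raise KeyError(f"unknown persona: {persona}")
        self.personas.add(persona)

    def drop(self, persona):
        self.personas.discard(persona)

    def effective_access(self):
        # Union of everything the currently active personas grant.
        return set().union(*(PERSONA_ENTITLEMENTS[p] for p in self.personas))


def sod_violations(user):
    """Each SoD rule the user's combined access breaks, and the personas responsible."""
    access = user.effective_access()
    found = []
    for a, b in SOD_RULES:
        if a in access and b in access:
            via = sorted(p for p in user.personas if PERSONA_ENTITLEMENTS[p] & {a, b})
            found.append((a, b, via))
    return found


def stale_grants(user, provisioned):
    """Entitlements still present in target systems that no active persona justifies."""
    return set(provisioned) - user.effective_access()
```

Running `stale_grants` over a connector's export after a role change is the reconciliation step an access certification campaign would review.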

Heterogeneous application environments:

Since applications are now spread across on-premises and cloud environments, it is imperative that identity governance be considered across all environments and not just inside an organization’s network. Your IAM program must centralize visibility of enterprise resources regardless of where they exist in the environment. To create an overarching governance framework, start by building a single view of all access across applications, especially critical systems such as the organization’s EMR (e.g., Epic, Cerner or GE), where large amounts of patient data are stored. You should strive for visibility irrespective of whether an application resides on-premises or runs in the cloud. This 360-degree visibility of user access across environments should include every user, internal and external.

Large, diverse user populations:

User populations in healthcare consist of employees and contractors (B2E); business partners, vendors and regulators (B2B); and end consumers, patients and “friends” or benefactors (B2C). This entire population, with wildly diverse levels of risk depending on their immediate needs, can become a real headache for identity management teams. Your IAM program should address user access across all constituents and treat every user type as unique. It should be able to differentiate between user types and enforce different levels of governance and business process execution. Also, ensuring the user experience is simple, convenient and accessible from any device (laptop, desktop, tablet or mobile) will help ensure compliance and allow users to focus on patient care.

Your Next Steps:

Developing a solid IAM strategy should also include working with trusted and proven advisors to help shape a plan that will address your security and operational requirements. SailPoint is the recognized leader in Identity Governance and provides a proven end-to-end solution that helps healthcare organizations manage the growing security and operational requirements in a world where complexity and risk are escalating. SailPoint’s Open Identity Platform ensures you can extend access and governance across all systems and applications, including connectivity to third-party EMR systems such as GE, Cerner, and Epic.

This Open Identity Platform also provides you with flexibility on how individual identity management capabilities are consumed by your organization. SailPoint solutions allow you to See Everything, Govern Everything, and Empower Everyone while allowing you to meet the needs of your healthcare organization and patients today and in the future.