How Change Healthcare Reimagined Compliance with Identity Governance

Change Healthcare provides revenue and payment cycle management and clinical information exchange solutions that connect payers, providers, and patients in the U.S. healthcare system. The company enables hospitals, doctors and other healthcare affiliates to provide patients a more efficient billing experience.

From Complex Legacy to an Innovative Future

Change Healthcare has seen extensive growth that was often fueled by mergers and acquisitions that brought various technology stacks with them. Employee access was managed to select applications that cooperated with their legacy tool, but governance over the identities was missing. “We were lacking wide integration of our systems and a clear audit of the access in place and being issued,” Andrew Dwight, Senior Director, Identity and Access Management, Change Healthcare shared. “The legacy tool became unmanageable, creating a bigger gap in our identity management processes.”

Change Healthcare needed a platform that could not only drive the process and oversight for provisioning and de-provisioning access but expand that view so governance could be applied. This expanded view would allow them to seamlessly comply with regulations such as System and Organization Controls (SOC), Payment Card Industry (PCI) and the Federal Information Systems Act (FISMA). Dwight and his team took on the job of building an identity governance program to overcome their provisioning and compliance deficits with their identity program and meet their security goals.

Addressing the Compliance Gap

The largest gap in the health of Change Healthcare’s identity management was the lack of automation and technology to back their compliance practice. Dwight and his team worked to bring their certification campaigns under SailPoint’s purview to liberate the company from this manual effort. “Certification campaigns were a manual endeavor, creating pressure and stress on all involved. A major goal for our identity governance program was to integrate, automate and standardize certification campaigns for internal and external audit,” Dwight said. The campaigns are run on employees, as well as contractors. Dwight’s team dissected each app under audit and defined each entitlement that users could use as a key when requesting access to applications. This also gave managers an understanding of what they are approving, further enabling them to make informed decisions. By going through this process and automating certification campaigns, Change Healthcare was able to reduce the number of entitlements being certified from 285,000 to 135,000, contributing to a reduction in work for managers reviewing access.

Improving the end user’s experience was also a priority for this re-haul. Gaining access to systems and data, historically, was a time-consuming process that lacked visibility along the way. Users are now able to request access to applications through SailPoint, without opening a ticket and waiting a lengthy amount of time. “We often had new employees waiting up to 3 weeks to get network access, as well as basic items like their laptop. By improving the IT side of onboarding an employee, new hires now have access on their first day. This change has created a better hiring experience and has jumpstarted new hire productivity,” Dwight shared. Off-boarding has also drastically improved with access being revoked as soon as an employee is terminated, reducing any risk associated with lingering access.

Another pillar of identity governance that Change Healthcare is addressing is managing the data in their environment. With proper controls in place, they can mitigate potential risk by understanding what sensitive data is out there and putting governance around it. “Managing data in our environment will bring our identity governance program full circle. We are excited to test the security use cases with IdentityIQ File Access Manager. The reporting we’ll have access to will help our security team make more informed decisions for events they are seeing in the environment.”

“Employees are the first line of defense for any company. It’s critical to know who is accessing your infrastructure and data to ensure the safety and security of your employees and customers. On the flip side, identity can be a true enabler. SailPoint has created a bright new future for the company,” Dwight said.

Discussion