Cybersecurity in Healthcare: The Value of Leveraging Identity Security to Manage EHR Access
Authored by Matthew Radcliffe, Area Vice President of Sales, US and Canada
Healthcare organizations are challenged with knowing how to reduce clinician friction while increasing their ability to meet a rapidly changing security landscape. They often lose great clinical staff because those staff don’t have the right access when they need it most to care for patients.
We sat down with Matt to ask a few questions about his perspectives on Identity Security practices where EHRs are a big part of healthcare organizations’ tech stacks.
What makes identity security particularly challenging for healthcare providers?
Healthcare organizations have several challenges that increase the inherent risk associated with identities and the access those identities have across the organization. First, consider the user population. Healthcare organizations have complex and dynamic identity populations, including employed clinical staff, contracted staff, affiliated physicians, medical/nursing students, volunteers, and other identity types.
The hybrid nature of provider organizations’ infrastructure adds an additional level of cybersecurity risk. Lastly, health systems prioritizing patient care under continuous financial pressures are faced with an ongoing challenge of balancing cybersecurity and clinical care. Provider organizations must always consider the potential friction between security and clinicians.
Lastly, let’s layer the outcomes of the pandemic which took root back in 2020. Healthcare organizations were front and center of the pandemic as they rapidly adjusted business models to include elements of remote workforce strategies while being faced with treating the most critically ill patients. Healthcare organizations were onboarding and transferring thousands of clinicians on a weekly basis to address the high influx of critical patient needs frequently without the security tools and processes to manage this securely and effectively. The adoption of remote workforce strategies combined with the need to “break the glass” to address critical patient care needs created significant vulnerabilities across healthcare. We are seeing the evidence of this today. Consider the most recent Becker’s Health IT report that identified over 80 health systems hit by cybersecurity breaches in August alone with the sole goal of obtaining unauthorized access to patient data. One thing is clear; no healthcare organization can afford to exclude identity security as their #1 priority. Identity Security strategies that transcend applications, data, and infrastructure permissions are business essential.
Why is integrating an organization’s identity security program with their core EHR, like Epic, Cerner, or MEDITECH, so critical?
To realize the value of integrating an identity security program with sophisticated EHR applications like Epic, Cerner, or MEDITECH, we must first understand the complexities associated with enabling user access within a core clinical application. Clinical applications have multi-level security permissions models that drive what any single user can do within that application. Think of the permissions model as a file cabinet containing layers of folders. Each folder contains another layer of access, “fine grain” permissions, which are more sensitive than the last.
To obtain the appropriate level of permissions, let’s consider the life cycle of a clinical user from the day they join the organization until the day they leave that same organization. Clinical identities join the organization through one-to-many authoritative feeds; consider HR, contractor or non-employee feeds, or flat file feeds commonly leveraged to onboard medical and nursing students and other traditional sources. The average health system has no less than three (3) authoritative feeds, with extensive academic medical systems having 10+ authoritative feeds. The onboarding team then needs to determine the type of identity this individual is (their role in the organization), the type of clinical application access required across the organization, and what validations need to be completed before that user is fully onboarded to core clinical applications (Epic, Cerner, MEDITECH or other). Consider an affiliated physician. The security team must first receive that feed from the authoritative source, create that base account within the core clinical application, and put the account in a block state until credentialing and required learning validation have been completed. Only once those validation checks are completed does a clinician have the access they need to treat patients. In today’s highly manual environments, these processes can take days and weeks to complete.
Multiple layers of personnel or teams are involved in onboarding an affiliated physician, from HR to Credentialing to Learning Management to the Clinical Application team. These various levels of approvals and security checks create unintentional opportunities for errors while increasing the chances of the wrong access security decision being made. The physician (or nurse) wants the right access to patient care (on day 1). SailPoint can fully automate these complex clinical onboarding processes, including the required credentialing and learning management checks, while also ensuring that the appropriate access is being granted rapidly and securely, all the while reducing the burden on the individuals and teams who, today, are managing much of these processes manually.
What should provider organizations consider as they launch an identity security program?
Consider an identity security program designed to support Epic’s clinical onboarding. Here at SailPoint, we continuously encourage our customers to consider several areas across clinician satisfaction, operational outcomes, security posture, entitlement management, identifying opportunities for business process transformation & improvement, and lastly, how an identity security program can accelerate alignment to security frameworks like Zero Trust (NIST/HITRUST).
Specifically, consider the following:
- Is the identity security platform leveraging a standards-based approach built upon the APIs published and approved by the clinical application? Not all, but most of the core clinical application providers have formal vendor developer programs that have some level of formal review and approval processes. SailPoint advises our customers to avoid custom integrations that are not based on a standards-based approach.
- Include the HR, Learning Management, Credentialing, Clinical Care Leadership, and clinical application team(s) as part of the design and deployment of your identity program.
- Identify an identity security platform that is based on the concepts of dynamic role modeling that leverages data science versus static “moment in time” role modeling. The static role modeling approach can no longer keep pace with the change in business across the healthcare market.
What is new about SailPoint’s latest clinical application integration release, and what value does this bring to healthcare provider organizations?
SailPoint has focused on solving the core identity security complexities of managing clinical permissions across the enterprise for over a decade. SailPoint has invested over a decade of development efforts focused on how we can help our healthcare customers obtain a role-based and automated process to onboard clinical staff, including verification checks across credentialing and learning management systems, while also automatically and securely provisioning permissions across the full levels of required clinical application integration based on a standards-based approach. Historically, only an API-driven approach was supported at the base account level, which was insufficient to fully grant a clinician the full access they require to treat patients on day one. Until recently, identity providers would have been limited to proprietary methods combined with imports and extracts of clinical application reports to fully provide an account with the complete access a clinician requires to treat patients. However, SailPoint’s latest clinical integration release now applies the foundation of a standards-based API-driven approach not only to the account level; we now also have the ability to apply the fine grain permissions required to rapidly, securely, and effectively treat patients on day 1. This now means that SailPoint customers can more confidently and rapidly deploy a next-generation identity platform based on standards and approaches recommended through clinical application developer programs. SailPoint can help clinical managers make access decisions more confidently and quickly while keeping their focus on patient care.