Understanding Why Most IAM Programs in Healthcare Fail
Today, more and more healthcare providers are accelerating their digital transformation initiatives, which not only means building modern systems and architectures, but also creating and storing medical information like patient health records and billing information in an electronic format. Protecting the privacy, security, and integrity of this sensitive data must be one of the highest priorities for healthcare providers if they are to avoid security breaches and the resulting financial and reputational damage.
Understanding who has access to sensitive data stored in files and applications, and assessing whether that access is appropriate for the person's job role, is a critical step in meeting the security and regulatory requirements of a healthcare provider organization. The constant interaction between individuals and the large volume of sensitive data they touch every day makes securing access the most challenging component of healthcare security. Yet many healthcare providers are struggling to bring their identity and access management processes and tools into the 21st century.
IAM plays a key role in healthcare security, but it certainly doesn’t come without its own challenges. This post outlines some of the most significant IAM challenges in healthcare that you should consider while shaping your identity governance strategy.
- Fluid nature of the workforce:
One of the most common challenges that healthcare providers have to deal with is the fluid nature of the workforce. Doctors, nurses, physician assistants, specialists and many others take on different roles from time to time. Every role, from clinical specialist, researcher and medical scribe to student, needs to be considered. Furthermore, staff move among multiple departments and facilities, and each set of responsibilities requires access to different information systems. In this complex scenario, how do you ensure the right people have the right access during the times they need it? How do you ensure that access has been revoked when roles change? Implementing a successful identity management strategy is further complicated because the appropriate access levels for the workforce can change dramatically and quickly as part of delivering care to patients.
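The two questions above (does everyone hold only the access their current role permits, and has access been removed when a role changed or ended?) are answered in practice by reconciling an authoritative HR feed against what the applications actually grant. The following added example, which is not code from the original post and uses entirely constructed identities, roles, applications and entitlement names, joins a constructed HR feed with a constructed entitlement snapshot and a simple role-to-entitlement model, and reports grants held by leavers or unknown accounts, grants left over from a previous role (movers), time-bound grants that have lapsed, and role entitlements that were never provisioned.

```python
"""Access reconciliation for a mobile clinical workforce (added illustration).

Joins an HR feed (who holds which role today) against a snapshot of
application entitlements and a role-to-entitlement model, and reports access
that should be revoked or is missing. Every identity, application and
entitlement below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Worker:
    user_id: str
    role: str      # current role according to HR
    active: bool   # False once HR marks the person as terminated


@dataclass(frozen=True)
class Grant:
    user_id: str
    app: str
    entitlement: str
    expires_on: Optional[date] = None  # None means a standing (non-temporary) grant


# Constructed role model: the (app, entitlement) pairs each role is allowed to hold.
ROLE_MODEL = {
    "nurse": {("ehr", "chart_read"), ("ehr", "chart_write"), ("pharmacy", "order_view")},
    "scribe": {("ehr", "chart_read")},
    "researcher": {("research_db", "deidentified_read")},
    "billing": {("billing", "claims_edit")},
}

# Constructed HR feed.
HR_FEED = [
    Worker("u100", "nurse", True),
    Worker("u200", "scribe", True),     # moved from nurse to scribe last week
    Worker("u300", "researcher", True),
    Worker("u400", "billing", False),   # has left the organisation
]

# Constructed entitlement snapshot pulled from the applications.
ENTITLEMENTS = [
    Grant("u100", "ehr", "chart_read"),
    Grant("u100", "ehr", "chart_write"),
    # u100 lacks pharmacy/order_view, which the nurse role requires.
    Grant("u200", "ehr", "chart_read"),
    Grant("u200", "ehr", "chart_write"),  # leftover from the former nurse role
    Grant("u300", "research_db", "deidentified_read"),
    Grant("u300", "ehr", "chart_read", expires_on=date(2024, 1, 31)),  # temporary clinical rotation
    Grant("u400", "billing", "claims_edit"),  # leaver still provisioned
    Grant("u999", "ehr", "chart_read"),       # account unknown to HR
]

REVIEW_DATE = date(2024, 3, 1)  # constructed date on which the review runs


def reconcile(hr_feed, grants, role_model, as_of):
    """Return findings as (finding_type, user_id, app, entitlement) tuples.

    orphaned: holder is unknown to HR or no longer active (leaver)
    expired:  time-bound grant whose expiry date has passed
    excess:   standing grant not permitted by the holder's current role (mover)
    missing:  entitlement the current role requires but the holder lacks
    """
    workers = {w.user_id: w for w in hr_feed}
    held = {}
    findings = []
    for g in grants:
        held.setdefault(g.user_id, set()).add((g.app, g.entitlement))
        worker = workers.get(g.user_id)
        if worker is None or not worker.active:
            findings.append(("orphaned", g.user_id, g.app, g.entitlement))
        elif g.expires_on is not None:
            # A time-bound grant is an approved exception while it is in force.
            if g.expires_on < as_of:
                findings.append(("expired", g.user_id, g.app, g.entitlement))
        elif (g.app, g.entitlement) not in role_model.get(worker.role, set()):
            findings.append(("excess", g.user_id, g.app, g.entitlement))
    # Birthright check: does every active worker hold what the role requires?
    for w in hr_feed:
        if not w.active:
            continue
        for app, ent in sorted(role_model.get(w.role, set()) - held.get(w.user_id, set())):
            findings.append(("missing", w.user_id, app, ent))
    return findings


def revocations(findings):
    """Subset of findings that call for access to be removed."""
    return [f for f in findings if f[0] in ("orphaned", "expired", "excess")]


if __name__ == "__main__":
    for finding in reconcile(HR_FEED, ENTITLEMENTS, ROLE_MODEL, REVIEW_DATE):
        print(*finding)
```

Running the review on a date before the temporary grant lapses produces no "expired" finding for u300, which is the point of modelling rotations as time-bound exceptions rather than as permanent role changes: the access is right while it is needed and becomes a revocation item automatically afterwards. A real deployment would replace the inline lists with exports from the HR system and the applications, and feed the revocation list to the provisioning workflow.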
- Increasing regulatory requirements:
The healthcare industry is one of the most regulated industries, with ever-increasing compliance requirements. For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled or shared.
This healthcare-specific requirement comes on top of the regulatory burden that providers share with other industries, such as the Payment Card Industry Data Security Standard (PCI DSS) for protecting cardholder data and Sarbanes-Oxley (SOX) for attesting to the validity of corporate financial statements. Violating any of these regulations, for example by disclosing, sharing or stealing protected health information, results in heavy financial penalties or irreparable damage to the organization’s reputation. To comply with the current regulatory environment, healthcare providers are required to put in place specific controls that actively track how access is granted to users throughout their relationship lifecycle with the organization. Unfortunately, this is a complex process given the number of users and applications that must be managed, and it is not something that can be left to manual or partially automated processes.
- Heterogeneous application environments:
The complexity faced by healthcare provider IT risk and security teams is growing rapidly. This is especially true when it comes to protecting access to an organization’s sensitive applications and data. What used to be a relatively simple task – managing applications inside an organization’s network – has become increasingly complex as applications are now spread across on-premises and cloud environments. EMR solutions provided by vendors like McKesson, Cerner and Epic are at the foundation of provider IT environments. While traditionally these solutions have been delivered on-premises, many of these vendors are embracing the rapidly changing IT landscape by providing solutions that can be deployed in a public or private cloud. The complexity of healthcare systems in general, combined with a heterogeneous IT environment made up of on-premises and cloud-based applications and data storage solutions, can quickly overwhelm legacy approaches to identity management.
- Large, diverse user populations:
As healthcare providers continue to evolve their business to provide integrated medical services, they face an increasing need to grant and manage access to internal systems for new types of users. This dispersed population includes not only employees and contractors (B2E), but also business partners, vendors and regulators (B2B), and end consumers, patients and “friends” or benefactors (B2C). The unique relationship of each type of user defines the specific level of access needed to support that relationship. For instance, a physician who is not directly employed by a hospital requires access to certain applications to perform surgery. However, since the doctor has a third-party relationship with the organization, his or her access is inherently riskier and must be managed appropriately. Without addressing the full scope of user access across all constituents, providers can impair the delivery of patient services or, worse, expose the organization to significant security and regulatory risks.
Leading healthcare providers have tackled these challenges head-on and have been extremely successful in using identity management to automate, strengthen and track access at enterprise endpoints. As a result, these healthcare providers have been able to focus on improving the quality of patient care and the productivity of caregivers while managing risk and data protection more easily. In my next blog, I’ll explore best practices in healthcare IAM, including how to take an integrated approach to securing access to all sensitive applications and data using a single approach.