The Ah-ha Moment in Identity Security for Healthcare

Authored by Matthew Radcliffe

Historically, and as recently as three years ago, healthcare organizations may have thought having an identity security program was as simple as having single sign-on (SSO). However, COVID shined a spotlight on a variety of process gaps across healthcare organizations when it came to managing the access of clinical staff, including hospitalists, affiliated physicians, and contract nurses. Coming out of the pandemic, healthcare organizations realize the value and positive impact that an identity security program can contribute to the organization.

IT and security teams are accelerating their alignment towards cybersecurity frameworks like HITRUST and NIST with the goal of achieving a Zero Trust model. Identity plays a critical role across these security frameworks by ensuring implicit trust for clinical staff access to a variety of clinical systems and sensitive PHI data.  The balance, however, is implementing and enforcing these security frameworks while reducing the friction between security and clinical caregivers.

The right identity security program enables healthcare organizations to realize both cost benefits and operational efficiency. Considering the year-over-year increases in the cost of cybersecurity insurance and the rate of change across healthcare due to M&S, rapidly expanding clinical services, rapid adoption of a remote workforce strategy, and onboarding of IoT devices, the need for adopting an identity security program becomes glaringly obvious. Over the past two years, healthcare IT leadership has had an “ah-ha moment,” realizing: ‘If I have an enterprise-wide identity security program, I’m delivering immediate value to our internal customers (clinical teams) while rapidly increasing my overall security posture.’ Of course, the most significant and most valuable benefit is that clinical staff can focus on patient care versus struggling to gain access to the core EHRs they need to do their job.

Data Science and AI Drive Efficiencies with Identities

With a vast amount of identity data required to manage complex user populations (employed, contracted, and affiliated staff), combined with the consistent and rapid change across healthcare organizations, it becomes a challenge to manage identity security programs by simply throwing people at the problem. In fact, we would argue that it’s impossible to rely on manual processes to manage today’s clinical access requirements, considering the rapid operational change along with cloud transformation. By leveraging data science and AI, we can enable healthcare organizations to gain visibility and insights to automate access across complex identity populations, applications, and data. AI-based identity security has the smarts to look at clusters of identities and commonalities to grant access based on peer roles.

In an everyday use case, for example, today’s Epic security teams are evaluating ways of leveraging AI-based identity security to more effectively evaluate Templates across broad sets of clinical roles while identifying effective ways to reduce the number of Templates. The result is a more effective EHR access program with a lower chance of inappropriate access across the clinical staff. By doing so, we provide immediate security value to the organization while reducing friction between security and clinical caregivers.

The value of an AI-driven identity security program can be summarized in three critical areas:

1. We arm the audit teams with the critical information and data they need to create the detailed audit history required by security frameworks like NIST and HITRUST as part of the Zero Trust objective.

2. By leveraging peer group analysis, we arm clinical managers with the intelligent information they need at their fingertips to make more informed access decisions more rapidly. Clinical managers can then focus on patient care rather than being bogged down with access request approvals and certification reviews/approvals.

3. We arm IT security leadership with the ability to dynamically manage their enterprise-wide role models even as new security policies are implemented, new populations of users are onboarded, and new applications are introduced into the environment. An AI-driven identity program eliminates the need for costly, manual third-party role modeling consulting services. Organizations can now continuously monitor the identity program against the environment and enable the identity security program to dynamically “offer up” recommended changes to the role model.

Productivity Begins Within

Collaboration across departments (HR, clinical application teams, learning management, credentialing, physician staff, nursing, etc.) is critical to setting the governance over data, applications, and infrastructure. Today’s identity security programs are not just IT projects. They are enterprise-wide transformational opportunities that require a design and deployment model seen through the lens of clinical caregivers. Enabling the internal customers (the caregivers) to influence how the technology should support the business is on the critical path to success. Organizations must launch their identity security program without blinders, staying open to workflow transformation opportunities and admitting that there are both process gaps and data quality challenges across the organization that can be improved upon with the right AI-driven identity security solution.

The Next Step in Identity Security for Healthcare

Recently, healthcare security leaders discussed Epic and identity security integrations, exploring a data science-based approach to identity security. The panel discussed how this approach could reduce clinician friction while increasing healthcare organizations’ ability to meet a rapidly changing security landscape and offered actionable recommendations that enable organizations to launch fully integrated Epic-based identity security programs.

