Trust the Identity, but Verify the Access

The events of the last few weeks have had me reflecting on my epidemiology courses. As I shuffled through old lecture notes, an item stood out: opportunistic infections (OIs) and mortality. In essence, people with compromised immune systems are more likely to become ill, and seriously ill, compared to individuals who have healthy immune systems. In the margins of my notebook, I wrote a cheeky observation that IT systems were just like epidemics in populations. Aging, disparate health IT systems, with inconsistent identity management policies, present an opportunistic event/“infection” for a cyberattack. That cheeky note was relevant years ago, and unfortunately, it is more relevant today.

There is no doubt that our current global crisis has similarities that mirror the 1918 Pandemic (H1N1), which resulted in nearly 50 million deaths worldwide, with about 675,000 occurring in the United States. However, almost 100 years ago, we didn’t have healthcare systems that relied on EHRs, apps, cloud technology, and mobile platforms. Nor did we have regulatory pressures to ensure the safety of personal health information (PHI). When known cyber gangs are calling for a moratorium on hospital cyberattacks during this crisis, it becomes clear that data collected and stored by today’s healthcare systems needs to be watched with a level of vigilance that was not previously considered.

The Modern Healthcare System

The IT investments that have been made to improve patient care across the continuum of care mean a single individual will have multiple roles, responsibilities, and privileges to collect, store, and access sensitive information. The average healthcare organization has a complex user population, and when coupled with regulatory changes and infrastructure demands, identity security becomes more challenging. Unfortunately, most healthcare systems have disparate systems, which means that provisioning someone requires multiple authoritative sources. For most healthcare organizations, there was a mentality that if it is not broke, why fix it? Manually matching identities is often a slow process that requires a significant amount of IT resources; while admittedly not ideal, it was palatable and relatively cost-effective, until it suddenly wasn’t.

The unforeseen events of the last few months have shed light on identity management processes that most healthcare organizations will need to reassess. Under normal circumstances, an existing backlog of 80 identities that needed to be provisioned in five to seven business days was less than ideal, but an accepted standard. However, when you have over 1600 identities to provision in a matter of days, not weeks, the “accepted” norm is no longer something that can be easily explained away as “this is just the process.”

For many healthcare organizations, the last few months have highlighted the gaps that exist between operational efficiencies and care coordination. To treat an influx of ill patients with complex symptoms, healthcare decision-makers have been put in the unenviable position of adhering to compliance while onboarding hundreds of clinicians in real time. If they break the former, they face fines and civil litigation. If they are too slow to respond to the latter, they violate their mission to do no harm.

The Path Forward

One thing is clear: while there is no one-size-fits-all approach to identity management, there are some best-of-class processes that will need to be implemented to improve the speed and accuracy of identity provisioning for the next unforeseen event.

Read how SailPoint helped a mid-size hospital provision identities in hours, not days.