Temple Health achieves faster, more accurate onboarding


Temple Health is committed to providing high quality patient care and giving practitioners the resources they need to deliver positive outcomes. 

Challenge

The IT team at Temple Health was inundated with the process of manually onboarding and provisioning the organization’s 20,000 employees. A more effective solution was needed.

Solution

Temple Health selected SailPoint to implement a role-based access control system capable of automating the process of onboarding and provisioning new identities. Through a robust integration with Epic, the organization’s electronic health record provider, SailPoint was able to streamline the onboarding process, eliminate persistent challenges like overprovisioning, and unify Temple Health’s approach to identity management.

Industry

Healthcare

Company size

12,000+ employees

Partner

CTI Global

“Implementing an RBAC system allowed Temple Health to automatically assign access privileges based on pre-defined roles, responsibilities, and job descriptions – ultimately resulting in a 99% reduction in the time needed to onboard users.”

Chin Osuwa, Lead Engineer (IAM), Temple Health

99% reduction

in time to onboard users (1.5 hours down from 120 hours)

93% reduction

in time for password resets (2 mins down from 30 mins)

60% reduction

in IAM team resources (4 people down from 10 people)

In the healthcare industry, balancing security needs and data access needs can be a significant challenge. For sick and injured patients, every minute counts – which means doctors and nurses cannot afford to spend their time waiting for their credentials to be validated or their access requests to be approved. At Temple Health, large ticket queues and lengthy turnaround times were causing significant friction, particularly around the onboarding process. The IT team at Temple Health was inundated with the process of manually managing roles and responsibilities for nearly 20,000 employees. A more effective solution was needed.

“We didn’t have an automated onboarding process in place,” explained TJ Mallozzi, Director of Epic Security and Access Management, Temple Health. “Healthcare organizations have a lot of different identity groups: there are clinical and non-clinical identities, nurses, nurse practitioners, doctors, administrative staff, students, interns, and many, many more. The access needs of any given user can be wildly different, depending on which groups they fall into. Manually provisioning and managing thousands of identities just wasn’t a realistic long-term solution.”

Every person who works for Temple Health gets provisioned to something – an email account and set of network credentials at the very least – but their access needs can vary significantly. Healthcare is also a notoriously high-turnover industry, with clinicians, nurses, doctors, administrators, and other employees arriving and departing on a regular basis. Additionally, healthcare professionals often see their roles and responsibilities change, particularly at an academic medical center like Temple Health. Students might become interns or residents, doctors and nurses might work shifts in both the hospital and the clinic, and their roles and permissions need to be updated accordingly to avoid losing precious time to login portals, access requests, and other frustrations.

“Inefficiency was a serious problem,” said Mallozzi. “It might take a month – or even two months – for a new employee to receive all the access privileges they needed to do their job. Tickets would be pushed around the system, and sometimes the IT team might not even have access to the necessary systems and applications. End users had no way of knowing if or when they would finally get their access, because the ticket might never close. What we needed was a centralized, automated way to manage identity and access privileges.”

“Now we can standardize access across the many systems and applications we use – which shared folders they can access, which SharePoint sites, which distribution lists, and so on. We don’t need to put in tickets. We don’t need to figure out who owns which list. It happens automatically now. It just works.”

TJ Mallozzi, Director of Epic Security and Access Management, Temple Health

Role-based access control streamlines the onboarding process

When Temple Health began working with SailPoint, the first step was to create a more accurate and transparent Role-Based Access Control (RBAC) system that would help streamline the onboarding process by creating clearly defined roles for different types of identities. In the past, it could take upwards of 120 hours to onboard and properly provision a single new identity, which meant bulk onboarding could take months. Implementing an RBAC system allowed Temple Health to automatically assign access privileges based on pre-defined roles, responsibilities, and job descriptions – ultimately resulting in a 99% reduction in the time needed to onboard users.

“We acquired another hospital at one point during our early days with SailPoint,” recalled Chin Osuwa, Lead Engineer (IAM), Temple Health. “We were expecting the process of onboarding their employees into our system to take months. We had already prepared to work long weekends and maybe even bring on additional contractors to help with the process. But with the SailPoint system in place, I was able to write the logic needed to provision all 3,000 users with network access and an email inbox in just one hour. When I reported that it was done just three days into the transition process, you could have heard a pin drop in the room. That’s when I said, holy cow, we’re really onto something here.”

Temple Health uses SailPoint IdentityNow with Connectors, creating, provisioning, and managing privileged and non-privileged identity accounts both on-premises and in the cloud. Additionally, IdentityNow is integrated with Epic, Temple Health’s electronic health record (EHR) provider, enabling the organization to provision access through SailPoint to both Epic EMP, which manages employee records, and Epic SER, which manages provider records. SailPoint’s RBAC enforcement of least privilege eliminates privilege creep and significantly reduces the potential for overprovisioning. Healthcare organizations remain a prime target for cybercriminals, who recognize the value of patient records and personal health information. By ensuring that identities have only the access privileges they need to fulfill their specific roles and responsibilities, Temple Health has significantly reduced the likelihood of an identity-related breach.

The partnership hasn’t just impacted employee onboarding, but the offboarding process as well, ensuring unused or outdated identities are deleted appropriately. This eliminates the possibility of an attacker compromising an outdated identity, but it has also resulted in significant savings from a licensing standpoint. With greater visibility into the organization’s identities, Temple Health was able to eliminate 13,000 user accounts from Active Directory, saving the organization roughly $100,000 per month in licensing fees alone. It was a stark reminder that strong identity management can have a positive impact not just on security, but on the organization’s bottom line.

“Working with SailPoint has enabled Temple Health to reduce the volume of resources devoted to identity and access management (IAM) by 60%, going from a team of 10 to a team of four and allowing those resources to be reallocated to other, more critical tasks.”

Chin Osuwa, Lead Engineer (IAM), Temple Health.

Epic integration is key to Temple Health’s identity program

The integration between SailPoint IdentityNow and Epic has been at the core of the program’s success. When a new employee is hired, Temple Health’s HR system alerts the IdentityNow system, which creates an account for the network as well as an account within the Epic system. It automatically places a training block on the Epic account, which the onboarding team can remove when the new employee has finished the training process. Within minutes of SailPoint IdentityNow recognizing a new identity, their user template, access privileges, and security needs are all fully provisioned within Epic. As soon as an employee’s training block is released, they have everything they need to fulfill their responsibilities, and Temple Health schedulers can begin scheduling appointments in seconds.

“We used to see a lot of overprovisioning,” said Mallozzi. “When we started the discovery process with SailPoint, the lack of uniformity was something we noticed right away. We would see people in the same role with the same job title in the same position who had wildly different access to systems and data. Now we can standardize access across the many systems and applications we use – which shared folders they can access, which SharePoint sites, which distribution lists, and so on. We don’t need to put in tickets. We don’t need to figure out who owns which list. It happens automatically now. It just works.”

The integration with Epic also made it significantly easier to make changes to entitlements and access rights. If an employee was accidentally assigned to the wrong role or template, a Temple Health employee could simply make the required change in the SailPoint system, where it would be pushed out to Epic through the SailPoint Connection. This has made the process significantly easier than making changes directly within the Epic system, which can be more time-consuming and requires a higher degree of technical expertise. While Temple Health began with Epic EMP integration, the organization quickly recognized the value it presented and implemented Epic SER integration as well.

This has helped provide valuable peace of mind, particularly where compliance is concerned. Uniform job roles and templates ensure that job roles that are not supposed to have access to patient data will be appropriately provisioned. IT personnel no longer need to worry about whether specific identities are overprovisioned or receiving access to data that goes beyond their job scope. SailPoint’s accurate templating ensures that every identity in a given role is granted access in Epic that is in keeping with the responsibilities of that role, reducing the likelihood of a privacy breach or compliance violation.

A mature approach to identity

Temple Health has been working with SailPoint for just three years, but in that time the organization has dramatically matured its approach to identity management and security. Even today, a large share of healthcare organizations lack an identity security product and instead continue to rely on cumbersome manual processes. Many may be unaware that identity security solutions like SailPoint can integrate directly with Epic, allowing them to not just improve identity security but streamline operations and enhance usability, as well. In fact, working with SailPoint has enabled Temple Health to reduce the volume of resources devoted to identity and access management (IAM) by 60%, going from a team of 10 to a team of four and allowing those resources to be reallocated to other, more critical tasks.

“Certainly, onboarding has been the biggest piece,” said Mallozzi. “We’ve significantly accelerated clinician access so they can more quickly treat patients. Before SailPoint, there was a four-letter word at Temple Health: SARF, or ‘Submission for Access Referral Form.’ That was our old way of requesting access to systems or data, and it was a frustrating and tedious process. Well, SailPoint took that away. Since new users are provisioned automatically according to their specific needs, our providers have access to everything they need to treat patients effectively right away.”

The new system makes it significantly easier for users to verify their identities, which has a trickle-down effect on the help desk. Prior to working with SailPoint, roughly 35% of helpdesk calls at Temple Health were for password resets, each of which might take as long as 30 minutes. Thanks to SailPoint, users no longer need to call the help desk. Instead, they can validate their own identity using a token sent to a verified device, resetting passwords in just two minutes – a 93% reduction in time. More importantly, Temple Health estimates that the new process has resulted in at least a 35% workload reduction for help desk employees.

“If you forget the password to your online bank, do you call the bank?” said Osuwa. “Of course not. You click ‘forgot password’ and the bank challenges you by sending a token to your phone. We’re implementing that process at Temple Health, and it’s allowing our support staff to focus on more important and engaging tasks.” 

The robust SailPoint platform has also helped Temple Health de-clutter its human resources system, significantly reducing the number of distinct user templates in use. By aggregating similar user templates and eliminating outdated redundant ones, Temple Health was able to provision users in a more uniform way across multiple systems. This has helped reduce the level of uncertainty around certain roles and their responsibilities. Rather than spending time and resources identifying the differences between similarly named roles across different platforms, SailPoint allows Temple Health to approach identity in a more unified manner.

Temple Health is just getting started

As Temple Health looks to the future, the success of the Epic integration has inspired the organization to take on more Connectors. Ultimately, Temple Health wants to work with SailPoint to provision every possible application within the digital health system. That includes platforms like ServiceNow, which will enable Temple Health to automate the task creation process and enable the IT team to further streamline operations. Rather than relying on human beings to create, assign, and close tickets, the SailPoint Connector will be able to create a chain of events without the need for human interaction.

SailPoint provides Temple Health with the critical functionality the organization needs to more efficiently and effectively manage and provision its identities. By establishing uniform roles and responsibilities, SailPoint has made it possible to streamline and automate the previously cumbersome onboarding process, ensuring new practitioners have access to the information they need to begin treating patients immediately.