In healthcare, IT adoption has been on a slow but steady trajectory. Much of the effort to go digital over the past 10 years has targeted specific business processes such as practice management, business intelligence, and patient access to health information. Adoption of electronic health records and investments in mobility solutions have been key elements of those modernization initiatives.
So has the move to cloud technologies: healthcare organizations have embraced cloud to improve data sharing, reduce preventable errors, and lower overall infrastructure costs. All this has made management of digital identities more complex, yet systems used to verify identities didn’t necessarily evolve with the new healthcare technologies being deployed.
Changes have been happening on the clinical side too. Stand-alone health systems began to see value in managing the continuum of care in order to reduce readmissions and address health challenges at their source. Soon they were establishing business relationships with organizations like primary care clinics and long-term care facilities that were essential to their overall delivery services. To boost collaboration, health systems had to transform their digital technologies in ways that were easily adaptable but secure.
Then the external shock of global pandemic hit. All of a sudden, hospitals had to pivot their operations to remote work while ramping up for acute care in the clinical setting. Years of tinkering at the edges of the care delivery model suddenly shifted into overdrive, accelerating trends in mobile work that paved the way for future resilience.
In the discussion that follows, we’ll take a closer look at three emerging scenarios and what they mean for identity management in healthcare. Along the way, we’ll show how a cloud-based identity management platform, delivered through a software as a service (SaaS) model, can further the goals of healthcare organizations as they navigate a course to the future. Browse the sections in the order they appear or skip directly to the one that’s of greatest interest.
Use Case 1:
Transforming the Organization
It’s no secret that health systems are under significant operational pressures. Across every activity, the quest for greater efficiency and effectiveness is ongoing. For example:
- The typical hospital environment includes applications for electronic health records (EHRs), practice management, patient portals, and more. These applications can be housed on premises or in the cloud at various locations. The data they contain may be structured or unstructured, but all of it must be secured and governed across the entire workforce.
- Health systems have long known that a clinician shortage was imminent; the pandemic has accelerated those projections.1 As such, hospitals cannot afford to have personnel waiting for days to receive their credentials to access clinical systems. For example, during Covid-19, fourth-year medical students and residents have been deemed essential personnel to prevent delays in patient care, and hospitals had to find ways to reduce access bottlenecks.2
- A surge in mergers and acquisitions has created unforeseen security challenges, specifically relating to consolidation of disparate IT resources and creation of new identities. The more seamlessly healthcare organizations can accomplish identity access management, the closer they can get to realizing the benefits of using their existing data resources to drive—population health management and care coordination.
- Technology can be a catalyst in these and other areas, creating new value propositions by laying the blueprint for modernization. Such opportunities crop up at the intersection of emerging technologies—such as using artificial intelligence (AI) and machine learning to analyze identity data stored in the cloud, then making the insights available to inform decision-making in other departments or partner organizations.
The takeaway: SaaS-based identity management facilitates organizational transformation by enabling system access without the need for in-house expertise or additional capital spend. Going forward, it also helps healthcare organizations maintain a delivery model that’s consistent with adjacent cloud-based solutions, such as single sign-on, privileged access management, and IT service desk ticketing.
Supercharging SaaS-Based Identity Security
SailPoint IdentityNow delivers identity management and governance from the cloud. This SaaS identity platform uses policies, access controls, and advanced technologies to make sure healthcare personnel see and touch only what data and applications they need to do their job. With integrated AI and machine learning capabilities to identify identity management tasks, organizations can reduce the likelihood of a data breach from 30% to 5%.3 These predictive identity capabilities include:
- Access Insights. Each identity has a history, and data analytics provide richer context around it. When was an identity onboarded? Who approved it? What has changed about their role and access over the years? Insights like these can reveal potential risks like abnormal entitlements and dormant or orphaned accounts. They also help the organization respond to compliance and audit mandates.
- Access Modeling. As healthcare continues to transform, the user population has become more cross-functional and fluid. One implication is that the old ways of maintaining access permissions in a spreadsheet and reviewing them periodically are no longer scalable for modern hospitals. To reduce human error, automatic access modeling lets the identity management platform suggest what the appropriate access currently should be, based on what users in similar roles have.
- Recommendations. Access approvals and certifications need to keep pace with internal compliance shifts as well as external policy changes. A recommendation engine speeds up the process by automatically provisioning low-risk access. Meanwhile, decisions around higher-risk access become easier with AI-generated recommendations based on peer group analysis, identity attributes, and historical access activity.
- Cloud Governance. Healthcare has moved to the cloud as organizations seek more cost-effective ways to store and retrieve exponentially expanding data, especially as onsite data storage becomes increasingly expensive and vulnerable to cyberattacks. Using cognitive processing, the identity management platform can discover and protect access to all the other cloud platforms and resources in use across the organization. Hospitals can see who has access across their multi-cloud infrastructure, enforce access policies, and monitor accounts for suspicious activity in real time.
Use Case 2:
Enabling the Healthcare Business Model
A long-term trend among healthcare providers is to build partner networks—for example, physician practices and post-acute care facilities—to improve the care continuum, drive patient transparency, and improve population health. The expanded footprint and closer collaboration of a healthcare ecosystem can also improve care collaboration, reduce overarching operational spend, and help participants achieve the triple aim.
One outgrowth of this trend is that many large health systems are stepping up to provide clinical infrastructure on behalf of the overall ecosystem. To enable more robust clinical and provider decision support and ROI for IT investments, healthcare organizations have begun to adopt the best practices of interoperability, but this adoption has the potential of creating security challenges and gaps, specifically relating to who has access to what and how they are using that access.
Make no mistake, the digital transformation trend is here to stay. However, the manner by which healthcare organizations contain and manage the solutions they use to reach better patient outcomes will have larger business implications for the security of electronic protected health information (ePHI).
The takeaway: A strong, secure cloud strategy accelerates the business model strategy by helping health systems expand the breadth and depth of their clinical services. Sharing a subscription-based identity management platform also helps smaller ecosystem partners by enabling their own IT environments so they can compete in the market.
Use Case 3:
Supporting Complex User Populations
Now more than ever, healthcare organizations depend on contingent workers, including contract nurses, affiliated physicians, and volunteers, to address the needs of their patient populations. More than one in three of the over 6 million contingent workers in the U.S. are in health and education services.4 Add researchers, business partners, and suppliers to the mix, and it becomes clear that making sure individuals have access to hospital resources that are appropriate to their work is no small endeavor.
During the pandemic, many contingent healthcare workers have had to use their personal devices to efficiently provide patient care. With a large influx of new employees in such a short amount of time, many hospitals were simply not equipped to provision identities for their existing, newly remote staff—much less the volume of new contingent employees. Moreover, the growing number of personal devices used has inadvertently created a security Achilles heel for organizations that need to protect ePHI.
What’s more, these user populations are in a constant state of flux. Users can be temporary or full-time, office-bound or on the move. They may be dedicated to a single department or split their time among multiple ones. All this complicates a hospital’s efforts to enable system access at the right times and for the right reasons.
The global pandemic has shown healthcare organizations the importance of breaking the tradeoff between proximity and productivity. By calling for rapid provisioning to support surge capacity for acute care while deprovisioning in response to a temporary drop in elective and semi-elective procedures, the pandemic has also shown that any disruption to ordinary patient loads can bring the challenges of supporting complex user populations into sharp relief. As remote access becomes a fixture of the healthcare identity landscape, organizations will need to document how they have handled identity access activities, including who requested access, what was being requested, if access was approved and when.
The takeaway: Identity services that are delivered through the cloud allow users to quickly acquire their system credentials and work wherever they may happen to be. At the same time, an identity management SaaS solution protects sensitive data by following the latest protocols and certifications for cloud security without slowing down the business of care delivery.
Forging Ahead to the Cloud
Identity management as a subscription-based service may seem futuristic, but the solution itself resulted from years of supporting use cases on premises with healthcare providers. Provisioning and other core governance pieces came first. Subsequent versions saw the addition of more advanced features like access request and automated access reviews and certifications. By then, forward-thinking healthcare organizations were already looking at how they could improve efficiency, evolve the business, and shore up their resilience as an organization. Their input is reflected in key innovations like:
- Identity management for complex access models
- Automated certification as suspicious access activity is detected
- Separation-of-duties controls to prevent conflicts of interest
The result is an intelligent SaaS solution that applies the lessons learned from extensive field experience to help healthcare organizations continue governing wisely and well.
To learn more about identity security and the solutions SailPoint can deliver, please visit Identity for Healthcare.
- 1 “U.S. physician shortage growing,” Patrick Boyle, AAMC, June 26, 2020, https://www.aamc.org/news-insights/us-physician-shortage-growing#:~:text=Even%20as%20the%20nation’s%20health,and%20139%2C000%20physicians%20by%202033.
- Gabrielle Redford, “’Itching to get back in’: Medical students graduate early to join the fight,” Association of American Medical Colleges, April 3, 2020,https://www.aamc.org/news-insights/itching-get-back-medical-students-graduate-early-join-fight.
- Andras Cser and Merritt Maxim, “Making The Business Case For Identity And Access Management,” Forrester, October 7, 2019.
- “A Look at Contingent Workers,” Karen Kosanovich, U.S. Bureau of Labor Statistics, September 2018, https://www.bls.gov/spotlight/2018/contingent-workers/home.htm.
You might also be interested in:
Find out how SailPoint can help your organization.