U.S. healthcare faces an historic challenge. In an era of unprecedented digitalization, which takes on even more relevance during public health crises and other disruptive events, the sector has more personal data breaches than any other industry. Public distrust in healthcare institutions’ ability to secure personal information is growing. And, the challenge is evolving: Although the number of healthcare data breaches has soared over the last 10 years, losses and thefts attributed to those breaches have actually diminished due to improved policies and procedures. The increase in overall breaches is now due to instances of unauthorized access along with hacking and IT incidents.
Why is this happening? It’s not for lack of regulation. Congress created the Health Insurance Portability and Accountability Act (HIPAA) nearly a quarter-century ago to shield the confidentiality, integrity and availability of personal health information, or PHI. Since then, federal regulators issued the HIPAA Security Rule to provide protection standards for electronic PHI.
The consequences of noncompliance are potentially severe. In late 2019, the U.S. Department of Health and Human Services (HHS) raised the annual penalty for HIPAA violations to as much as $1,754,698. In addition, if a data breach affecting 500 or more individuals occurs at a healthcare provider or other covered entity, HHS will make the entity’s name, location and other information public.
Read on to learn how healthcare providers can gain control over Identity Governance. We’ll start by addressing the unique challenges of Identity Governance in healthcare. After that, we’ll outline the capabilities that organizations should look for in an effective Identity Governance platform. And we’ll close with what providers should look for in an Identity Governance platform provider.
1. Organizational Barriers to Identity Governance
At the same time that healthcare providers have been consolidating into vertically integrated systems, they’ve also been expanding into nontraditional settings such as urgent care clinics, hospices, outpatient facilities and rehabilitation centers. Then there’s the rise of remote work across the labor spectrum, from clinicians (as with telemedicine) to researchers to home health aides. All the while, healthcare professionals are accessing critical applications in the cloud and sending data over communications networks to a variety of electronic devices that are needed to improve care coordination.
This confluence of trends has created a number of unique Identity Governance challenges for healthcare organizations.
Healthcare staff has become more mobile. Contractors, business partners and vendors move in and out of the organization. Team members change assignments and locations. In addition, clinicians are adopting more point-of-care solutions that make patient data available through their mobile devices. In all these scenarios, professionals need immediate access to the applications that are critical to their workflow.
Access tracking is often siloed by function or business unit, with one repository for human resources, another for clinicians using electronic medical records (EMR), yet a third for learning management systems, and so forth. Some repositories are rudimentary, typically based on manual, error-prone spreadsheets. Credentialing systems may be entirely separate from access repositories. All this makes cross-referencing, data analysis, reporting and auditing difficult, if not impossible.
Healthcare organizations are onboarding software applications at a rapid clip. Some are clinical and some are operational, but what many have in common is a cloud-based platform or software as a service (SaaS) distribution model. For example, an accountable care organization (ACO) might execute dozens of new contracts with software vendors over the course of a year, with limited insight at an organizational level into who has access to each.
In a healthcare setting, internal stakeholders tend to prioritize initiatives that directly impact patient care. Beyond that, many healthcare professionals lack insight into the risks that arise when people have access to the wrong data. All this can put IT investments at a disadvantage when it comes to securing resources for identity solutions and platforms.
A significant amount of hospital data may not be in any of the organization’s actively managed systems. For example, people may cut information from a medical record and paste it into a document outside of the intended application. Other times, the data never makes it into an approved application, as sometimes happens with medical transcriptions or continuity of care documents. Whatever their origin, such files can be hard for organizations to detect and control.
2. Six Capabilities of an Effective Identity Governance Platform
According to HHS, effective Identity Governance provides “access to reliable information on the identity of individuals, the association of health information with the correct individual, the association of providers with the consumers they serve and the organizational affiliations of individual providers.” In other words, it’s about visibility into who users are and what permissions they have.
That’s Identity Governance at its most basic level. In a healthcare setting, however, the demands are more complex. Healthcare organizations use Identity Governance to keep sensitive clinical data safe by ensuring that users have access only to what they need. At the same time, it has to grant appropriate access promptly so that staff can carry out their work without delay, whether they are waiting for initial provisioning or facing interruptions when their roles change or end. The six essential capabilities to look for are:
- Self-service access request so that users can apply for access themselves. The access request system provides a single interface for requesting and approving access, while automated policy management boosts security through consistent policy enforcement.
- Access certification with artificial intelligence (AI) algorithms to ascertain what kind of access users need. Built-in reporting reduces the cost of compliance by automatically generating audit trails and access reports on all key applications and data.
- Connectivity among applications and data sources. It’s not uncommon for a larger health system to have hundreds of applications in use. An Identity Governance platform should integrate them all, be they homegrown or commercial, to accomplish identity-related tasks.
- Automated provisioning to applications based on users’ roles. Users can be productive from day one, with access changing appropriately as their role evolves. Automated removal of access and accounts, as needed, helps to manage risk.
- A subscription model in which the software provider hosts the Identity Governance platform and makes it available to the organization over the internet. This relieves acute and post-acute care organizations of the need to invest in costly IT equipment or labor to manage maintenance and upgrades.
- Scalability to accommodate an expanding organization. User experience and processing time remain unaffected with the addition of identities, accounts, assigned entitlements and applications. The operational health and status of the system is visible, while the system itself is engineered to optimize complicated tasks.
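The role-based provisioning and automated removal described above, as an added example that is not SailPoint's code or any product's API: a small reconciliation that compares a constructed HR roster against the entitlements each siloed application currently holds, using a hypothetical role-to-entitlement policy, and reports the grants joiners and movers still need, the revocations due for leavers and over-privileged users, and orphaned accounts with no HR record. All roles, users, applications and entitlements are constructed for the example.

```python
# Role-to-entitlement policy (constructed, hypothetical). Keys are HR job codes;
# values map application -> set of entitlements that role is allowed to hold.
ROLE_POLICY = {
    "RN":       {"emr": {"chart_read", "chart_write"}, "lms": {"learner"}},
    "BILLING":  {"emr": {"chart_read"}, "billing": {"claims_submit"}},
    "IT_ADMIN": {"emr": {"user_admin"}, "lms": {"course_admin"}},
}

# HR roster (constructed): identity -> (role, active flag).
HR_ROSTER = {
    "nurse01": ("RN", True),
    "bill01": ("BILLING", True),
    "admin01": ("IT_ADMIN", True),
    "nurse02": ("RN", False),   # leaver; accounts may still linger in apps
}

# Entitlements currently held, as pulled from each siloed application (constructed).
CURRENT_ACCESS = {
    "emr": {"nurse01": {"chart_read"},
            "bill01": {"chart_read", "chart_write"},   # over-privileged
            "nurse02": {"chart_read"},                 # leaver still has access
            "contractor99": {"chart_read"}},           # no HR record at all
    "lms": {"nurse01": {"learner"}, "admin01": {"course_admin"}},
    "billing": {"bill01": {"claims_submit"}},
}

def reconcile(roster, current, policy):
    """Return (grants, revokes, orphans) from comparing app state with HR + policy."""
    grants, revokes, orphans = [], [], []
    for app, accounts in current.items():
        for user, held in accounts.items():
            if user not in roster:
                orphans.append((app, user))          # unknown identity: investigate
                continue
            role, active = roster[user]
            desired = policy.get(role, {}).get(app, set()) if active else set()
            for ent in held - desired:
                revokes.append((app, user, ent))     # leaver or mover holding excess
    for user, (role, active) in roster.items():
        if not active:
            continue
        for app, desired in policy.get(role, {}).items():
            for ent in desired - current.get(app, {}).get(user, set()):
                grants.append((app, user, ent))      # joiner/mover missing access
    return sorted(grants), sorted(revokes), sorted(orphans)

if __name__ == "__main__":
    for label, rows in zip(("GRANT", "REVOKE", "ORPHAN"),
                           reconcile(HR_ROSTER, CURRENT_ACCESS, ROLE_POLICY)):
        for row in rows:
            print(label, *row)
```

In practice the roster and per-application access would come from connectors to the HR system and each application, and the revoke and orphan lists would feed an access certification review before anything is removed.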
The gold standard in Identity Governance is an AI-driven platform that offers clarity on access recommendations and automates much of the decision-making process. Returns on investment will show up in the form of fewer errors, faster turnaround times and lower security costs in line with internal policies and broader regulatory requirements.
3. The Brave New World of Identity Governance
The era of Identity Governance as a perfunctory exercise has drawn to a close. In today’s healthcare environment, it’s become a strategic enabler—one that helps the organization get the most from its people, processes and data. That means a new set of considerations for hospital systems as they weigh their options for an Identity Governance platform. Healthcare decision makers should aim for an Identity vendor that has:
- Tenure of experience. Innovative technology is necessary but insufficient. A platform provider should have deep familiarity with the unique challenges of acute and post-acute care organizations. Don’t think vendor, think business partner.
- A path to the cloud. The organization may or may not be ready for an on-demand computing service. But when the time comes, the organization should be able to shift to the cloud without having to scrap the old IT investments.
- An ability to work with many types of people. Identity Governance platforms exist to serve healthcare professionals, not the other way around. A provider should take a collaborative approach with users—from affiliated physicians to temporary nurses, contractors and others—in shaping solutions to their needs.
If there’s one way to sum up the underlying philosophy of Identity Governance in healthcare, it’s this: By putting technological advancements to work on Identity Governance, an effective platform can remove obstacles within the organization so that people can get down to the critical business of improving the patient experience of care, improving the health of populations, and reducing the per capita cost of healthcare.
To learn more about Identity Governance and SailPoint’s identity solutions for healthcare, please visit our Identity for Healthcare page.