(Part I in a multi-part post examining IAM in healthcare)
In most industries today, identity and access management (IAM) is a well-understood and established approach to IT security and data protection. IAM provides the full suite of tools that companies need to manage identities and access points across their workforce and customers, while simultaneously helping to manage risk, avoid fraud, and drive business goals.
For healthcare, IAM is critically important because it supports one of this industry’s incremental and hyper-critical priorities: workflow.
(Gus Malezis, President and Chief Executive Officer, Imprivata)
Optimizing workflows – both clinical application and network access workflow – must be a mandatory requirement for any IT solution, including IAM. It should be in alignment with – and not at the expense of – an organization’s IT security efforts.
With a robust IAM program in place, enterprises can both significantly bolster their workflow efficiency and enhance IT security, systems and data protection, and compliance. They will have the ability to focus on establishing trusted identities, and then maintaining, modifying, and monitoring them as needed, with consistency, speed, and efficiency. This includes initial onboarding and provisioning, and dynamic access management based on the changing roles, attributes, and permissions of each trusted identity. It also includes off-boarding and de-provisioning when an identity is no longer part of the organization.
The challenges of IAM implementation
Implementing an effective IAM program presents challenges that are familiar to other industries that have undertaken the digital transformation journey. Newly digital organizations must establish trusted identities across a complex network of people, technology, and information. By focusing on a trusted digital identity, organizations can optimize processes and technologies to solve critical workflow, security, and compliance challenges.
But in healthcare – where the users are different, and diverse, and absolutely focused on healthcare delivery (meaning the well-being of the patient supersedes all other priorities) – these challenges are particularly unique. In addition to a persistent and highly valued on-prem set of applications, there is an ever-expanding number of cloud applications, a diverse set of edge devices, and ever-more connected medical services (MIoT) devices. Also, an increasingly decentralized workforce has eroded the once well-defined network perimeter. In this new digital and hyper-complex life-critical world, hospitals and health systems are turning to trusted identities to manage processes and systems.
To get a sense of the specific challenges faced by healthcare in implementing IAM, let’s take a deeper look at what makes an effective IAM program and why it’s so important to healthcare.
The initial phases of healthcare’s digital transition focused on optimizing clinical application workflows within the traditional hospital setting. IT security was therefore focused on giving clinical users access to thick-client EMR and other clinical applications on shared workstations. Given this contained workflow, organizations were able to employ traditional network security measures to protect PHI and other data.
This approach soon showed its limitations, however, as healthcare organizations evolved. The continued shift to value-based care and the effects of digital transformation soon made healthcare organizations modern digital enterprises delivering care anywhere and anytime. The dramatic change means the care delivery ecosystem is no longer contained only within the four walls of the hospital and now reaches out to patients in all the areas of human presence.
What’s more, the users that must be addressed by an effective IAM program are very different in healthcare than they are in other industries. Our users in healthcare are some of the highest skilled, highest trained, dedicated, passionate, and determined individuals – and they care about the patient well-being first and foremost.
A diverse set of users
Within this modern healthcare ecosystem operates a much more extensive population of users – and they are no longer only employee-clinicians. Instead, they may be affiliate clinicians, interns, as well as administrative and enterprise staff. CIOs and CISOs, for example, now play prominent roles and are tasked with securing the full enterprise. This responsibility particularly emerges as these users increasingly seek access to information from anywhere, not just when they are on premises.
Clinical staffs are also evolving, and now comprise many different types of users, each with varying roles and access requirements. Combine this with an increasingly fluid user base, in which visiting providers, residents, locums, and other part-time clinicians change the composition of the clinical staff in real time. This constant fluidity creates a need to monitor and adjust roles (and role-based access) in real time.
Moreover, clinicians are not the only set of users IT must monitor. Business, IT, and other administrative users—as well as contractors and vendors—all have access needs to different applications and information in the modern healthcare enterprise.
In addition to workflow challenges, this presents a formidable IT security hurdle. Healthcare remains one of the most highly targeted industries for cyber-attacks. A recent report from Beazley Breach Insights showed the healthcare sector accounted for 41 percent of all breaches. And the cost of data breaches is among the highest of any industry: according to the IBM and Ponemon Institute 2019 Cost of a Data Breach Report, healthcare data breach costs average $429 per record (the highest of any industry, for the ninth straight year).
Clearly, healthcare has many more challenges to face than do most other industries.
Check in for the next installment of this series, which examines healthcare’s unique IAM challenges and considerations. For more information, browse the infographic.
Gus Malezis is President and Chief Executive Officer of Imprivata.