In the first two installments of this multi-part series about Digital Identity and Access Management (IAM) in healthcare, we examined the critical importance of IAM in bolstering IT security, enhancing data protection, and assuring compliance – all of which must be delivered while supporting and enhancing current and future clinical workflows of our providers.
(Part III in a multi-part post examining IAM in healthcare)
In examining why IAM is so important to healthcare, we also took a close look at the four “planes” of the modern healthcare ecosystem – the users, their operational locations, edge devices being used to access clinical networks, and the apps and services they’re using to deliver patient care – to understand the growing workflow and security challenges within today’s digital healthcare world.
(Gus Malezis, President and Chief Executive Officer, Imprivata)
As we come to appreciate the pivotal role that IAM and digital identity will play in this increasingly complex environment, the essential value of trusted identities becomes clearer – as does the need for healthcare to have the right infrastructure in place to support and manage those identities. This post examines those new infrastructure requirements – beginning with the need for efficient and transparent access to cloud applications.
Digital transformation in healthcare
Healthcare organizations are becoming modern, sophisticated digital enterprises with a care delivery ecosystem that extends beyond the four walls of the hospital. In this new ecosystem, where providers and employees across the delivery organization access information from inside and outside the hospital, organizations must establish trusted digital identities across a complex network of people, technology and information.
But it doesn’t stop there – healthcare organizations also need enhanced capabilities that improve productivity and address critical identity and access management challenges while supporting and ideally optimizing and enhancing workflows for their clinical and enterprise users.
And these are only a few of the unique challenges that healthcare organizations face as the industry evolves to become more distributed and remote. The proliferation of cloud applications is helping this increasingly decentralized workforce access the information they need to provide patient care, but it is also contributing to the erosion of the once well-defined network perimeter.
To support the adoption of much-needed cloud technology without disrupting user experience or the delivery of patient care, healthcare organizations need technology solutions that deliver secure, frictionless access to all applications. These solutions must be purpose-built to enable anytime, anywhere access to Web and on-premises applications to support healthcare’s hybrid environments.
High trust digital identities
In our new widely dispersed and diverse healthcare delivery environment, the number of devices, logins, and channels that providers use continues to grow rapidly in quantity and diversity. As a result, clinicians often create widely disparate digital identities, many of which may be simple email addresses or user IDs, and all of which need to be managed, tracked and – naturally for the user/provider – need to be committed to memory so they can be available and be applied, quickly, when needed. This process of creating, remembering and keeping secure a large complement of user IDs and passwords introduces a great deal of complexity. What’s more, that is just the beginning: these IDs are not verified or validated, and therefore are not of high trust. To solve this problem, more healthcare organizations are turning to IAM to validate the identity, facilitate access, and protect against cyberattacks.
What do these solutions look like? Many products that exist today are built to address individual challenges, but today’s digital world requires an end-to-end system that is capable of authenticating, managing, and monitoring identities across the board. To survive in the future, healthcare organizations will need to move beyond password management and basic single sign-on (SSO) solutions and deploy more robust, comprehensive systems that can ensure that the right people have access to the right things at the right time.
When done right, an IAM system should enable fast and secure access to on-premises and cloud applications, regardless of where providers are located, or what device they are using to access systems. From private or shared workstations, to mobile devices and notebooks – to be effective, IAM solutions must now support every person and device that exists in healthcare’s hybrid environment. Unfortunately, that is simply not the norm for most solutions available in today’s market.
Healthcare organizations also need an agile IAM solution that can easily integrate with other systems and tools, including EHRs and on-premises clinical applications. Modern solutions, for example, integrate with an array of innovative, convenient, and secure multi-factor authentication modalities, including push tokens, fingerprint biometrics, and hands-free authentication, which also comply with DEA regulations for electronic prescribing of controlled substances (EPCS).
Adaptable technology – to all locations
Many healthcare organizations are just beginning their transition to the cloud. Regardless of where they are on the digital transformation journey, they all still have some systems on-premises – that’s just the nature of healthcare – so they need more adaptable technology that can work in any environment. This technology must support the adoption of cloud technology without disrupting user experience or the delivery of patient care.
The industry is under enormous pressure to innovate – but with the unique goal of streamlining physicians’ work, improving patient outcomes and lowering costs. Digital technologies have huge potential to help achieve these goals and make a positive impact, but security remains a significant battle. A modern IAM solution can alleviate the challenge of balancing security and convenience by not only establishing trust across networks – people, technology, and information – but then sustaining and confirming that trust throughout the patient care lifecycle.
(Part II in a multi-part post examining IAM in healthcare)
In the first installment of this multi-part series about identity and access management (IAM) in healthcare, we examined the critical importance of IAM in bolstering IT security and enhancing data protection. Recognizing the unique challenges that healthcare presents when implementing an IAM program, we discussed what makes an effective IAM program and why it’s so important to healthcare.
Healthcare’s rapid transition to a fully digital environment has benefitted from the introduction of sophisticated IT tools to the hospital ecosystem and bedside workflows, which have greatly helped improve the delivery of care. In the course of improving care delivery, however, healthcare also experienced something else: greater complexity.
(Gus Malezis, President and Chief Executive Officer, Imprivata)
Today’s modern healthcare delivery ecosystem consists of a much more extensive and expansive population of providers and users, all of whom are operating from multiple locations. Oftentimes, these locations are outside the four walls of the hospital, and furthermore the users access systems through an exploding number of devices and an ever-increasing complement of applications that reside on-prem and progressively in the cloud.
In this post, we will look at the four “planes” of the modern healthcare ecosystem to get an appreciation for the ways that improving care delivery is creating more complexity across the industry – and the pivotal role that digital identity and IAM will play in this environment.
The Four Planes
Healthcare delivery now happens around the clock, with a diverse set of healthcare professionals, each of whom is regularly using all kinds of connected and different devices. By taking the IT tools we have and adjusting them to the dimensions of these rapidly evolving planes, we can continue supporting them and enabling improved care in the healthcare continuum.
Plane I – Who are the users?
Now and into the future, the professionals accessing healthcare systems are multiplying exponentially. Instead of just doctors and nurses – as was the case in the recent past – we now have affiliates, administrative staff, and other external users. This easily doubles, and even triples, the number of people we consider to be “users” or, more importantly, healthcare providers; it’s now anybody who is in association with your healthcare ecosystem.
Plane II – Where are they operating?
The physical locus of healthcare delivery is no longer only a hospital. It can be a clinic, a doctor’s office, or a home-care situation. Today’s healthcare providers are no longer just operating in a single location at the hospital or acute-care environment – they’re everywhere.
Plane III – What devices are they using to access the digital networks?
It used to be that providers would access a system through a computer, usually a Windows system, located at a nursing station – but that’s no longer the case. Now, machines are in a patient’s room, or are portable and in the hands of the providers as they make their patient rounds. These machines may be corporate devices, or they could be personal. Some can also be virtual machines, Android or iOS smartphones and tablets, or medical devices. Healthcare is experiencing an explosion of connected digital devices, taking us from 1X to numbers that are 4X or even 10X (especially if you include medical devices) in terms of access points.
Plane IV – What are the apps and services they use to deliver healthcare?
Providers are no longer limited to a constrained complement of apps such as the EHR, imaging, scheduling and communications. Now we are seeing many more apps become available to providers, including HR, payroll and office automation apps. These apps run the spectrum of classical fat-client apps, virtual apps, SaaS and cloud apps, along with mobile apps. Here again the population of offerings continues to explode in volume.
IAM considerations in healthcare
This proliferation of…EVERYTHING…has eroded the once well-defined network perimeter and the systems and services delivered within that environment. In this new ecosystem, organizations must architect and build for this scale and establish trusted identities across a complex network of people, technology, and information.
With a focus on trusted digital identity, organizations can optimize processes and technologies to solve the equally critical aspects of (a) workflow, (b) security, and (c) compliance challenges. They can give users secure access to the applications, devices, and information they need, anywhere and anytime they need it.
Healthcare has unique considerations and challenges that directly impact IAM purchasing, deployment, and management decisions. And they’re not limited to the entities (users, devices, applications) that must be addressed by an effective IAM program. Clinical workflows are also complicated by the industry’s complex ecosystem.
Regulatory concerns pose another unique challenge for the industry. Healthcare is a heavily regulated industry, and the information that’s shared is highly sensitive. This requires compliance with unique and specific regulatory requirements, from HIPAA to DEA requirements for electronic prescribing of controlled substances (EPCS).
Addressing the challenges
So, how do we overcome these challenges to give users secure access to the applications, devices, and information they need, anywhere and anytime they need it? This is where a solid identity and access management (IAM) strategy comes into place.
First, IT teams need to grant the right users the right level of access into the right systems. With the right identity management technology in place, healthcare organizations can automate the process of quickly provisioning, updating, and deactivating user access. This has to be accomplished through automation and a fast, repeatable, and consistent process.
Next, give users the “anytime, anywhere” access they need from any device by eliminating the overreliance on usernames and passwords. Single sign-on (SSO), for example, allows users to access any of their devices, whether it’s the shared nursing station desktop, the VDI/thin/zero end-point, their dedicated Windows desktop/laptop, or the shared smartphone or tablet. Moreover, it’s all done with the simple, well-understood and ubiquitous badge tap, and in that same process, they can automatically and appropriately access their applications, be they on-prem or cloud apps.
To get the security and compliance part right, especially when elevated levels of trust are required or mandated, the next step is layering on an effective and efficient multifactor authentication system. Pick the combination of authentication methods that’s right for your organization. The combination of two or more factors including a push token, fingerprint biometrics, or hands-free authentication, amongst others, makes security transparent so it doesn’t interrupt clinical workflow. Hands-free authentication with invisible/transparent 2nd factor is a particularly usable innovation, as the technology fades to the background, becoming invisible, enabling the provider to focus on what’s important – the patient – and enhancing productivity.
As an industry, healthcare has traditionally focused on locking down everything within our networks. In the new digital world, it’s time to take the same precautions with the new non-perimeter and the broader set of variables – all of which should support the well trusted clinical workflow and enhance care delivery. Protecting against new cyber security risks requires having the right technology in place, starting with an integrated IAM solution. This is the first step for healthcare organizations to strike the necessary, but often elusive, balance between security and clinical workflow efficiency across the evolving healthcare technology landscape.
Digital identity and IAM now play an even more pivotal role. We need trusted identities. We also need the right infrastructure to support and manage those identities – something we will examine in our next post in this series.
Check back in November for the final installment of this series, and for more information, browse the infographic.
(Part I in a multi-part post examining IAM in healthcare)
In most industries today, identity and access management (IAM) is a well-understood and established approach to IT security and data protection. IAM provides the full suite of tools that companies need to manage identities and access points across their workforce and customers, while simultaneously helping to manage risk, avoid fraud, and drive business goals.
For healthcare, IAM is critically important because it supports one of this industry’s incremental and hyper-critical priorities: workflow.
(Gus Malezis, President and Chief Executive Officer, Imprivata)
Optimizing workflows – both clinical application and network access workflow – must be a mandatory requirement for any IT solution, including IAM. It should be in alignment with – and not at the expense of – an organization’s IT security efforts.
With a robust IAM program in place, enterprises can both significantly bolster their workflow efficiency and enhance IT security, systems and data protection, and compliance. They will have the ability to focus on establishing trusted identities, and then maintaining, modifying, and monitoring them as needed, with consistency, speed, and efficiency. This includes initial onboarding and provisioning, and dynamic access management based on the changing roles, attributes, and permissions of each trusted identity. It also includes off-boarding and de-provisioning when an identity is no longer part of the organization.
The challenges of IAM implementation
Implementing an effective IAM program presents challenges that are familiar to other industries that have undertaken the digital transformation journey. Newly digital organizations must establish trusted identities across a complex network of people, technology, and information. By focusing on a trusted digital identity, organizations can optimize processes and technologies to solve critical workflow, security, and compliance challenges.
But in healthcare – where the users are different, and diverse, and absolutely focused on healthcare delivery (meaning the well-being of the patient supersedes all other priorities) – these challenges are particularly unique. In addition to a persistent and highly valued on-prem set of applications, there is an ever-expanding number of cloud applications, a diverse set of edge devices, and ever-more connected medical services (MIoT) devices. Also, an increasingly decentralized workforce has eroded the once well-defined network perimeter. In this new digital and hyper-complex life-critical world, hospitals and health systems are turning to trusted identities to manage processes and systems.
To get a sense of the specific challenges faced by healthcare in implementing IAM, let’s take a deeper look at what makes an effective IAM program and why it’s so important to healthcare.
The initial phases of healthcare’s digital transition focused on optimizing clinical application workflows within the traditional hospital setting. IT security was therefore focused on giving clinical users access to thick-client EMR and other clinical applications on shared workstations. Given this contained workflow, organizations were able to employ traditional network security measures to protect PHI and other data.
This approach soon showed its limitations, however, as healthcare organizations evolved. The continued shift to value-based care and the effects of digital transformation soon made healthcare organizations modern digital enterprises delivering care anywhere and anytime. The dramatic change means the care delivery ecosystem is no longer contained only within the four walls of the hospital and now reaches out to patients in all the areas of human presence.
What’s more, the users that must be addressed by an effective IAM program are very different in healthcare than they are in other industries. Our users in healthcare are some of the highest skilled, highest trained, dedicated, passionate, and determined individuals – and they care about the patient well-being first and foremost.
A diverse set of users
Within this modern healthcare ecosystem operates a much more extensive population of users – and they are no longer only employee-clinicians. Instead, they may be affiliate clinicians, interns, as well as administrative and enterprise staff. CIOs and CISOs, for example, now play prominent roles and are tasked with securing the full enterprise. This responsibility particularly emerges as these users increasingly seek access to information from anywhere, not just when they are on premises.
Clinical staffs are also evolving, and are now composed of many different types of users, each with varying roles and access requirements. Combine this with an increasingly fluid user base, in which visiting providers, residents, locums, and other part-time clinicians change the composition of the clinical staff in real time. This constant fluidity creates a real-time need to monitor and adjust roles (and role-based access).
Moreover, clinicians are not the only set of users IT must monitor. Business, IT, and other administrative users—as well as contractors and vendors—all have access needs to different applications and information in the modern healthcare enterprise.
In addition to workflow challenges, this presents a formidable IT security hurdle. Healthcare remains one of the most highly targeted industries for cyber-attacks. A recent report from Beazley Breach Insights showed the healthcare sector accounted for 41 percent of all breaches. And the cost of data breaches is among the highest of any industry – according to the IBM and Ponemon Institute 2019 Cost of a Data Breach Report, healthcare data breach costs average $429 per record (the highest of any industry, for the ninth straight year).
Clearly, healthcare has many more challenges to face than do most other industries.
Check in for the next installment of this series, which examines healthcare’s unique IAM challenges and considerations. For more information, browse the infographic.