Identity and Access Management: An unlikely healthcare hero
April 14, 2015 | By Lisa Dare, TEKsystems Digital Content Strategist
Yale New Haven Health System is known for successful innovation in healthcare delivery. The system stays on the leading edge of innovation, driving new ideas in the field of healthcare, financial management and even its IT initiatives. In fact, Yale New Haven recently took advantage of a major electronic medical records upgrade to integrate patient and financial data—and made progress in improving both.
But Yale New Haven’s successful innovation didn’t come at the expense of investing in the fundamentals.
The healthcare system made a major investment in getting its Identity and Access Management shop in order, improving its information security risk profile while enhancing the end-user experience.
Identity and Access Management (IAM) is one of the least sexy parts of IT, but it’s critical to ensuring both regulatory compliance and information security. In fact, substandard IAM governance was probably a factor in recent high-profile security hacks.
So what is IAM? IT managers generally think of it as a system for managing passwords for multiple software systems—think Microsoft Active Directory. But a sophisticated IAM program of the type needed for regulation-heavy industries like healthcare encompasses so much more: technology, processes and governance.
Building an IAM roadmap to take your organization into the future
How to best manage IAM depends heavily on the needs of your users. A healthcare organization can contain an especially complex variety of users, including doctors and nurses, billing agents, pharmacists, technicians, non-employees (e.g., nurse temps), and even medical students and volunteers. Each role has different needs for information access; accounts payable clerks certainly shouldn't see medical history details any more than staff doctors should see financial records.
And while mobile devices like iPads contain great promise for speeding up care delivery and data collection, they add a layer of complexity to managing access.
How can you stop employees from introducing security risks?
While complying with the complex—and fast-changing—government regulations governing data access is critical for avoiding legal trouble, the end-user experience for medical staff is at least as important to consider.
And it's not just because patients’ lives can depend on timely access to data. More importantly from an infosec perspective, medical staff are likely to introduce security risks if they can’t easily access applications or data. Sharing passwords is common—and dangerous. Your best defense is a well-oiled IAM program that removes the incentive for workarounds. In other words, you must understand how medical staff use passwords, applications and hardware—and make it easy for them to do so.
Financial and human resources personnel also have a stake in IAM. In Yale New Haven’s case, HR handles a wide variety of personnel, ranging from permanent staff to volunteers and doctors, and they have a part to play in managing roles and access. And, as Yale New Haven’s recent success in cutting costs while improving patient care shows, financial information is often linked to outcomes. In a telling example, Yale New Haven was able to improve financial margins by standardizing care quality for patients, allowing them the leeway to make better decisions that benefited both, such as investing in a team of skilled nurses to intervene in critical ICU cases.
A digital trail
Transparency is a critical component of IAM. A robust solution allows simple auditing of both access and roles. It also enables automatic alerts for potential issues like unusual behavior, overlapping roles or outdated identities that need to be terminated.
Planning for the future
Death, taxes and evolution in healthcare: now there are three things you can count on. As an intensely regulated industry going through a sea change, healthcare will certainly evolve—and healthcare IT is usually on the front line of these changes. Meaningful use requirements, HIPAA changes, InfoSec breaches, mergers and consolidations: these represent only a few of the challenges HIT organizations face. Investing in a flexible and robust IAM system now will smooth the way for these evolutions.