TEKsystems provided a strategy to mature identity and access management for a major healthcare provider, Yale New Haven Health System.
Yale New Haven Health System (YNHHS) operates three hospitals, including Yale New Haven Hospital, several specialty networks and a non-profit medical foundation. YNHHS serves patients in Connecticut, Rhode Island and New York. The network has a strong reputation for innovation in healthcare delivery. TEKsystems has been a trusted partner of YNHHS since 2000.
Major advances in technology, as well as seismic shifts in government regulation, have propelled the healthcare industry into a period of disruption. Healthcare IT leaders must navigate a shifting terrain of possibility and risk.
While technological advances offer opportunities to improve healthcare delivery, the technical and regulatory landscape poses several challenges. Healthcare IT leaders must manage a multitude of applications and technologies, including electronic medical records (EMRs), billing, customer communications and more. Most critically, they must ensure sensitive health data is readily available to the right people but protected from unauthorized access.
While maintaining the privacy of protected health information is the foremost priority, IT teams also need to manage the user experience carefully. Medical staff must be able to quickly and easily use the technologies while maintaining their focus on care delivery.
Finally, IT leaders know the rapid changes in healthcare IT will continue well into the future. As IT departments try to reach a steady state, finding ways to balance a host of applications and data systems with the need to control access, they must use technology platforms that provide flexibility, performance and security.
YNHHS is a multifaceted healthcare system that employs thousands of people. The system includes several hospitals, a pharmacy, a provider network and community-based practitioners. Like other healthcare organizations, YNHHS uses an array of linked applications and data types.
The health system operates under a strict regulatory environment for healthcare IT. The Health Insurance Portability and Accountability Act (HIPAA) places stringent conditions on access to patient data, while recent legislation like the HITECH Act, which mandates meaningful adoption of health information technology, has created an environment of extraordinary complexity.
In addition, YNHHS faces a challenging staffing environment. The health system employs and interacts with a complex mix of personnel that includes permanent and contingent medical staff, support personnel, vendors, volunteers and other nonemployee subtypes. The system’s flagship hospital serves as Yale University’s primary teaching facility, so university staff and students also participate in patient care. These personnel have different levels of access to various types of data or portions of patient records, and that access must be carefully managed to protect sensitive information. For example, accounts payable clerks should be able to see the parts of patient records they need for billing but not details about patients’ medical histories. It is a critical responsibility of the health organization to ensure patient information is protected, controlled and only accessible to the required users.
Looking to manage this complexity—and also maximize technology’s promise of better care delivery—YNHHS recently executed a major transformation of its EMR system to unify patient data into a portable record. While such system upgrades ultimately aid in streamlining operations, the initial investment in IT resources and staff learning time significantly disrupts normal business operations.
When the EMR upgrade concluded, the information security team turned their attention to IAM processes to enhance their ease of use. They noticed a heavy volume of help desk requests for password resets, particularly from doctors, and were concerned about the implications. To obtain guidance on this issue, YNHHS sought a strategic partner with expertise in information security and IAM.
TEKsystems had a long-term relationship providing YNHHS with workers with hard-to-find security skill sets. Based on the strength of that partnership, YNHHS requested a meeting with our Identity and Access Management practice director to discuss general user provisioning and software guidance for their IAM program. During the course of this conversation, YNHHS realized they needed help overhauling the entire IAM program, including processes, governance and technology. YNHHS’s information security team asked us to conduct an analysis of their current IAM program and create a roadmap for maturing it.
We proposed designing an IAM solution that would incorporate sophisticated principles around compliance while providing a structure for strong data access governance. The goal would be a scalable IAM program capable of adapting to changing regulatory conditions.
As part of our solution, we would analyze and suggest potential updates to YNHHS’s practices for onboarding and managing users. Standardizing these processes would require understanding the business requirements of stakeholders across the organization, including Human Resources, Finance and medical staff, among others.
Finally, the IAM roadmap would introduce new compliance-related functionality to aid in the proper management of health information. Critically important to maintaining compliance with evolving regulations, our plan would bring a high degree of transparency into which applications and data users could access. The strategy would provide the tools to consolidate reporting across all systems, making it easier to understand and plan for the implications of incorporating new applications and user types.
Using insight gained from our analysis of YNHHS’s IAM practices and business processes, we delivered a customized strategy to lead them to a robust, scalable IAM foundation. YNHHS gained a deep understanding of their current IAM situation with 55 specific findings, and a roadmap of 14 unique projects needed to modernize the IAM program.
Our analysis uncovered the core limitation in YNHHS’s existing IAM program, which was the lack of centralized management of nonemployee identities. This drove the user issues YNHHS experienced related to password resets. To solve this immediate problem and shore up security, we recommended a number of immediate actions and a specific project to centralize the management of nonemployees.
In addition to solving the client’s user problem, we delivered a strategy that addresses the access governance, technology changes and process updates needed to build a foundation that will allow for transparency and growth. The solution employs an identity warehouse to allow consolidated reporting and auditing of systems access and approvals. Role-mining capabilities will provide an efficient way to map users’ roles to the appropriate systems and update their access based on changing job titles or functions. Additionally, the solution includes auto-alert capabilities to notify administrators of any access conflicts (e.g., overlapping roles or former personnel whose access has not been disabled). This functionality will bring a high degree of transparency into access to YNHHS’s application systems.
In addition to creating the multiyear roadmap, we advised on concrete steps YNHHS can take in the interim to address IAM issues. Using our 30-, 60- and 90-day activity plans, YNHHS can start making improvements right away. Finally, we provided the client with a fully developed business case for funding to implement the project.
YNHHS was pleased with our recommended strategy and is currently seeking funding to adopt the plan. Once implemented, the IAM program will provide a solid foundation for coping with a rapidly changing regulatory environment. Overall, the client now has a thorough understanding of their compliance and information access issues, and a roadmap for implementing the process and technologies needed to mature their IAM program. The end result will be an IAM program that enhances compliance, increases security and creates an efficient user experience.