Six months prior to its scheduled go-live with a new electronic health record in 2012, Pomona Valley Hospital Medical Center had a big problem: It lacked a scalable and sustainable identity and access management solution.
“The project was going sideways and was only going to get worse as we rolled out more applications, so we had to eject,” CIO Kent Hoyos says.
The 412-bed hospital, which serves eastern Los Angeles and western San Bernardino counties, started investigating IAM solutions it could implement in short order when its EHR vendor suggested Imprivata. Two weeks after being shown a proof of concept, the organization began piloting the company’s OneSign solution.
Soon afterward, Hoyos and his team rolled the technology out across the hospital and haven’t looked back since. OneSign allows Pomona’s clinicians to enter a single username and password and wave a badge over a reader, which automatically logs them in to all the applications they need to use. That enables unimpeded roaming between locations — from a patient’s room to a nursing station, for instance — as clinicians care for individuals and enter or retrieve data.
Pomona’s OneSign implementation also complemented work on the deployment of a Citrix virtual desktop infrastructure. The organization wanted to standardize its infrastructure so that no matter a user’s location, they would have the same experience and the same user interface, Hoyos says.
“The success for us has been clinicians’ acceptance, and as we’ve added applications, this tied in nicely with their workflow,” he says. “If they need to move somewhere else, they can tap out. The session lays in suspense for a few hours, and they can go right back to where they were.”
Hospital clinicians typically use multiple applications, with doctors and nurses at Pomona leveraging 35 to 40 different applications daily, Hoyos says. Identity and access management solutions enable IT teams to optimize workflow for end users, which ultimately leads to a better provider experience and more seamless patient care.
DOWNLOAD: See how organizations are keeping up with next-level security!
Envision Healthcare Adopts Common Computing After M&A
In an era of increased mergers and acquisitions in healthcare, many growing organizations are turning to IAM solutions to streamline operations and offer common computing experiences across user settings.
Nashville-based Envision Healthcare has grown rapidly through M&A activity. It contracts with hospitals and health systems to provide doctors and clinicians to those organizations, and owns 261 surgery centers and a surgical hospital. With that growth comes challenges around assimilating new employees and identity and access management for both business users and clinicians.
Photo: David Zentz.
In 2015, Envision began work on deploying a common single sign-on approach so clinicians and business users could more easily access various applications.
“If our providers want to look at a paycheck or view shifts, having multiple logins is very counterproductive,” says CTO Bryan Ferrel. “We needed to have a way to give providers a much easier experience and a more common access methodology.” Envision chose to implement Okta’s cloud-based SSO solution based on the company’s reputation in healthcare.
“Okta’s previous work with providers was an important factor for us,” Ferrel says. “They had demonstrated success, including with two-factor authentication, which is a requirement for some healthcare-specific applications.”
When users want to access their applications, either behind the firewall or in the cloud, they open Okta and click on buttons on the screen, called chiclets. That allows users to sign in to their chosen app and authenticate themselves.
One of the initial challenges involved getting all the clinicians to register and create profiles in Okta, Ferrel says. Another was that some legacy applications did not initially work with the solution. Most of the enterprise applications were already enabled, however, so it was an easy rollout, he says.
As Envision provisions new employees, Okta, Microsoft Active Directory and Oracle are the trifecta of solutions on which it relies most. “We have some automated ways where we can onboard users as they join our team,” Ferrel says. “We are rolling that out across the entire organization.”
Use of Okta’s tools has expanded gradually throughout Envision, starting with small pilots and growing from there. “We are moving to a broader initiative for it to be our single sign-on solution across our entire portfolio of companies,” Ferrel says. “The technologists in our company have been very appreciative because it has very much simplified our work with the applications we interact with every day.”
Security Ownership Can Boost IAM Projects
IAM issues have grown more complex with the introduction of mobile devices and two-factor authentication. In the past, IAM focused more on username and password management, typically the responsibility of the infrastructure operations team.
But as these projects become more high profile, data security gets involved. In fact, who owns IAM may reflect an organization’s maturity and how aggressively it pursues IAM strategies, says Mark Bowker, a senior analyst with Enterprise Strategy Group.
“I have seen IAM projects really accelerate when that ownership role is shifted to the information security team, which has the competencies to develop the strategy,” he says.
Now that more clinicians are using mobile devices, such as smartphones or tablets, hospitals and health systems have to take their username and password policy and bring it to the mobile world, Bowker says. Mobile devices offer a lot of benefits, but IAM solutions must provide strong authentication in that environment while still following HIPAA and other regulations.
“There will be a day when we eliminate or significantly reduce the use of usernames and passwords,” Bowker says. “I really believe that doing some type of strong authentication through a hardware token, a fingerprint or body movement is going to be the authentication of the future.”
Ensuring that the timing of an IAM deployment right is crucial too. Hoyos is convinced that it was important to get the organization’s IAM solution in place at Pomona prior to rolling out a slew of new applications, including the health records system.
“This gives us more control,” he says. “We have the ability to manage all of our passwords in one common way. It is a game changer for our organization.”
A lot of places start with the applications and don’t necessarily worry about how their end users are going to access them, which winds up being messy, Hoyos adds. “You have to think about how you’d want this type of solution brought to you as a user yourself.”
Hoyos also acknowledges that although there are many ways for an IAM implementation to turn out poorly, users tend to take it for granted when it goes well.
“They think of it as a utility, and it works like one,” he says. “Rarely do people comment when the water comes out of the fountain cold. They just expect it to work.”
