
Apr 28 2021
Security

Choosing the Right Identity and Access Management Solution for Healthcare

Organizations must consider vendor reliability, breadth of integrations and ease of use for this critical security system.

Healthcare organizations increasingly find themselves in the crosshairs of sophisticated attackers. From high-profile ransomware attacks to the insidious compromise of network monitoring tools, healthcare cybersecurity leaders face a dizzying array of threats and must focus their efforts on building a defense-in-depth approach to addressing those risks.

Identity and access management (IAM) systems reside at the center of cybersecurity strategies, providing the core identification, authentication and authorization services required to create secure technology environments.

Hospitals, health systems and other large organizations have struggled with IAM solutions for years. Their unique needs have long stretched the limits of IAM technologies, which were mainly designed to support the more straightforward requirements of traditional firms. Much of this challenge comes from the many affiliations that exist within the healthcare space. A single provider might operate out of his or her own office and have admitting privileges in several hospitals. Health information clearinghouses must reach across institutional boundaries and aggregate information from providers around the community. While many organizations adopted third-party IAM solutions, they were often forced to build their own integrations to service these affiliate relationships and integrate with diverse systems.

This approach served the healthcare community well for decades, but the emerging reliance on hundreds of diverse cloud services has pushed the teams maintaining those solutions to their limits. IAM teams struggle to keep pace with the many new integrations demanded each year, and it is clear that the uniqueness of the healthcare environment is fading away. Many technology leaders now recognize that commercial IAM solutions are better able to keep pace with the rapidly changing cloud environment, and that the time has come to adopt these systems to better serve patients, providers and administrators.

Technology professionals studying the IAM vendor landscape face a monumental decision. The IAM platform they choose will require an almost-herculean undertaking to implement, and once in place, it will serve in a pivotal role at the center of the organization’s cybersecurity program for years, if not decades, to come.

Let’s take a look at some of the key factors technology leaders should consider as they select an IAM platform for their organization.


Evaluate the Reliability of IAM Vendors

IAM platforms join Infrastructure as a Service providers, networking vendors and database platforms at the heart of an organization’s technology stack. A failure in any one of these critical components could bring the organization to its knees. In fact, the instability of homegrown integrations is often one of the driving forces behind a move to adopt a commercial IAM platform. When the IAM system goes down, providers and administrators find themselves unable to log in to any systems, bringing their work to a halt.

For this reason, teams must carefully scrutinize the operational credentials of vendors under consideration. Negotiate service-level agreements, but look beyond the text at the vendor’s track record and architecture. Do the promises they make in agreements seem viable in light of the state of their technology? Do they have a track record of successfully managing operational issues?

Consider the Breadth of Healthcare Security Integrations

The rapid pace of adopting new cloud services is another of the critical factors driving the adoption of commercial IAM platforms. Teams find themselves stretched beyond their limits keeping up with the demand to integrate newly adopted services. Commercial platforms come prebuilt with hundreds of integrations for popular services. Analyze the array of existing integrations against the services used by the organization. How many current services are covered out of the box by the candidate, and how many will require custom development work?

In addition to examining existing services, try to get a sense of the pace of development of new integrations. When new services become popular, how quickly does the vendor release an integration? Is it likely that these new integrations will become available before they are needed, avoiding time-consuming manual integrations?


Ease of Use Matters for Cybersecurity Tools in Healthcare

The IAM platform resides at the core of the technology infrastructure, but in an ideal world, users are barely aware that it exists. How seamless is the IAM technology? Will users rapidly adopt it? In particular, how convenient is the multifactor authentication experience? Will an existing MFA approach integrate seamlessly with the new platform? Or, can a migration to MFA technology offered by the IAM platform occur with minimal user inconvenience?

Make sure to consider the ease of use for the technologists operating the IAM back end as well. Is the administrative interface intuitive? How well does the platform integrate with other components of the organization’s cybersecurity program?

Commercial IAM platforms offer healthcare organizations a variety of important benefits. Institutions that have not already migrated away from homegrown approaches will likely do so in the coming years. The selection of a new IAM platform is a decision that will affect the organization for years to come. Therefore, technology leaders should treat this migration with the attention that it deserves.

Brad Yeo/Theispot