
Oct 30 2024
Security

Getting Identity Management Right Is Crucial for Healthcare Security

Many organizations face challenges when it comes to provisioning and deprovisioning identities. Best practices and partnership can help health systems overcome obstacles to identity management.

A key concern for IT and security leaders is user identity and access control. Identity is a prime target for attackers who want to gain unauthorized system access and carry out malicious acts. In healthcare, identity management has a complex lifecycle that makes it challenging to secure. When healthcare organizations hire or let go of staff, nurses, contractors and vendors, it’s crucial to manage their accounts effectively. Ensuring proper provisioning and deprovisioning of accounts is essential for reducing cybersecurity risks.

If the IT department doesn’t have the ability to automatically deprovision the account of an employee who was just let go, then the organization could be at risk of a disgruntled employee accessing the network to plant malware or take sensitive information. For a healthcare organization, this means risking being out of compliance with HIPAA regulations and even losing patient trust. It’s critical to minimize any potential insider threat.

Despite the importance of a robust holistic identity management strategy and an effective identity and access management platform, it's common for healthcare organizations to have difficulty achieving identity success due to complex environments, poor technology implementations or a lack of strong identity governance. To improve their approach while mitigating security risks, healthcare organizations need to understand common identity pitfalls and best practices to overcome those challenges. Equally important is how an expert partner can help.


Common Identity Management Challenges in Healthcare

Having the right type of data about each employee’s role can often be a challenge for healthcare organizations. For example, all roles, whether they’re clinicians or administrative personnel, flow through an HR information system. The data from that platform then flows into an identity or automated provisioning tool. If the roles don’t define what each role requires in terms of data or network access, then it can be hard to find the right set of entitlements for provisioning.

As a result, someone might take a copy-and-paste approach to provisioning. They might model a new doctor’s access on that of a doctor in the same department without realizing that they have different data needs. Many healthcare organizations need help getting to that level of granularity. It can also be a challenge to ensure the organization is using an authoritative source of data to make those identity management decisions.

On the deprovisioning side, the process isn’t always straightforward. If a doctor leaves, it’s possible an organization would prefer to disable their access but maintain the identity in case the doctor comes back to do work as a contractor or is being seen as a patient. Organizations need to create governance that helps IT identify when an employee should be deprovisioned versus simply changing their access, or to determine how long that identity should stay in the system.

A common mistake we see is that organizations prefer to handle their deprovisioning in batches, meaning that an employee could still have access for a few weeks after they’ve left or after they have been terminated. This creates unnecessary risk, especially if that account isn’t being monitored.
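The gap that batch deprovisioning leaves can be measured by reconciling the HR feed against the directory. The following is an added example, not part of the original article; the record layout, account IDs and the 90-day retention period are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a real HRIS or directory schema.
NOW = datetime(2024, 10, 30, 12, 0)
RETENTION = timedelta(days=90)  # assumed governance rule for keeping a disabled identity

HR_FEED = [  # authoritative source of employment status
    {"id": "e1001", "status": "active", "term_at": None},
    {"id": "e1002", "status": "terminated", "term_at": datetime(2024, 10, 14, 17, 0)},
    {"id": "e1003", "status": "terminated", "term_at": datetime(2024, 10, 28, 9, 0)},
    {"id": "e1004", "status": "terminated", "term_at": datetime(2024, 6, 1, 9, 0)},
]
DIRECTORY = {  # account state as reported by the directory
    "e1001": {"enabled": True, "last_signin": datetime(2024, 10, 30, 8, 0)},
    "e1002": {"enabled": True, "last_signin": datetime(2024, 10, 20, 23, 15)},
    "e1003": {"enabled": False, "last_signin": datetime(2024, 10, 27, 16, 0)},
    "e1004": {"enabled": False, "last_signin": datetime(2024, 5, 30, 16, 0)},
    "svc-old": {"enabled": True, "last_signin": None},
}

def reconcile(hr_feed, directory, now=NOW, retention=RETENTION):
    """Return (account, finding, detail) tuples for accounts that need action."""
    hr_by_id = {rec["id"]: rec for rec in hr_feed}
    findings = []
    for acct_id in sorted(directory):
        acct, hr = directory[acct_id], hr_by_id.get(acct_id)
        if hr is None:
            findings.append((acct_id, "ORPHAN", "no HR record backs this account"))
            continue
        if hr["status"] != "terminated":
            continue
        since_term = now - hr["term_at"]
        if acct["enabled"]:
            findings.append((acct_id, "DISABLE_NOW",
                             f"still enabled {since_term.days}d after termination"))
        elif since_term > retention:
            findings.append((acct_id, "RETENTION_EXPIRED",
                             "disabled identity is past its retention period"))
        if acct["last_signin"] and acct["last_signin"] > hr["term_at"]:
            findings.append((acct_id, "INVESTIGATE", "sign-in recorded after termination"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_FEED, DIRECTORY):
        print(*finding, sep=" | ")
```

Account e1003 produces no finding: it was disabled promptly and is still within the retention period, which is the disable-but-keep case described above.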


How Do IAM Tools Help IT Teams Overcome Provisioning Challenges?

A good IAM platform can handle the entire identity lifecycle. It should give HR the ability to provision users automatically when they’re onboarded. All of those user creation tasks can be completed automatically, including giving birthright access to a specific set of applications and creating additional role-based access.

Centralized management is another big benefit of using an IAM platform. Some organizations have gone through a lot of merger and acquisition activity, leaving them with disparate domains and multiple sources of truth. A good IAM system can bring all of that information together and create one source of truth that allows the organization to be flexible when undergoing cloud migration or integrating Software as a Service applications.

It's also important that healthcare organizations have a cohesive strategy around their end-user service catalog as it relates to both identity provisioning and access requests, because not everything happens on birthright. Birthright refers to a new employee onboarding and getting an Active Directory account, email address and anything else needed for their role, but that’s where it stops. From there, the employee has to ask for access.
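To show how birthright and role-defined access differ from the copy-and-paste provisioning described earlier, here is an added example (not from the original article) that reviews accounts against a role catalogue. All job codes, entitlement names and accounts are constructed assumptions.

```python
# Constructed catalogue; job codes and entitlement names are assumptions for illustration.
BIRTHRIGHT = {"ad-account", "email", "intranet"}
ROLE_CATALOG = {
    "MD-CARDIO": {"ehr-clinical", "e-prescribing", "cardiology-imaging"},
    "MD-ONCO": {"ehr-clinical", "e-prescribing", "oncology-protocols"},
    "BILLING": {"ehr-billing", "claims-portal"},
}
ACCOUNTS = [  # job code comes from the HR system, "has" from the directory
    {"id": "dr.a", "job": "MD-CARDIO",
     "has": BIRTHRIGHT | {"ehr-clinical", "e-prescribing", "cardiology-imaging"}},
    # dr.b was modelled on dr.a's access even though the job code differs
    {"id": "dr.b", "job": "MD-ONCO",
     "has": BIRTHRIGHT | {"ehr-clinical", "e-prescribing", "cardiology-imaging"}},
    # HR job code that nobody has defined access for
    {"id": "rn.c", "job": "CONTRACT-RN", "has": BIRTHRIGHT | {"ehr-clinical"}},
]

def expected_access(job_code):
    """Birthright plus role entitlements, or None when the role is undefined."""
    role = ROLE_CATALOG.get(job_code)
    return None if role is None else BIRTHRIGHT | role

def review(accounts):
    """Compare what each account holds with what its HR job code entitles it to."""
    report = {}
    for acct in accounts:
        expected = expected_access(acct["job"])
        if expected is None:
            # No role definition: there is nothing authoritative to provision from.
            report[acct["id"]] = {"status": "UNDEFINED_ROLE", "excess": [], "missing": []}
            continue
        excess = sorted(acct["has"] - expected)    # access to remove
        missing = sorted(expected - acct["has"])   # access the user must otherwise request
        status = "DRIFT" if excess or missing else "OK"
        report[acct["id"]] = {"status": status, "excess": excess, "missing": missing}
    return report

if __name__ == "__main__":
    for acct_id, result in review(ACCOUNTS).items():
        print(acct_id, result)
```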

Joining access and device provisioning is also a useful best practice. When those two are disjointed, then the user experience can be poor for both the new employee and the staff handling the onboarding process.


Identity Management Best Practices to Improve Healthcare Security

Prior to deploying technology to help with identity automation, the organization should have an established IAM program with a steering committee of stakeholders. That committee should include not only IT and security, but also people who represent the organization’s various lines of business. It’s also crucial that the organization has a strong understanding of the business process and how identities get brought in, change throughout their lifecycle at the organization and ultimately get removed. Identities apply not only to humans but also to devices. A service account or a medical device can have an identity.

Training and support are crucial for making sure IT teams are up to date with identity management best practices and able to support IAM platforms. From an implementation standpoint, understanding how to onboard a full IAM system and create governance is the hardest part. The organization needs to undergo information gathering to understand the architecture underneath the IAM that will need to connect to the identities. Whether it’s Epic or a different third-party system, understanding how they all connect is important before implementing a new IAM system.

When we see customers go straight to technology or process automation to solve a problem without a strong understanding of the business process supporting it, that technology implementation usually fails miserably. It doesn’t get past basic group access. That’s why 9 times out of 10 we recommend program development for step one.


How Can Organizations Benefit from Partnership on IAM?

In many cases, customers tend to complicate identity with several on-premises Active Directory domains. It’s simpler to build a greenfield environment and create a process with the help of a good partner such as CDW than to try to clean up an existing mess and then implement a big product. Technology won’t solve operational complexity, organizational complexity or technology complexity. Nothing an organization lays over the top of the problem will make it easier. It will just hide some issues for a while.

CDW offers consulting engagements to help healthcare organizations wrap their arms around the operational and organizational structures before deploying technology to help with automation and governance. We’re a full lifecycle shop that can handle anything from upfront advisory consulting to help organizations with their program management and governance to technical evaluations, cost-benefit analysis and facilitating the request for proposal process. We can help with the technical scoring and weighting of those RFPs for organizations seeking proposals from multiple vendors.

CDW can also help with design, deployment and operational support. If an organization can’t maintain or operate the identity system post-deployment or if they need additional help with access requests and approval workflows, then we can take that off the organization’s plate. That’s part of our managed support offering. Think of it as a creative staff augmentation service with service level agreements on response times. Essentially, we handle the full lifecycle across the whole identity technology stack, including access management, identity governance and privileged access management.

This article is part of HealthTech’s MonITor blog series.


FatCamera/Getty Images