Hospital identity management systems are no longer simply employee key cards for controlling building access. They are a key tool for Health Insurance Portability and Accountability Act (HIPAA) compliance, giving employees access to only the patient data they need to do their jobs -- a bedrock tenet of the regulation. They also help protect health care providers’ networks from security breaches when employees leave...
CIOs are looking for ways to comply with the objectives of this coming decade’s health care IT infrastructure expansion, which has seemingly contradictory regulatory mandates. On one hand, federal health care reform and health IT leaders are forcing CIOs to open up patient and provider access to information online. On the other, HIPAA rules, sharpened by the Health Information Technology for Economic and Clinical Health (HITECH) Act, require ever-tightening security and increase accountability for breaches when that security fails.
In this regulatory climate, identity management systems are growing in importance to help hospitals regulate the flow of protected information, said Chris Bidleman, director of health care at Novell Inc., which offers several applications to authenticate hospital employees and manage their access to confidential patient data on the network. Other vendors in the space include Oracle Corp. and CA Inc.
Both the HITECH Act and health care reform laws bring much focus on the privacy and security of information within electronic health record systems, Bidleman said in an April audio conference sponsored by the Healthcare Information Management Systems Society (HIMSS). “Finding ways to secure that is one of [providers’] highest priorities.”
To that end, hospital employee identification systems offer reports about who received care from which provider and when. Meanwhile, specific information about those sessions, including which doctor, nurse or other provider was seen, appears in the patient’s electronic medical record. The systems also secure communication among staff, and between providers and patients, by limiting access.
Better HIPAA compliance while cutting costs
HIPAA compliance was the main driver for upgrading the identity management system at St. Vincent Health in Indianapolis, said Stephen Whicker, the health system’s manager of security compliance and HIPAA security officer. He also participated in the HIMSS audio conference. The process, which began in 2005, spanned the enterprise, integrating Novell software with existing PeopleSoft human resource applications and the various network systems requiring login and authentication.
“We had a very manual process,” Whicker said. “We wanted to reduce costs by automating the provisioning of network accounts and other accounts within our systems in order to reduce the manpower requirement.”
The system upgrade blended four networks -- and two access points -- into a single network under the new identity management system. That, combined with the software integration, has saved $250,000 and freed two full-time staffers to tackle less mundane IT issues such as systems management and expansion, he added.
Beyond technology, Whicker and his colleagues also fixed workflow problems by developing what they called an “identity management roadmap” in planning sessions before setting up the software.
For example, Whicker and his team improved privilege validation, which confirms that a person really needs a particular login and ensures that the right supervisor really granted that access. Previously, there had been no point person or automated response to let employees know they had been granted a login to a particular application or system.
During workflow analysis, Whicker’s team also established a procedure for decommissioning IDs. This closed a loophole that allowed an employee to be given multiple IDs, not all of which were deactivated when the employee left the company.
Five years later, the roadmap for the identity management system is almost complete. All that remains, Whicker said, is finishing up role-based access control to applications, based on role definitions and job codes. Such a scheme connects and integrates applications so employees use a single ID and password for multiple systems.
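The decommissioning and role-based access steps described above can be checked with a reconciliation pass that treats the HR system as the authoritative source. The sketch below is an added example, not code from St. Vincent Health or any vendor named here; the record layout, system names, job codes and logins are all constructed for illustration.

```python
# Constructed sample data; field names, systems and job codes are hypothetical.
HR_FEED = [  # authoritative HR records, one row per employee
    {"emp_id": "E100", "status": "active", "job_code": "RN"},
    {"emp_id": "E200", "status": "terminated", "job_code": "RN"},
    {"emp_id": "E300", "status": "active", "job_code": "BILLING"},
]
ROLE_MAP = {  # job code -> systems that role is entitled to
    "RN": {"network", "ehr"},
    "BILLING": {"network", "billing"},
}
ACCOUNTS = [  # accounts found in each system, linked back to an employee
    {"system": "network", "login": "jdoe", "emp_id": "E100", "enabled": True},
    {"system": "ehr", "login": "jdoe", "emp_id": "E100", "enabled": True},
    {"system": "network", "login": "asmith", "emp_id": "E200", "enabled": False},
    {"system": "ehr", "login": "asmith2", "emp_id": "E200", "enabled": True},  # second ID never deactivated
    {"system": "network", "login": "bjones", "emp_id": "E300", "enabled": True},
    {"system": "ehr", "login": "bjones", "emp_id": "E300", "enabled": True},  # not part of BILLING role
    {"system": "ehr", "login": "temp01", "emp_id": None, "enabled": True},  # no HR owner
]

def reconcile(hr_feed, role_map, accounts):
    """Return (to_disable, to_provision) derived from HR status and job-code roles."""
    hr = {r["emp_id"]: r for r in hr_feed}
    to_disable, held = [], {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already decommissioned
        rec = hr.get(acct["emp_id"])
        key = (acct["system"], acct["login"])
        if rec is None:
            to_disable.append((*key, "no HR owner"))
        elif rec["status"] != "active":
            # Every enabled ID of a departed employee is flagged, not just the primary one.
            to_disable.append((*key, "employee terminated"))
        elif acct["system"] not in role_map.get(rec["job_code"], set()):
            to_disable.append((*key, "outside role"))
        else:
            held.setdefault(acct["emp_id"], set()).add(acct["system"])
    to_provision = []
    for emp_id, rec in hr.items():
        if rec["status"] == "active":
            missing = role_map.get(rec["job_code"], set()) - held.get(emp_id, set())
            to_provision += [(emp_id, s) for s in sorted(missing)]
    return sorted(to_disable), to_provision
```

Run against the sample data, the pass flags the departed employee's leftover second ID, the unowned account and the out-of-role access, and lists the one system an active employee is still waiting on.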
Automated identity management means faster starts, stops
An automated identity management system can add other benefits beyond cost savings and faster reporting, Whicker said.
There are fewer opportunities for manual data-entry errors, it is harder to accidentally create duplicate accounts for networks and services, and employees can reset their own passwords. As a result, employee data is more accurate, security loopholes are closed and the help desk can focus on more pressing issues, Whicker said.
In addition, employee accounts are quickly authorized and de-authorized. This gets old employees locked out of multiple systems across the facility almost instantly -- and it improves new-hire productivity.
“[We wanted to give] people the IDs and the accesses they needed to do their job on the first day they were here, instead of on the 21st day, which was the average time it was taking to get people fully provisioned with the ID that they needed,” Whicker said.
That not only increased productivity and efficiency, but it also boosted data integrity within the medical record, he added. Staff members no longer need to share IDs to complete routine work while new hires wait for access to the network tools they need to provide patient care.
Let us know what you think about the story; email Don Fluckinger, Features Writer.