In light of recently strengthened patient privacy laws and bigger penalties for health care data breaches, many health care providers are looking to automate identity management by provisioning employee access to applications and patient data on the network.
Hospitals and ambulatory provider networks typically manage identities and credentials on paper or with a manual workflow that involves a combination of software applications and, possibly, electronic forms. Automating the process gives IT staff the ability to switch an identity on and off across the network, instantly bringing staffers online when hired or shutting them out of the network when their time with the company is through, disabling all network passwords, logins, badge accesses and so on.
IT leaders in charge of identity management have their hands full in this era of health care staffing models that feature temporary workers, per diem staffers used on an as-needed basis, interns who work at a hospital but technically aren't employed by it and full-time "floaters" whose network privileges change as they move from building to building or department to department.
"The challenge with access management -- when you're managing multiple facilities and people at multiple locations -- is streamlining the flow of the data from the initial knowledge that someone's going to be hired to granting them access," said David Sheidlower, chief information security officer for Health Quest. The upstate New York provider includes three hospitals and several multi-specialty ambulatory group practices, which adds up to about 5,000 identities to manage.
Automation makes the process of managing up to 5,000 identities quicker and more accurate than the manual processes it replaced, he said. Manual workflows invariably have holes, and duplicate identities bred from typos and old-but-still-active identities can represent health care data breaches waiting to happen.
"By using the identity management system, we're able to automate that data flow without anyone filling out forms or there being any lag time or delay," Sheidlower said. "Taking away access, from a security perspective, is almost more important. When someone is leaving the organization and is no longer a member of the workforce, you want to see that access is terminated as soon as possible."
Define users, roles to ease access management
The question isn't finding a vendor -- Microsoft, Imprivata Inc., Citrix Systems Inc., CA Technologies Inc. and Novell Inc. are a few of the many offering health care-specific systems -- but narrowing the choice. That starts with assessing the complexity of your organization's staff. A health care provider's two complications are usually the number of locations an identity management system will serve (one building, several campuses or multiple states?) and the credentials that map to privileges (physician, nurse and so on).
Typically, automating identity management involves plugging into a human resources management application such as Lawson (from Lawson Software Inc.) or PeopleSoft (from Oracle Corp.) to get a solid grasp of who is employed by an organization and what they do, cross-referenced with information from the provider's credentialing department that tracks rights, such as who can prescribe medications and access different departmental systems. Sheidlower said the key to limiting security problems through identity management is building an accurate list of staff and creating a least-privilege model based on each staffer's role.
"The health care professional's job is to focus on the patient, not to have to think about computer systems," said Sheidlower, who uses Novell software to manage identities for Health Quest. "You need to be providing access in a role-based manner so that health care professionals have what they need. The only way to do that in a secure manner is the least-privilege model."
Citrix customer Todd Bruni, director of identity and configuration management for CHRISTUS Health (which runs 40 hospitals in six U.S. states and Mexico), said he and his coworkers had the "what they do" part down well because they created what he called a "high-level map" of roles within the company before plugging employees into it. He and his team started by dividing CHRISTUS into two halves -- its acute and subacute businesses -- and then mapping privileges to physicians, nurses and the rest of the staffers within the two halves based on their locations.
That's a good way to start when preparing to implement an identity management system, Bruni said. After that, make a map of what your different software systems can do and understand how they plug into the identity management system via Active Directory. Think of ways to make things less complicated, such as the use of self-serve password resetting, and to deal with mandatory complications, such as employees who need remote access and regulatory tracking/reporting.
CHRISTUS' main challenge is getting a better grasp on "who's who" across its geographically scattered workforce. To that end, the company is implementing a centralized identity, human resources and credentialing system that will "totally change everything" for the better, Bruni said.
Choose identity management vendors wisely
Bruni said that health care IT leaders charged with choosing an identity management system must understand that, because it's such a complex undertaking, there is no right answer. Start with the quickest wins that secure the most systems in the least amount of time and require the smallest cost investments.
"There are so many different buckets about how you can go about it -- it's just figuring out what brings that organization the biggest value and start there," Bruni said. "You can always grow into the other buckets."
Sheidlower added that, when moving to more complex identity management systems, it pays to determine how much effort and training it will take to bring the system online and maintain it following installation. You and your team will ultimately be left with the care and feeding of the system -- if it's too complex, the identity management could be an epic failure.
Finally, before flipping the switch on an automated identity management system, prepare the network by performing a grand housecleaning. Search for and delete obsolete IDs, and root out duplicate accounts, whether they were caused by typos or created as a workaround when a user's password was lost.
"The cleaner…[the] structures you use to regulate network access, the more successful your implementation will be," Sheidlower said. "Most of the problems you have when you first implement an identity management system [are] just from bad data."
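The two technical points above, the HR-feed-driven, least-privilege role model and the pre-rollout cleanup of obsolete and duplicate accounts, can be shown together as a small reconciliation script. The following is an added example written for this page, not code from Health Quest, CHRISTUS Health or any of the vendors named; the HR records, directory accounts, role names, group names and the 90-day staleness threshold are all constructed for illustration.

```python
"""Joiner/mover/leaver reconciliation between an HR feed and a directory.

Added example, not Health Quest's or CHRISTUS Health's code. All records,
role names and group names below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical least-privilege role model: each role gets only the groups
# its job needs. Credentialing adds e.g. e-prescribing on top of the role.
ROLE_GROUPS = {
    "physician": {"ehr-read", "ehr-write"},
    "nurse": {"ehr-read", "ehr-write", "mar-administer"},
    "billing": {"billing-app"},
}
CREDENTIAL_GROUPS = {"prescriber": {"eprescribe"}}

# Constructed HR feed (source of truth for "who works here and what they do").
HR_FEED = [
    {"emp_id": "1001", "name": "Ana Reyes", "role": "physician",
     "credentials": ["prescriber"], "status": "active"},
    {"emp_id": "1002", "name": "Ben Okafor", "role": "nurse",
     "credentials": [], "status": "active"},
    {"emp_id": "1003", "name": "Cara Lindqvist", "role": "billing",
     "credentials": [], "status": "terminated"},
    {"emp_id": "1004", "name": "Dev Patel", "role": "nurse",
     "credentials": [], "status": "active"},          # new hire, no account yet
]

# Constructed directory snapshot (think of an Active Directory export).
TODAY = date(2011, 6, 1)
ACCOUNTS = [
    {"sam": "areyes", "emp_id": "1001", "enabled": True,
     "groups": {"ehr-read", "ehr-write", "eprescribe"}, "last_logon": TODAY},
    {"sam": "bokafor", "emp_id": "1002", "enabled": True,
     "groups": {"ehr-read", "ehr-write", "mar-administer", "billing-app"},
     "last_logon": TODAY - timedelta(days=3)},
    {"sam": "clindqvist", "emp_id": "1003", "enabled": True,       # leaver
     "groups": {"billing-app"}, "last_logon": TODAY - timedelta(days=20)},
    {"sam": "bokafor2", "emp_id": None, "enabled": True,            # duplicate
     "groups": {"ehr-read"}, "last_logon": TODAY - timedelta(days=400)},
    {"sam": "jsmith", "emp_id": None, "enabled": True,              # orphan
     "groups": {"ehr-read"}, "last_logon": TODAY - timedelta(days=200)},
]


def desired_groups(hr_rec):
    """Least-privilege target: role groups plus groups for held credentials."""
    groups = set(ROLE_GROUPS.get(hr_rec["role"], set()))
    for cred in hr_rec["credentials"]:
        groups |= CREDENTIAL_GROUPS.get(cred, set())
    return groups


def reconcile(hr_feed, accounts):
    """Compute joiner/mover/leaver actions from HR truth vs. directory state."""
    by_emp = {a["emp_id"]: a for a in accounts if a["emp_id"]}
    actions = {"provision": [], "disable": [], "revoke": [], "grant": []}
    for rec in hr_feed:
        acct = by_emp.get(rec["emp_id"])
        if rec["status"] != "active":
            if acct and acct["enabled"]:
                actions["disable"].append(acct["sam"])   # leaver: cut access now
            continue
        if acct is None:
            actions["provision"].append(rec["emp_id"])   # joiner: create from role
            continue
        want = desired_groups(rec)
        for g in sorted(acct["groups"] - want):
            actions["revoke"].append((acct["sam"], g))   # excess privilege
        for g in sorted(want - acct["groups"]):
            actions["grant"].append((acct["sam"], g))    # role needs it
    return actions


def housecleaning(accounts, hr_feed, today, stale_days=90):
    """Pre-rollout cleanup: accounts with no HR owner, stale logons, duplicates."""
    known = {r["emp_id"] for r in hr_feed}
    orphans = sorted(a["sam"] for a in accounts if a["emp_id"] not in known)
    stale = sorted(a["sam"] for a in accounts
                   if a["enabled"] and (today - a["last_logon"]).days > stale_days)
    # Duplicates: usernames that differ only by a trailing digit suffix.
    base = defaultdict(list)
    for a in accounts:
        base[a["sam"].rstrip("0123456789")].append(a["sam"])
    duplicates = {k: sorted(v) for k, v in base.items() if len(v) > 1}
    return {"orphans": orphans, "stale": stale, "duplicates": duplicates}


if __name__ == "__main__":
    print("actions:", reconcile(HR_FEED, ACCOUNTS))
    print("cleanup:", housecleaning(ACCOUNTS, HR_FEED, TODAY))
```

Run against the constructed data, the reconciliation disables the terminated user's still-enabled account, queues the new hire for provisioning and revokes the nurse's extra billing group, while the cleanup pass flags the two accounts with no HR owner as both orphaned and stale and pairs `bokafor` with its `bokafor2` duplicate. In a real rollout the HR feed and the directory export would come from the HR and credentialing systems and the directory rather than inline lists, and the cleanup findings should be reviewed by hand before anything is deleted, since the duplicate heuristic here is deliberately simple.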
Let us know what you think about the story; email Don Fluckinger, Features Writer.