Health Care Tackles New Risks Through Identity And Access Management

by Ayan Roy

A pivotal transformation is taking place in the healthcare industry. Increasingly, encounters between providers and patients are virtual rather than in-person, with email, teleconferencing and videoconferencing replacing more traditional means of provider-patient communication. Business demands on IT are changing rapidly, with organisations having to adopt emerging technologies such as mobile and cloud computing (with clinical applications like mHealth and telehealth in widespread use), big data and social media.

Along with the transformation come new risks. As organisations conduct more business over the web, they need to protect patient information and make sure only the right people have access to this information. Demands on identity and access management (IAM), the discipline for managing people’s access to enterprise resources, are growing. IAM serves as the foundation of any information security program.

IAM has shifted, but further change is needed

Historically, IAM's main focus has been access-related compliance needs. Solutions have often centred on provisioning technology and have been poorly adopted, resulting in bloated costs and limited value. While compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other legislation remains a key driver behind IAM initiatives, IAM is evolving into a more risk-based program focused on entitlement management and enforcement of logical access controls across multiple systems.

Although healthcare organisations are starting to see benefits from new approaches to IAM, many are still challenged with managing time-intensive processes like manual approval, provisioning and access review. At many organisations, identity administration functions continue to be delivered in organisational silos, resulting in excessive access granted to users, inefficient processes and higher costs of provisioning and de-provisioning. And too many organisations have implemented new IAM approaches on a piecemeal basis. Granting appropriate access to clinical systems while keeping them secure continues to be a challenge because of system complexity and end-user needs.

Each healthcare organisation needs to develop and implement a comprehensive IAM strategy based on its unique business needs. The enterprise should explore broad approaches to IAM that are adaptable to new usage trends like mobile and cloud computing. IAM capabilities must take advantage of available technology so that the benefits realised exceed the costs incurred.


The IAM life cycle

EY views the management of identity and access permissions in a transformed IAM function as specific, multiple stages:

[Figure: IAM life cycle wheel]

  • User access request and approve. The user requests, and an approver grants, access to the applications, systems and data required to fulfil his or her job responsibilities.
  • Provision/de-provision. The user must be granted appropriate entitlements and access in a timely manner. Also, access must be revoked when no longer required due to the user's termination or transfer. Timely de-provisioning is especially critical at healthcare organisations.
  • Enforce. User access to applications and systems is enforced through authentication and authorisation. Compliance with access management policies and requirements is also enforced. For example, psychological evaluations and other protected health information (PHI) must be made available only to the caregiver and his or her team and protected from persons who may have malicious intent.
  • Report and audit. Business-relevant key performance indicators (KPIs) and metrics are defined, and user access is audited to establish who has access to patients' data and what each user is doing with it.
  • Review and certify. User access is reviewed periodically to realign it with the user's job function or role.
  • Reconcile. The access actually configured in each system is compared with the approved access levels, and any discrepancy is corrected so that what is enforced matches what was approved.

IAM requires a well-defined strategy and governance model to guide all life cycle phases. The strategy must recognise specific challenges that may arise in each phase.
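The de-provision, enforce and reconcile stages above come together in a recurring reconciliation check: pull what each account actually holds in a target system, compare it with the approved role model and the HR roster, and turn the discrepancies into remediation actions. The following is an added example of that check, not code from the article or from EY; the role names, the "ehr:..." entitlement strings, the one-day de-provisioning SLA and all worker and account records are constructed sample data, and the nurse who holds a psychiatric-record entitlement mirrors the PHI example in the Enforce stage.

```python
"""Access reconciliation for the de-provision / reconcile stages of the IAM life cycle.

Added example with constructed data. Role names, entitlement strings and the
SLA value are hypothetical; a real run would read them from the IAM system,
the HR feed and the target application's entitlement export.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Approved role model: role -> entitlements that role may hold (hypothetical).
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr:chart:read", "ehr:chart:write", "ehr:meds:administer"},
    "physician": {"ehr:chart:read", "ehr:chart:write", "ehr:orders:write", "ehr:psych:read"},
    "billing": {"ehr:chart:read", "billing:claims:write"},
}

# Days an account may stay active after the HR termination date (assumed policy value).
DEPROVISION_SLA_DAYS = 1


@dataclass
class Worker:
    """One row of the HR roster, the authoritative source for status and role."""
    user_id: str
    role: str
    status: str                      # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass
class Account:
    """One account as exported from the target system, with its live entitlements."""
    user_id: str
    entitlements: set = field(default_factory=set)


def reconcile(workers, accounts, as_of):
    """Compare live accounts with the roster and role model.

    Returns a dict of findings:
      orphaned            - active accounts whose worker HR marks as terminated
      overdue_deprovision - orphaned accounts past the de-provisioning SLA
      excess              - (user_id, [entitlements]) beyond what the role allows
      unknown             - accounts with no HR record at all
    """
    by_id = {w.user_id: w for w in workers}
    findings = {"orphaned": [], "overdue_deprovision": [], "excess": [], "unknown": []}

    for acct in accounts:
        worker = by_id.get(acct.user_id)
        if worker is None:
            findings["unknown"].append(acct.user_id)      # no owner: investigate, do not ignore
            continue
        if worker.status == "terminated":
            findings["orphaned"].append(acct.user_id)
            if worker.terminated_on is not None and \
                    (as_of - worker.terminated_on).days > DEPROVISION_SLA_DAYS:
                findings["overdue_deprovision"].append(acct.user_id)
            continue
        approved = ROLE_ENTITLEMENTS.get(worker.role, set())
        extra = sorted(acct.entitlements - approved)   # held but never approved for this role
        if extra:
            findings["excess"].append((acct.user_id, extra))
    return findings


def remediation_plan(findings):
    """Turn findings into concrete actions for the provisioning system to execute."""
    actions = []
    for uid in findings["orphaned"]:
        actions.append(("disable_account", uid, None))
    for uid in findings["unknown"]:
        actions.append(("investigate_account", uid, None))
    for uid, extras in findings["excess"]:
        for ent in extras:
            actions.append(("revoke_entitlement", uid, ent))
    return actions


# Constructed sample input: an HR roster and an entitlement export from the EHR.
SAMPLE_WORKERS = [
    Worker("n001", "nurse", "active"),
    Worker("p002", "physician", "active"),
    Worker("b003", "billing", "active"),
    Worker("n004", "nurse", "terminated", terminated_on=date(2024, 3, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("n001", {"ehr:chart:read", "ehr:chart:write", "ehr:meds:administer", "ehr:psych:read"}),
    Account("p002", {"ehr:chart:read", "ehr:chart:write", "ehr:orders:write", "ehr:psych:read"}),
    Account("b003", {"ehr:chart:read", "billing:claims:write"}),
    Account("n004", {"ehr:chart:read", "ehr:chart:write", "ehr:meds:administer"}),
    Account("x999", {"ehr:chart:read"}),
]

if __name__ == "__main__":
    result = reconcile(SAMPLE_WORKERS, SAMPLE_ACCOUNTS, date(2024, 3, 10))
    for kind, items in result.items():
        print(f"{kind}: {items}")
    for action in remediation_plan(result):
        print("action:", action)
```

On the sample data the run flags n004 as an orphaned account that is nine days past the SLA, n001 as a nurse holding "ehr:psych:read" that the nurse role never approved, and x999 as an account with no HR owner; the remediation plan disables n004, opens an investigation on x999 and revokes the excess entitlement from n001. The two gaps that matter most in practice are the ones a role-based review alone misses: accounts with no roster owner, and accounts whose owner has left but whose access was never revoked.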

What your organisation needs to do now

Effective identity and access management processes are integral to driving business value – reducing risk, sustaining compliance, improving the end user experience and responding to the changing IT landscape. Your organisation should first assess its existing IAM capabilities using a capability maturity model and then develop a risk-based strategy and action plan that are aligned to the needs of the entity and consider people, processes and technology issues. The IAM capabilities should also address emerging threats and fraud scenarios relevant for the healthcare industry.

To improve your organisation’s chances of success, be strategic – not tactical – when designing a solution. Be prepared for objections and concerns during the change process. Avoid the ‘Big Bang’ approach; use a risk-based, phased implementation approach to ease the adoption of IAM changes.

For more information on taking IAM into the future at your organisation, read EY’s report, Identity and access management: beyond compliance. 

Topics: Technology, Strategy, Healthcare & Pharma
