
Access Management Challenges in the Healthcare Industry

Willy Alvarado, Director Security and Privacy
Brian Isserman, Senior Manager Security and Privacy

What’s new: Organizations are reevaluating their access management strategies due to the evolving threat landscape, an emphasis on zero trust, new technology and frequent employee turnover.

Why it matters: Healthcare organizations face unique access management challenges as they balance security with giving providers the access they need quickly and efficiently so they can care for patients.

How to address these challenges? Organizations should implement robust user access management programs, using available technology to:

  • Ensure good identity governance for workforce and non-employee identities, including linking user accounts and personas to a single identity and identifying and immediately acting on changes in roles.
  • Consider dynamic, real-time access authorization to ensure users are authorized to access sensitive data or perform critical tasks in the systems.

Go deeper: Read our insights below.

Organizations across industries are being prompted to reevaluate their access management approach due to the evolving threat landscape, an emphasis on zero trust, new technologies, and the industry norm of frequent employee turnover. Healthcare organizations in particular (and, specifically, hospital systems) must address several unique challenges when determining their access management strategy and must balance security with the ability to quickly and efficiently give providers the access they need to care for patients and perform their day-to-day responsibilities.

Some of the common issues healthcare organizations face include:

  • Managing the identities and personas of all who need access to resources. Healthcare organizations must manage an ever-increasing number of identity types from a variety of sources. In addition to managing identities and access for a traditional workforce (employed clinicians, back-office personnel, etc.), they must address contingent labor, affiliates (including affiliated private practitioners), vendors, partners, residents, volunteers, students, teachers and researchers. As an additional layer of complexity, one individual can have multiple personas, each of which may have very different access needs.
  • Protecting sensitive data, including patient data and other forms of protected health information (PHI). Healthcare organizations must ensure that access to sensitive and protected data, including PHI, is restricted to only those individuals approved to access or view that data. When not in use, data must be secured to prevent accidental or malicious exposure. Sensitive data must be readily and easily available for individuals with approved access. It is not uncommon in healthcare for individuals to change job roles within an organization, and with that change comes the need – and required authorization – to access PHI at the same level or at a modified level, which adds complexity to every access decision.
  • Ensuring providers quickly and effectively get the access they need to information within complex clinical applications. Many clinical applications have complex security, with granular permissions that must be properly assigned to users and clinicians to enable them to do their jobs and provide appropriate patient care. Rightsizing access and ensuring it is assigned in a timely manner without overburdening IT operations is an ongoing challenge for healthcare organizations.
  • Ensuring users are properly licensed and credentialed and have completed necessary training prior to getting access to IT resources. Healthcare organizations often have prerequisites for access to key clinical systems, which may require the healthcare organization to validate that staff have the appropriate licenses or credentials. Users may need to complete additional electronic medical record (EMR)-specific training before accessing the EMR or certain functionality of the system. Organizations need to ensure that access to restricted functions is not assigned until all training requirements are met (e.g., completing additional training requirements before being allowed to dispense narcotics).

Addressing access and identity management challenges head on

There are several ways healthcare organizations can address these challenges and keep information secure while giving providers the access they need to properly care for patients and perform their day-to-day responsibilities.

Healthcare organizations first must ensure good identity governance for workforce and non-employee identities including:

  • Linking user accounts and personas in systems and applications back to a single identity.
  • Paying close attention to the functional roles individuals are responsible for within the organization and adjusting access appropriately. This is best managed with the use of role- and policy-based access control.
  • Identifying and immediately acting on changes in roles.
  • Implementing automation for periodic user-access reviews.

These capabilities can be best achieved with an identity governance and administration (IGA) solution like SailPoint or Saviynt. These solutions integrate with key clinical and corporate systems to provision access automatically based on roles or other identity attributes. IGA solutions also provide the ability to quantify access risk and apply compliance requirements such as segregation of duties, so that both can influence access decisions.
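To make the governance capabilities above concrete, here is an added example (not code from the article, SailPoint or Saviynt) of the core logic an IGA connector performs: per-system accounts are linked back to one identity, a role change is turned into an immediate grant/revoke list, accounts that no identity owns are surfaced as orphans, and identities whose periodic access review is overdue are listed. The role names, systems, entitlements and people are constructed sample data, and the role-to-entitlement table is a hypothetical stand-in for a real role model.

```python
"""Role-based provisioning checks for identity governance (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical role model: role -> set of (system, permission) entitlements.
ROLE_ENTITLEMENTS = {
    "nurse":     {("EMR", "chart.read"), ("EMR", "chart.write"), ("EMR", "meds.administer")},
    "resident":  {("EMR", "chart.read"), ("EMR", "chart.write"), ("EMR", "orders.write")},
    "billing":   {("EMR", "chart.read"), ("Billing", "claims.write")},
    "volunteer": {("Badge", "lobby.enter")},
}


@dataclass
class Identity:
    """One person, with their functional roles and every account that maps back to them."""
    identity_id: str
    roles: set
    accounts: dict = field(default_factory=dict)   # system -> account name
    last_review: date = date(1970, 1, 1)            # last completed access review


def entitlements_for(roles):
    """Union of entitlements granted by a set of roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    return granted


def role_change(identity, new_roles):
    """Return (to_grant, to_revoke) when an identity's roles change.

    The revoke set is what must be actioned immediately: a persona that moved
    from nursing to billing must lose medication administration on day one.
    """
    before = entitlements_for(identity.roles)
    after = entitlements_for(new_roles)
    return after - before, before - after


def orphaned_accounts(identities, discovered_accounts):
    """Accounts present in target systems that link to no known identity.

    discovered_accounts: iterable of (system, account) pairs pulled from the
    systems themselves (constructed here; a connector would fetch them).
    """
    owned = {(system, acct) for ident in identities for system, acct in ident.accounts.items()}
    return sorted(set(discovered_accounts) - owned)


def reviews_due(identities, today, interval_days=90):
    """Identity IDs whose periodic access review is older than the interval."""
    cutoff = today - timedelta(days=interval_days)
    return sorted(i.identity_id for i in identities if i.last_review < cutoff)


if __name__ == "__main__":
    # Constructed sample: one nurse moving to billing, one volunteer, one unowned account.
    jdoe = Identity("id-001", {"nurse"}, {"EMR": "jdoe", "Badge": "jdoe"}, date(2024, 1, 15))
    vol = Identity("id-002", {"volunteer"}, {"Badge": "vol-17"}, date(2024, 5, 1))
    grant, revoke = role_change(jdoe, {"billing"})
    print("grant:", sorted(grant))
    print("revoke:", sorted(revoke))
    print("orphans:", orphaned_accounts([jdoe, vol], [("EMR", "jdoe"), ("EMR", "svc_old")]))
    print("reviews due:", reviews_due([jdoe, vol], date(2024, 6, 1)))
```

The revoke set is computed from the role model rather than from whatever the account currently holds, which is what lets a role change be actioned the moment HR records it instead of waiting for the next review cycle; the orphan check is the complementary control, catching accounts that were created outside the governed process.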

Healthcare organizations also should consider dynamic, real-time access authorization to ensure the user is authorized to access sensitive data or perform critical tasks in the systems. This “last mile” check can be used to:

  • Confirm risk behaviors have not caused the account to become suspect before providing access or data.
  • Mask certain data in a database query if risk factors are present.
  • Provide a real-time decision for allowing access based on identity attribute values at the time of access rather than trying to provision access in advance. This allows providers to get access much faster without waiting for it to be provisioned in advance. It also allows for a real-time check to confirm users have a current license, credential or training required for that access.
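The three "last mile" checks above map directly onto a small policy decision function. The following is an added example, not code from the article or from PlainID, Okta or Ping, of a policy decision point that evaluates identity attributes at the time of access: a flagged account is refused outright, a dispensing action requires a current license and completed training, and an elevated risk score downgrades a read to a masked result instead of denying it. The action policy table, attribute names, field names and subjects are hypothetical, constructed for the example.

```python
"""Attribute-based, real-time authorization decision with PHI masking (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Decision:
    effect: str            # "allow", "deny" or "mask"
    reasons: tuple = ()    # human-readable justification for audit logs


# Hypothetical policy table: action -> prerequisites checked at access time.
ACTION_POLICY = {
    "chart.read":    {"roles": {"nurse", "resident", "billing"}},
    "meds.dispense": {"roles": {"nurse"}, "license": "RN", "training": {"emr-meds-101"}},
}

# Fields treated as PHI for masking purposes (constructed list).
PHI_FIELDS = {"ssn", "dob"}
RISK_MASK_THRESHOLD = 50


def authorize(subject, action, today):
    """Decide whether `subject` may perform `action` right now.

    subject is a dict of identity attributes as an identity provider would
    present them: roles, licenses (type -> expiry date), training_completed,
    risk_score and risk_flag. Nothing is provisioned in advance; every
    prerequisite is checked against current values.
    """
    if subject.get("risk_flag"):
        return Decision("deny", ("account flagged by risk signals",))
    policy = ACTION_POLICY.get(action)
    if policy is None:
        return Decision("deny", (f"no policy defined for {action}",))

    reasons = []
    if not set(subject.get("roles", ())) & policy["roles"]:
        reasons.append("role not permitted for action")
    license_type = policy.get("license")
    if license_type:
        expiry = subject.get("licenses", {}).get(license_type)
        if expiry is None or expiry < today:
            reasons.append(f"{license_type} license missing or expired")
    missing = policy.get("training", set()) - set(subject.get("training_completed", ()))
    if missing:
        reasons.append("training incomplete: " + ", ".join(sorted(missing)))
    if reasons:
        return Decision("deny", tuple(reasons))

    if subject.get("risk_score", 0) >= RISK_MASK_THRESHOLD:
        return Decision("mask", ("elevated risk score: PHI fields masked",))
    return Decision("allow")


def apply_masking(row, decision):
    """Return a copy of a query result row with PHI masked when the decision says so."""
    if decision.effect != "mask":
        return dict(row)
    return {k: ("***" if k in PHI_FIELDS else v) for k, v in row.items()}


if __name__ == "__main__":
    today = date(2025, 6, 1)
    # Constructed subjects: a nurse in good standing and the same nurse with an expired license.
    nurse = {"roles": ["nurse"], "licenses": {"RN": date(2030, 1, 1)},
             "training_completed": ["emr-meds-101"], "risk_score": 10}
    lapsed = dict(nurse, licenses={"RN": date(2024, 1, 1)})
    print(authorize(nurse, "meds.dispense", today))
    print(authorize(lapsed, "meds.dispense", today))
    risky = dict(nurse, risk_score=80)
    decision = authorize(risky, "chart.read", today)
    print(apply_masking({"name": "A. Patient", "ssn": "123-45-6789", "allergies": "none"}, decision))
```

Because the license expiry and training list are read at decision time, a clinician whose credential is renewed today gets access today, and one whose credential lapses loses it on the next request; the `reasons` tuple is what you would write to the audit log so a denied access can be explained without re-running the policy.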

A leading dynamic, real-time authorization solution to consider is PlainID which provides a centralized policy-based access control decision engine. PlainID easily integrates with an identity provider such as Okta or Ping to provide real-time authorization decisions and embed them into the authentication flow. This eliminates the need for provisioning access in advance.

Robust user access management programs using some of the technologies mentioned above can have a profound impact on the day-to-day functions of a healthcare organization. They improve overall confidence in the accuracy of user access, help manage risks to user identities, and provide better customer service by ensuring users have timely provisioned access to the right data.
