In 2007, healthcare providers will face identity and access management challenges that will directly impact compliance, security
and audit issues.
These challenges stem from increased adoption of patient web portals and managing remote and non-employee access to information
in Electronic Health Records (EHRs).
Healthcare providers will need to rely on identity management technology that automates processes for granting and controlling
access to critical systems and information, tightens security and demonstrates compliance without disrupting the clinical
workflow.
With a more fluid and mobile workforce, providing immediate and appropriate access to corporate assets and patient information
is one of the greatest charges facing healthcare providers, and is a critical component in ensuring hospitals are providing
the highest level of patient care and privacy. As the identities that need to be monitored and audited grow in volume and
complexity, the magnitude of this growth underscores why automating the process is critical.
Consider the varied obstacles related to remote user provisioning initiatives. Such obstacles may include the large percentage
of contingent workers, the independent physicians whose comings and goings providers lack visibility into, the orphaned accounts
that remain active long after a worker has left his assignment, and other changes in a user's access depending on the facility,
department or floor they're assigned to in a particular month.
Now consider the proposed convenience, efficiency and improved communication benefits associated with patient web portals.
These secure online sites provide an opportunity for patients and physicians to share and access information regarding prescriptions,
referrals, diagnoses and medical records, and conduct e-consults. For patient web portals to be successful, providers must
overcome barriers such as cost, security and privacy issues, especially when considering these portals must comply with the
Health Insurance Portability and Accountability Act (HIPAA).
Chief Information Security Officers and other senior IT security staff can face daunting identity management and authentication
challenges related to implementing these portals, which may or may not be tied to EHRs.
Ideally, access should be restricted to registered patients only. Portal accounts should be created conditionally based on
successful profile registration. The registration would require the patient to supply authentication based on attributes such
as name, date of birth, medical record number and/or social security number. Upon successful authentication, patients who
respond to additional security questions will be granted, or provisioned with, their portal account and password.
Leaning on automation
Provisioning for patient and remote worker access can be complicated and labor intensive, and worse yet, exposes providers
to tremendous risk. Enter automated provisioning solutions, which decrease the manually intensive processes of granting new
users access to applications or resources, or remove privileges based on changing responsibilities or status.
Making provisioning for patient portal or remote access run as smoothly and cost-effectively as possible involves many user
provisioning best practices. In addition to clearly defining primary business drivers for provisioning initiatives, it is
also important to continually monitor and measure the effectiveness of the automated provisioning solution. Measurement criteria
can include increased operational efficiencies, improved service levels/access availability, strengthened risk posture, streamlined
audit/compliance process or reduced help desk costs.
Scalability is necessary. The user provisioning solution should support the level of change in an organization and user population
without requiring specialized staffing and extensive programming. The solution must be able to scale with the organization
– whether through organic growth or mergers and acquisitions. Additionally, evaluate whether the user provisioning solution
provides capabilities for audit and policy compliance and enterprise role management. To support the level of change in an
organization and demonstrate audit controls, it is necessary to verify access continually, as well as govern the lifecycles
of roles.
A user provisioning solution needs to connect to key applications and infrastructure in a timely and seamless manner. This
includes integration with EHR systems as well as homegrown and legacy clinical and business applications. It is important
to note that centralizing data and control does not scale and is not agile. To deploy user provisioning, roles and compliance
on a broad scale, it is vital to leverage existing assets and connect to distributed security and operational policy. That
may require pulling from various data repositories and directories to create an authoritative data store. Finally, beware
of architectural impacts and dependencies that introduce potential risk or require additional effort that could negatively
impact the overall success of a provisioning project.
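The orphaned accounts and facility-dependent access described earlier, and the authoritative data store built from several repositories described above, can be checked with a reconciliation pass like the following. This is an added example, not code from the article or from any provisioning product; the roster fields, user names and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data: two source repositories and one application's accounts.
HR_ROSTER = [{"user": "jsmith", "end": None, "facilities": {"north"}}]
CONTINGENT_ROSTER = [
    {"user": "rn_lee", "end": date(2007, 1, 31), "facilities": {"north"}},
    {"user": "dr_patel", "end": None, "facilities": {"south"}},
]
EHR_ACCOUNTS = [
    {"user": "jsmith", "active": True, "facilities": {"north"}},
    {"user": "rn_lee", "active": True, "facilities": {"north"}},
    {"user": "dr_patel", "active": True, "facilities": {"north", "south"}},
    {"user": "temp04", "active": True, "facilities": {"south"}},
    {"user": "old_rn", "active": False, "facilities": {"south"}},
]

def build_authoritative(*rosters):
    """Merge source rosters into one identity store keyed by user."""
    store = {}
    for roster in rosters:
        for rec in roster:
            cur = store.setdefault(rec["user"], {"end": rec["end"], "facilities": set()})
            cur["facilities"] |= rec["facilities"]
            # An open-ended assignment in any source keeps the identity current.
            if rec["end"] is None or cur["end"] is None:
                cur["end"] = None
            else:
                cur["end"] = max(cur["end"], rec["end"])
    return store

def reconcile(accounts, store, today):
    """Return (user, finding) pairs for active accounts that violate policy."""
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue  # already deprovisioned
        ident = store.get(acct["user"])
        if ident is None:
            findings.append((acct["user"], "orphaned: no identity in any source"))
        elif ident["end"] is not None and ident["end"] < today:
            findings.append((acct["user"], "orphaned: assignment ended"))
        else:
            extra = acct["facilities"] - ident["facilities"]
            if extra:
                findings.append((acct["user"], "excess access: " + ",".join(sorted(extra))))
    return findings
```

Running the pass on a schedule, rather than only at audit time, is what turns it into the continual access verification the article calls for.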
An ability to predict and prepare for the next set of identity management challenges is critical to decreasing the time and
productivity sinks associated with demonstrating compliance and audit adherence. Preparing to automate and adapt your provisioning
initiatives to respond to remote worker requirements and the demands of patient portals will help achieve a provider's primary
responsibility—excellence in patient care and privacy.
Deborah Pappas is vice president of market strategy, Courion Corp.