By Jackson Shaw, CSO, Clear Skye
Healthcare organizations face an uphill battle when it comes to balancing security and business agility. This is especially true for identity and access management (IAM) and identity governance and administration (IGA), which ultimately govern who has access to which data and applications within an IT environment. While it sounds straightforward, gaining visibility into access and permissions across an entire organization is easier said than done.
Stringent regulatory compliance and risk management requirements for information security, including HIPAA, NIST, and ISO, have made healthcare organizations selective about the solutions they choose. Add in the financial constraints tied to new technology implementations and the resources necessary to get them up and running, and many default to taking IAM into their own hands. Unfortunately, this often leads to very siloed and manual processes that are ultimately ineffective.
That said, a total IT overhaul is not always an attractive or even realistic option. In healthcare, the potential for interruption to service or IT downtime can be detrimental and downright dangerous in extreme cases. So, how do organizations strike the balance between good security and compliance measures and business agility? Fortunately, there are calculated steps they can take to better streamline IAM without sacrificing performance or adherence to industry regulations.
First, it’s important to understand what’s at stake without proper identity governance. In an increasingly digital world, virtual appointments, connected health devices, and electronic health records are now the norm. These advances are great for giving a holistic view of a patient, which ultimately enables medical staff to provide better care, but they also open a Pandora’s Box of new threats and vulnerabilities. And it’s not just hackers in search of valuable information to exploit, but also the more common internal mishandling of data—intentional or not.
Beyond the risk of a cyber attack, legacy IAM protocols can have a negative impact on worker productivity and overall business functions. Additionally, with most manual processes, the possibility of human error through complex workflows, duplicative data entry, and miscommunication is another concern. In fact, one healthcare organization reported that it was taking up to 40 man-hours to complete a review of a single application, so that a full audit of its hundreds of business apps took months on end.
For this company, and countless others, automating the IAM/IGA approach is key to freeing up IT teams to deal with both mission-critical issues and longer-term business needs. And in many cases, they need to do this without additional personnel or an expensive investment in a complex solution. Rather than having staff pore over spreadsheets, automated solutions can assist in compliance efforts, give managers visibility into and control over what levels of access are most appropriate for particular users and groups within a company, and manage privileges in real time.
Another way to mitigate some of the challenges of implementing strong IAM/IGA programs is to use an ITSM approach, that is, to find solutions that work within existing technology investments. As many businesses migrate to the cloud, IT leaders are increasingly choosing identity management solutions that run natively there, minimizing the need for additional hardware, end-user training, and expensive integration. In doing this, IT teams can take advantage of their existing expertise on their cloud platform while standardizing the automation process on a familiar product, enabling projects to take off quickly with fewer hiccups along the way.
To kick off the access certification automation project, and to make the best use of existing resources, Premise Health focused on approximately 60 reviews. The company took a risk-based approach, using Clear Skye to automate access certification reviews and starting with the applications that have the most contact with personally identifiable information (PII) and protected health information (PHI).
By automating processes and using an ITSM approach to identity management, the aforementioned healthcare company was able to reduce the time to complete reviews from 30 to 40 hours to 10 to 25—half the time. This has resulted in overall time savings of up to 1,500 hours annually and has reduced the overall security and compliance risk. By doing more with the same team and technology solutions, time- and cost-savings are a given.
As stricter regulations around data and voluntary certifications, such as HITRUST, become competitive differentiators for healthcare organizations, it’s time to get serious about identity governance strategies. Thankfully, it doesn’t have to be a process defined by exorbitant expenses, added resources, or complicated systems updates. But in order to stay ahead and maintain the trust of patients and prospects alike, it’s important to address identity and access management sooner rather than later.