It takes a wide variety of employees accomplishing a vast range of tasks to make a healthcare organization work. But, today, these organizations face challenges in ensuring their staffers “stay in their lane” by not overstepping the boundaries of their roles.
Research nurses, for example, can write up orders for blood tests, but they’re not authorized to release the orders. That is the physician’s job.
A billing administrator may write up charges for a patient’s visit, but cannot actually receive the payment. Otherwise, the administrator could conceivably commit financial fraud by falsifying charges and pocketing the money.
For IT managers and teams overseeing electronic medical record (EMR) and other systems, enforcing the limitations of authorized activity for these and countless additional roles creates confusion and frustration. It amounts to monitoring in piecemeal fashion one siloed system after another, without a cohesive, unified way to “see” everything and respond accordingly.
The constant threat of cyber attacks linked to the employees’ behaviors – whether they intend to cause a hacking incident or not – makes the situation all the more foreboding. In the absence of an entirely integrated “eye” over all activity that is acceptable and that which is not, the healthcare enterprise remains highly vulnerable.
This is where Identity Governance and Administration (IGA) can step in to help. As defined by Gartner, IGA tools manage digital identities and access rights across multiple systems by aggregating, correlating and distributing the related data to better control user access. Areas of focus include identity lifecycle and entitlement management, access requests and access certification, workflow orchestration and reporting.
Overall, the global IGA market is expected to grow to $5.8 billion in 2021, up from $3.2 billion the previous year, according to projections from IHS Markit. The concerns voiced by healthcare security and IT professionals make a strong case for industry-wide adoption, with the rising risk of employee-linked cyber attacks keeping them up at night: more than three in five healthcare IT and IT security practitioners rank malicious insiders as a top security threat, and 64 percent say the same about employee negligence or error, according to survey research conducted by the Ponemon Institute and sponsored by Merlin International.
In attempting to respond, organizations are most challenged by a lack of tools to monitor employees and other insiders (as cited by 27 percent of healthcare IT leaders), according to additional survey research from Imperva. Other challenges include inadequate staffing to analyze permissions data when employees seek to call up files, information, systems, etc. (as cited by 25 percent of survey respondents); the growing number of employees, contractors and business partners connecting to the network (24 percent); and the abundance of company assets stored within the network or in the cloud (24 percent).
IGA products tackle these issues head-on, giving IT teams a current view of who holds access to what data and critical workloads, and whether that person's job function justifies those privileges. IGA helps the teams flag users whose accumulated entitlements invite risk, even unintentionally, and gives investigators the identity context they need when a malicious insider may be stealing or destroying data. (IGA governs who is entitled to do what; spotting an actual misuse as it happens is still the job of activity monitoring, which works far better when fed with IGA's role and entitlement data.) It provides access control and audit-log management, and maps its controls to the privacy and breach-management requirements of the Health Insurance Portability and Accountability Act (HIPAA) Audit Protocol. In fact, identity management/authentication is considered by healthcare IT and IT security practitioners to be the most effective step toward achieving security objectives, cited by 71 percent of respondents in the Ponemon/Merlin International survey.
Beyond enhanced cybersecurity monitoring and mitigation, IGA solutions empower organizations to address the following, key needs:
Segregation of Duty (SoD) rules
This refers to the previously described scenarios involving the nurses, billing administrators and everyone else on staff who must "stay in their lane." For starters, it's simply the best way to run a healthcare organization. What's more, HIPAA's minimum-necessary standard and workforce access-control requirements effectively demand it, as do the financial-control regulations that apply to billing. Note the two distinct controls at work in the examples: the nurse who cannot release an order is a role boundary (the entitlement is simply not in the role), while the billing administrator who must not also receive payments is a true SoD rule (two entitlements that are each legitimate on their own but must never sit with the same person).
Fortunately, with IGA-level visibility in place, leadership and IT teams acquire a "single pane of glass" perspective of their entire infrastructure access ecosystem (including cloud environments like Amazon Web Services and Microsoft Azure), file sharing/collaboration activity (such as the usage of Dropbox and SharePoint), EMR usage and enterprise resource planning (ERP)/business functions (Salesforce, PeopleSoft, etc.). The view is only as complete as the connectors behind it, so an application the IGA platform cannot read remains a blind spot. Once coverage is in place, though, when the annual audit comes around IT won't have to gather endless records from many silos to demonstrate appropriate role/access authorizations and controls. Instead, it will collect the information from a single source.
Automated provisioning and de-provisioning
Too many healthcare organizations are still saddled with traditional, time-consuming manual processes when bringing in new employees (or contractors) and configuring their user access authorizations. In this case, HR typically sends a notice to various managers about who's coming in and what they're allowed to do, and IT sets up the provisioning by hand. If a user's role changes, the authorizations require (manual) updating, and the old role is often left in place alongside the new one. If the user leaves the organization, their access rights must be removed (again, manually), and an account that nobody remembers to remove is exactly the kind of orphaned access an attacker or a disgruntled former employee can reuse.
IGA eliminates these tedious inefficiencies by automating provisioning and de-provisioning, from onboarding-stage authorizations through promotions and role changes to the end of a user's association with the organization. The solutions do this for temporary hires too: if a contractor is only supposed to work on-site for three months, IGA will grant the allowable access for those three months and shut it off when the window closes. Periodic access certification then catches whatever slips past the automation, such as an entitlement that a manager approved as a one-off and never revisited.
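To make the SoD rules and the time-bounded provisioning described above concrete, here is a small added model of both controls. It is illustrative code written for this article, not the code of any IGA product, and the roles, entitlement names, users and dates are invented for the example. It shows a role-boundary check (the nurse who cannot release an order), a preventive SoD check that refuses a conflicting grant before it is made, a detective SoD sweep of the kind an access review runs (catching a billing administrator who kept a cashier role after a transfer), and the automatic expiry of a contractor's 90-day assignment.

```python
"""Illustrative model of two IGA controls: segregation-of-duty (SoD) checks and
time-bounded role assignment with automatic expiry. Role, entitlement and user
names are invented for the example; this is not any vendor's implementation."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Role -> entitlements. A research nurse can write orders but not release them;
# the physician role carries both, so that is a role boundary, not an SoD rule.
ROLES = {
    "research_nurse": {"emr.chart.read", "emr.order.write"},
    "physician": {"emr.chart.read", "emr.order.write", "emr.order.release"},
    "billing_admin": {"billing.charge.read", "billing.charge.create"},
    "cashier": {"billing.charge.read", "billing.payment.receive"},
}

# SoD policy: entitlement pairs that no single person may hold at the same time.
SOD_CONFLICTS = [frozenset({"billing.charge.create", "billing.payment.receive"})]


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    start: date
    end: Optional[date]  # None = open-ended; a date = last valid day (contractor)

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)

    def overlaps(self, other: "Assignment") -> bool:
        def ends_on_or_after(a, d):
            return a.end is None or a.end >= d
        return ends_on_or_after(self, other.start) and ends_on_or_after(other, self.start)


def effective_entitlements(assignments, user, day):
    """Union of entitlements from every role active for `user` on `day`."""
    ents = set()
    for a in assignments:
        if a.user == user and a.active_on(day):
            ents |= ROLES[a.role]
    return ents


def can_perform(assignments, user, entitlement, day):
    """Role-boundary check: is this action inside the user's lane on `day`?"""
    return entitlement in effective_entitlements(assignments, user, day)


def sod_violations(entitlements):
    """Every SoD conflict pair fully contained in one person's entitlements."""
    return [pair for pair in SOD_CONFLICTS if pair <= entitlements]


def request_role(assignments, user, role, start, end=None):
    """Preventive SoD: refuse a grant whose window overlaps an existing role in a
    way that would put a conflicting pair in one person's hands."""
    new = Assignment(user, role, start, end)
    held = set()
    for a in assignments:
        if a.user == user and a.overlaps(new):
            held |= ROLES[a.role]
    violations = sod_violations(held | ROLES[role])
    if violations:
        raise PermissionError(f"SoD conflict for {user}: {[sorted(v) for v in violations]}")
    assignments.append(new)
    return new


def certification_report(assignments, day):
    """Detective SoD sweep for an access review: users whose accumulated
    entitlements (e.g. a role left behind after a transfer) conflict on `day`."""
    report = {}
    for user in sorted({a.user for a in assignments}):
        violations = sod_violations(effective_entitlements(assignments, user, day))
        if violations:
            report[user] = violations
    return report


def deprovision_expired(assignments, day):
    """Remove assignments whose window closed before `day`; returns what was removed."""
    expired = [a for a in assignments if a.end is not None and a.end < day]
    assignments[:] = [a for a in assignments if a not in expired]
    return expired


def sample_assignments():
    """Constructed sample data for the example, not real records."""
    d = date(2021, 1, 4)
    return [
        Assignment("nurse.r", "research_nurse", d, None),
        Assignment("dr.s", "physician", d, None),
        Assignment("bill.a", "billing_admin", d, None),
        Assignment("bill.a", "cashier", d, None),  # left behind after a transfer
        Assignment("cash.c", "cashier", d, d + timedelta(days=30)),
        Assignment("temp.t", "billing_admin", d, d + timedelta(days=90)),  # contractor
    ]


if __name__ == "__main__":
    a, d = sample_assignments(), date(2021, 1, 4)
    print(can_perform(a, "nurse.r", "emr.order.release", d))  # False: not the nurse's lane
    print(certification_report(a, d))                         # flags bill.a
    print(deprovision_expired(a, d + timedelta(days=91)))     # temp.t's window has closed
```

The preventive check in `request_role` is what stops a conflict from ever being created; the detective sweep in `certification_report` is what an access certification campaign runs to find conflicts that already exist, which is the more common situation when an organization first rolls IGA out over accumulated manual grants.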
Ultimately, that’s what IGA is about – users getting their jobs done, without going beyond any authorized activity. Managers and IT teams are no longer stretched from silo to silo attempting to track who’s doing what, nor do they spin into a mad scramble come compliance-time to prove that they’re in good standing. Everything is “all there … in one place.” As a result, healthcare organizations boost efficiencies and save on operating costs while focusing more on what they do best: improving the lives of their patients.