New expectations raise standards for identity management

March 1, 2007

In 2007, healthcare providers will face identity and access management challenges that will directly impact compliance, security and audit issues.

These challenges stem from the increased adoption of patient web portals and from the need to manage remote and non-employee access to information in Electronic Health Records (EHRs).

Healthcare providers will need to rely on identity management technology that automates processes for granting and controlling access to critical systems and information, tightens security and demonstrates compliance without disrupting the clinical workflow.

Consider the varied obstacles related to remote user provisioning initiatives: the large percentage of contingent workers; the independent physicians whose comings and goings providers have no visibility into; the orphaned accounts that remain active long after a worker has left the assignment; and other changes in a user's access depending on the facility, department or floor to which they are assigned in a particular month.

Now consider the proposed convenience, efficiency and improved communication benefits associated with patient web portals. These secure online sites provide an opportunity for patients and physicians to share and access information regarding prescriptions, referrals, diagnoses and medical records, and conduct e-consults. For patient web portals to be successful, providers must overcome barriers such as cost, security and privacy issues, especially when considering these portals must comply with the Health Insurance Portability and Accountability Act (HIPAA).

Chief Information Security Officers and other senior IT security staff can face daunting identity management and authentication challenges related to implementing these portals, which may or may not be tied to EHRs.

Ideally, access should be restricted to registered patients only. Portal accounts should be created conditionally based on successful profile registration. The registration would require the patient to supply authentication based on attributes such as name, date of birth, medical record number and/or social security number. Upon successful authentication, patients who respond to additional security questions will be granted, or provisioned with, their portal account and password.

Leaning on automation

Provisioning for patient and remote worker access can be complicated and labor intensive and, worse yet, can expose providers to tremendous risk. Enter automated provisioning solutions, which reduce the manual effort involved in granting new users access to applications or resources, or in removing privileges based on changing responsibilities or status.

To ensure provisioning for patient portal or remote access runs as smoothly and cost-effectively as possible, a number of user provisioning best practices apply. In addition to clearly defining the primary business drivers for provisioning initiatives, it is important to continually monitor and measure the effectiveness of the automated provisioning solution. Measurement criteria can include increased operational efficiencies, improved service levels/access availability, strengthened risk posture, a streamlined audit/compliance process or reduced help desk costs.

Scalability is necessary. The user provisioning solution should support the level of change in an organization and user population without requiring specialized staffing and extensive programming. The solution must be able to scale with the organization – whether through organic growth or mergers and acquisitions. Additionally, evaluate whether the user provisioning solution provides capabilities for audit and policy compliance and enterprise role management. To support the level of change in an organization and demonstrate audit controls, it is necessary to verify access continually, as well as govern the lifecycles of roles.
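The continual access verification described above, applied to the orphaned accounts and month-to-month reassignments raised earlier, can be sketched as a reconciliation job. This is an added example, not code from the original article or from any vendor product; the user names, record fields and the `reconcile` helper are hypothetical, and all data is constructed.

```python
from datetime import date

# Constructed sample data (hypothetical names): assignment records merged from
# HR, staffing-agency and physician-credentialing sources.
ASSIGNMENTS = [
    {"user": "rn.lopez", "facility": "North", "dept": "ICU", "start": date(2007, 1, 1), "end": date(2007, 1, 31)},
    {"user": "rn.lopez", "facility": "North", "dept": "ER", "start": date(2007, 2, 1), "end": date(2007, 3, 31)},
    {"user": "dr.chan", "facility": "South", "dept": "Cardiology", "start": date(2006, 6, 1), "end": None},
    {"user": "temp.kim", "facility": "South", "dept": "Billing", "start": date(2006, 11, 1), "end": date(2006, 12, 31)},
]
# Constructed sample data: active accounts and the scope each currently grants.
ACCOUNTS = [
    {"user": "rn.lopez", "system": "EHR", "facility": "North", "dept": "ICU"},
    {"user": "dr.chan", "system": "EHR", "facility": "South", "dept": "Cardiology"},
    {"user": "temp.kim", "system": "EHR", "facility": "South", "dept": "Billing"},
    {"user": "vendor.svc", "system": "Portal-Admin", "facility": "South", "dept": "IT"},
]

def current_scopes(assignments, today):
    """Map each user to the (facility, dept) pairs valid on `today`."""
    scopes = {}
    for a in assignments:
        if a["start"] <= today and (a["end"] is None or today <= a["end"]):
            scopes.setdefault(a["user"], set()).add((a["facility"], a["dept"]))
    return scopes

def reconcile(accounts, assignments, today):
    """Return (account, finding) pairs for accounts that need review."""
    known = {a["user"] for a in assignments}
    scopes = current_scopes(assignments, today)
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in known:
            findings.append((acct, "no authoritative record"))
        elif user not in scopes:
            findings.append((acct, "orphaned: assignment ended"))
        elif (acct["facility"], acct["dept"]) not in scopes[user]:
            findings.append((acct, "scope mismatch: reassigned"))
    return findings

if __name__ == "__main__":
    for acct, finding in reconcile(ACCOUNTS, ASSIGNMENTS, date(2007, 3, 1)):
        print(f'{acct["user"]:<12} {acct["system"]:<13} {finding}')
```

Run on a schedule against the merged assignment data, the findings list doubles as audit evidence that access was re-verified on that date.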

A user provisioning solution needs to connect to key applications and infrastructure in a timely and seamless manner. This includes integration with EHR systems as well as homegrown and legacy clinical and business applications. It is important to note that centralizing data and control does not scale and is not agile. To deploy user provisioning, roles and compliance on a broad scale, it is vital to leverage existing assets and connect to distributed security and operational policy. That may require pulling from various data repositories and directories to create an authoritative data store. Finally, beware of architectural impacts and dependencies that introduce potential risk or require additional effort that could negatively impact the overall success of a provisioning project.

An ability to predict and prepare for the next set of identity management challenges is critical to decreasing the time and productivity sinks associated with demonstrating compliance and audit adherence. Preparing to automate and adapt your provisioning initiatives to respond to remote worker requirements and the demands of patient portals will help achieve a provider's primary responsibility: excellence in patient care and privacy.

Deborah Pappas is vice president of market strategy, Courion Corp.