Guest Column | March 5, 2019

The Identity Lifecycle Of Healthcare Workers: Improving Security And Access Management

By Ian Aitchison, Senior Product Director, Ivanti

Security Industry Change Needed

A survey by Compdata validates what healthcare organizations are experiencing everyday: one of the highest employee turnover rates in an overall job market whose turnover rate is going up every year. The 2018 survey shows healthcare at a total turnover rate of 20.4 percent, bracketed by hospitality, at 31.8 percent and manufacturing and distribution at 20 percent. The implications are clear for healthcare IT and security professionals – a significant part of their job is onboarding new personnel, revising access as personnel change roles, and securely offboarding employees to guard against risk.

As a result of this constant employee churn, organizations are focusing more on the discipline of identity management, the process of granting people access to applications and data, and any other systems or ‘entitlements’ that they need to be productive. And it's about managing an employee's identity life cycle as they go through their tenure at an organization. Employees tend to gain access to an increasing array of resources, as they change positions or move to different departments. When they leave, offboarding can be a nightmare, often with employees leaving while still retaining access to some applications, and thereby opening the door to compliance violations.

Compliance And Efficiency Implications

Employee onboarding and continual identity management was becoming a challenge for UMC Health System, a Lubbock, Texas-based healthcare organization which operates a 500-bed acute care hospital, 38 urgent care and primary care clinics, and is the academic teaching hospital for Texas Tech University Health Sciences Center School of Medicine. UMC Health System employs 4,800 employees and supports 3,100 external and private users. On average, they were onboarding 75 new employees every week, and twice a year, they had to process over 400 requests from Texas Tech Health Sciences Center School of Medicine for new residents, new nurses, new nursing students, and to support their clinical practices.

“We began our journey before automation. It was not efficient. It was paper-driven. And it was a very manual, physical process to literally take paper between departments to get accounts set up. It would take upwards of two to three weeks to complete that process,” recalls Justin Fair, Director of IT Infrastructure for UMC Health System.

The onboarding delays were problematic for effectively meeting compliance standards. Nurses would be hired, get onto their unit, but not yet have access to the tools they needed to log into the electronic health record (EHR) to chart patient data. It was tempting to simply log in with another nurse’s credentials, a HIPAA violation. Similarly, physicians were being delayed in getting access to the clinical tools designed to protect patients. And on the ancillary support side there were users in accounting and finance who could not log into their computers, which could delay getting funds processed or received.

Moving To Modern Processes

UMC Health System needed to move from this arduous, inefficient, manual process to one employing modern automation, and a full complement of identity and access management tools. They began to search for a solution that could accomplish a dramatic shift in their culture, from a manual-driven, siloed process to an automated system in which HR and other departments would become more tightly integrated, and in which data could flow easily from HR and other departments to the identity management solution. Among the objectives were automating key operational processes, such as granting access privileges, managing over 300 applications, and account provisioning for private practice and external users.

This level of change is an evolutionary process at UMC Health System. The healthcare provider knows migrating to automated processes is a cultural shift as well as a technological change. “And within organizations, sometimes that's a difficult change because if you're used to having a piece of paper as people naturally are, they may be uncomfortable with relinquishing that piece of paper and going to something that is electronic. So that was another change hurdle that we had to overcome,” said Fair.

The change to an automated identity management system, which UMC Health System began in 2016, has resulted in significant improvements in efficiency and access to patient care records. They reduced their average onboarding process from seven to five steps, and dramatically cut average time for provisioning from two to three weeks down to two days.

Another major efficiency achievement was the automated provisioning of their Cerner Electronic Health Records (EHR) system. UMC Health System has between 5,000 and 8,000 active users within Cerner Millennium, depending on the time of year. “If a clinician does not have access to the electronic health record, they do not have access to the tools that are meant to help them from a patient safety perspective. And as healthcare is driven around patient safety, reimbursements and efficiencies, that is a significant risk for us. And so accomplishing that, was significant for us from a business perspective,” said Fair.

Looking ahead, UMC Health System will be automating the provisioning of over 3,000 external user accounts. “There are definitely considerable efficiencies that can be realized with automation, that results in both soft and hard dollar savings from the business side,” Fair noted.

Here are five considerations in moving to a secure, automated identity management process:

  1. Change management. Reshaping essential business processes like onboarding and offboarding requires a sensitivity to change management. To be successful IT needs to engage HR, line-of-business managers and application owners from the beginning, to get alignment on transitioning automation into the larger organization. This is the time to hear any implementation concerns in order to achieve effective buy-in and support.
  2. Integrating automation. Transitioning from manual-driven processes is both a cultural and technical shift. Automation changes how systems talk to one another and presents the challenge of integrating a myriad of applications into the identity management solution. Therefore, once you have buy-in you need to develop clearly defined, documented processes that become the standard for how HR works, and the process for bringing applications into the identity management solution. Guesswork doesn’t work with automation. This phase is the longest in terms of execution and absolutely essential to having automation be successful.
  3. Enabling innovation. IT needs to build a development environment for all critical applications as well as Microsoft Active Directory. This enables IT to create new processes or new automated entries. Having a development environment allows for quick testing and continual improvement.
  4. Controlling access. Mindful of cybersecurity threats, IT and security teams are starting to work more closely to integrate identity governance and administration with privileged access management systems. Those with higher access clearance are a cyber target since they are connected to the most valuable assets. Healthcare organizations ready to employ automation should work toward this tighter integration, further ensuring control over privileged and non-privileged accounts, and quickly revising access as people’s roles change. With better access controls, and automation as the foundation, line-of-business managers also can activate resources for their team, and individual employees can self-serve from an available menu – greatly enhancing workflow efficiency.
  5. Automated de-provisioning. Tighter integration between IT and security will enable the quick revocation of privileges and access to assets when an employee leaves or is terminated. With automation, IT can return services and revoke access immediately once an employee is offboarded. Using a real-time dashboard as part of an identity management solution, IT and security can immediately see who has left the organization, as further protection against risk.

Servicing Workspaces Of The Future

The workspace of the future is becoming even more virtual, more based in the cloud, and less tied to a physical location. At the same time, the number of devices people are using, and the endless array of applications in use, demand healthcare organizations move to more automated processes to control this complex environment. Servicing patients, staff, physicians, and all stakeholders is challenging against the backdrop of cyber threats and compliance requirements. An efficient, automated identity management solution, with cooperative buy-in from HR, line-of-business managers and executives, is an

Important step in improving the overall productivity and data security of a healthcare organization.

About The Author

Ian Aitchison is Senior Product Director for Ivanti.