Healthcare IT Blog

Identity and Access Management

Published on 07/14/2014 by Mark Luquire
Category: Security

It sounds like a mouthful, but one of the most important areas that any healthcare IT organization will have to deal with in the new world of HITECH and Meaningful Use is Identity and Access Management. Let’s think about this for a minute. Healthcare IT organizations have always been responsible for managing the user accounts within the organization and facilitating access to various systems ranging from the electronic medical record (EMR) to email to file servers (i.e., Identity Management). They have also been responsible for determining how those systems are accessed: via a webpage, a virtual desktop such as Citrix XenApp/XenDesktop or VMware Horizon View, a computer or device at the facility or a remote one, and so on (i.e., Access Management).

In the new world of HITECH, all of these same concerns exist; however, the depth to which an organization must go increases. For example, you now have a growing number of physician practices that must be able to access the EMR wherever they are, meaning you have to be able to support remote access. Tablets are the new norm in healthcare environments, and the ability to provide information in a secure manner on demand is a requirement. As a result, your access management methodology has to adapt. Restricting access to only those devices managed by your organization is not really an option, as you risk driving those physicians’ business away when you tell them they can’t connect with their own device. Virtual desktop solutions can help to ease this burden. These solutions allow you to introduce single sign-on technologies. Imagine a physician simply being able to tap his ID card to complete a logon process and being able to roam from location to location without having to start over again.

The Identity Management process across your environment must be both efficient and comprehensive. It is not unusual for a hospital to have multiple systems, each with its own separate, independent logon. You must make sure you have robust access management procedures that cover every system with a logon across the entire infrastructure. Failure to adequately manage the identities across all systems could result in breaches of data and ultimately serious legal and financial penalties for you and your organization.

Routine processes must also support the organization’s security practices. For example, when managing identities, do you have a mechanism in place to verify someone’s identity when they call for the inevitable password reset? As you examine every aspect of identity management for your IT services, you must adjust processes to ensure security. Determining that someone is who they claim to be on the phone can be challenging, but it is critical in the healthcare space. What about when you deploy MEDITECH’s Patient and Consumer Health Portal? Your IT organization is now responsible for identity management for your patient population. It is in this space that many organizations may struggle and find themselves at the most risk. Establishing processes to verify identities, including those of patients, physicians, employees and others with system access, while maintaining confidentiality, integrity, and compliance with HIPAA and other industry regulations and standards is a challenge.

In an effort to help streamline Identity & Access Management and increase EMR adoption and efficiency, consider looking at single sign-on solutions. Such solutions can enable clinicians to simply tap a card and enter a PIN when trying to access their EMR and other applications. While this isn’t a solution to cover all areas, it helps offer better security for your systems. Organizations should still clearly define end-to-end processes for Identity Management to include account creation, modification, termination and periodic audits of activity and permissions throughout the related systems. Security is an ongoing effort, and no one control is foolproof or covers all areas.

Mark Luquire is the Cloud Operations Manager at Park Place International.  He has been in the healthcare IT space for nearly a decade.  Mark managed teams of engineers providing services for more than 60,000 end users at the enterprise Healthcare IT level.  He brings experience with a wide breadth of technologies including MEDITECH, Citrix, network services, identity management, Microsoft, and more with a passion to make sure the patient is always considered.