Skip to content Skip to navigation

Identity and Access Management: HCA Healthcare’s Big-Scale Approach

December 15, 2014
by Mark Hagland
| Reprints
At the vast HCA Healthcare, a focus on deploying comprehensive, manageable identity and access management solutions across 165 hospitals

Bobby Stokes is assistant vice president, enterprise systems and identity and access management at the Nashville-based HCA Healthcare. The largest for-profit hospital company in the United States, HCA Healthcare encompasses 165 hospitals and 115 freestanding surgery centers, as well as 204,000 employees, in 20 states and in England.

The size and scope of the organization are further reflected in the fact that its enterprise systems professionals must maintain 120 corporate applications, ranging from identity services, through provisioning services, mobility development, collaboration platforms (Intranet capabilities and search engines), security initiatives, and general development initiatives, among others.

Naturally, supervising such a broad range of activities and technologies requires strong identity and access management policies, protocols, and procedures. Stokes, whose staff includes over 70 professionals, and who reports to the corporation’s vice president of product development, works assiduously with his team to ensure both optimal availability and optimal security. Within that area, he and his colleagues have been partnering with the Seattle-based Caradigm USA. Stokes spoke recently with HCI Editor-in-Chief Mark Hagland. Below are excerpts from that interview.

You have a vast organization to help manage, when it comes to identity and access management. Have you implemented a single sign-on strategy?

As far as Caradigm goes, we have the whole identity life cycle management. The touch points with Caradigm are single sign-on and provisioning. Provisioning is the process of managing resource deployment for new employees, giving them access to applications, etc. When you join us, we want you to have a computer on your desk and applications at the ready. We also need to make sure that when you leave, you no longer have access.

So now, for example, you’re a nurse at one of our hospitals, and we notice you’re looking at the patient records of somebody who lives three doors down, and is that OK or not? We need to find out, and if something inappropriate has happened, we need to address it immediately. That latter part is not a Caradigm piece per se, but a downstream event. If you can give them access when they get there and then shut down access when they leave, that improves security.

You can’t get rid of risk, but you can minimize it. It goes back to giving the right people access at the right times. With employees, we can take them through the HR [human resources] process. Among our physicians, 6,000 are employees, but the rest are our customers.

What made you go for a comprehensive solution in these areas?

The Caradigm SSO product is fairly comprehensive; and ProVision does a good job in provisioning. But I don’t know that anybody has a total solution. And our HIS is Meditech, but there are many other systems out there, and you’ve got to be able to deal with all of them; and one of the things that makes Caradigm an interesting and viable player in this area is that they focus on healthcare. A lot of single sign-on solutions tend to be very generic. And Meditech is a very proprietary, fat client. And Caradigm has had to figure out a way to work with Meditech. If you’re talking about Epic and you say, we need to interface with Epic, they’ll know what you’re talking about. But it’s harder with Meditech.

What are the couple of biggest healthcare-specific challenges involved in developing a strong, enterprise-wide identity and access management program?

The security side of it is the biggest challenge; we’re so focused on security breaches. Yesterday, something I came across that was interesting, is that if you have a person’s SS number or credit card number, is worth about $1 on the open market, according to the FBI. But a person’s EHR [electronic health record] information is worth at least $50.

Yes, experts are now concluding that the identities of healthcare consumers and patients are worth $50 or even $75, which is extraordinary, in context. Why do you think the differential is so strong compared to, say credit card identities?

One reason is probably that the EHR is going to have a lot of information—the patient’s Social Security number, address, family members, insurance information; and if it’s somebody famous, you can imagine what that’s worth. Community Health Systems lost 4.5 million patient records a month or so ago, and it’ll probably cost them $75 to $100 million. They have to notify all the patients and pay for monitoring services.

When did you go live with these solutions from Caradigm?

About four or five years ago. About 130,000 people use the single sign-on every day. We track utilizations through log-ins avoided. Every time they click a button and access an app, that’s a log-in avoided, and we average about 17.5 million of those a month. That helps employees, but it especially helps physicians. Some of them may have 10-12 apps they’re working on. And if they’re not integrated—just imagine trying to keep up with your own personal passwords. These physicians are working different passwords at different hospitals and sites. And if you’re at HCA, you’re logging on with one name and password. Our goal has been to make things easier for them. It’s a small thing for them individually, but those things add up. And this affects their staffs as well. We have about 80 applications integrated with the single sign-on.

Have there been any broad lessons learned so far from the way that this program has been implemented?