Not too Tight, Not too Loose

March 3, 2008
by Mychelle Mowry and Reid Oakes
Today’s healthcare environments require an enterprise approach to identity management that ensures security while letting clinicians practice.

In healthcare, the swift digitalization of clinical and financial data offers promising benefits, including reduced costs, higher quality of patient care, and a channel to include and help educate consumers. The growth of electronic data in healthcare, however, has been accomplished through a relatively non-structured approach to IT procurement, leaving provider organizations to support numerous clinical and administrative systems while lacking a single-support and security framework to effectively manage the high volume of digital data. The resulting situation is a maintenance nightmare with increased risk of access and security breaches.

A recent study of more than 850 provider organizations by the board of the eHealth Vulnerability Reporting Program revealed that the security of electronic health records (EHR) is squarely at risk. Indeed, some industry experts estimate that as many as 77 people could view a patient’s record during a typical hospital stay. While necessary to ensure access for clinicians focused on saving lives, it is equally important to protect the security and privacy of sensitive patient data from inappropriate use.

To reduce risk, streamline IT management and enhance compliance, progressive healthcare organizations are rethinking their approach to identity management ― moving toward an automated enterprise-wide framework that treats identity management as a centralized IT service, as opposed to an embedded, duplicate functionality in every application deployed. This approach enables organizations to effectively manage access, role management and the end-to-end lifecycle of user identities across all enterprise resources.

Protected Health Information (PHI) spread across numerous clinical and enterprise systems challenges an organization’s ability to secure, audit and report on data access. Maintaining critical data points in multiple systems with separate security roles and asynchronous privileges increases the potential for error. As organizations look to implement longitudinal patient views or collaborate with other providers, the complexity associated with best-of-breed solutions greatly increases the cost of success.

By deploying an automated identity framework, organizations can consolidate practitioner access roles and privileges, ensuring practitioners have access to all relevant data in the enterprise. The automated framework also enables centralized reporting and policy enforcement, decreasing the time and cost associated with Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and other privacy and security compliance requirements.

Simplifying the provider experience

Healthcare organizations are challenged with managing two opposing requirements ― the practitioner’s need for easy access to information versus the organization’s need to apply increased privacy and security controls against that data. Excessive security within a healthcare organization limits its ability to provide effective and efficient patient care. Conversely, the lack of sufficient security makes the organization vulnerable to legal and civil penalties. Clinicians need solutions that minimize the number of keystrokes required to access information; however, best-of-breed IT strategies have complicated this process.

Physicians spend on average seven minutes per patient encounter, of which they spend nearly two minutes on managing logins and application navigation. Likewise, an average major healthcare provider has more than 150 applications ― most requiring different user names and passwords ― making it difficult for caregivers to navigate and receive contextual information. Healthcare organizations must strike the right balance, in terms of simplifying access to core clinical data sets while maximizing the time providers can interact with patients without jeopardizing data integrity and security.

To simplify the provider experience, organizations need to bring multi-faceted identity-based services to the end-user level. Many organizations have undertaken “phase 1” project initiatives, such as enterprise single sign-on, context management or adaptive authentication. While a good start, these initiatives alone do not provide a comprehensive solution. To fully address the problem, healthcare organizations require an enterprise approach that encompasses enterprise single sign-on, context management and adaptive authentication ― as well as the ability to deliver fast and efficient enterprise-wide workflow to manage the user experience.

Single sign-on and context management

An enterprise single sign-on service must integrate not only with clinical systems, but also with critical network and infrastructure components such as e-mail, file sharing and enterprise collaboration services. While enterprise single sign-on improves the user experience when accessing multiple applications, it only provides the initial authentication to the system. To mitigate risks, providers must also provide context management.