Revolving Door of Identities

August 1, 2007
by Deborah Pappas
With an increasingly mobile workforce, healthcare providers are looking for clear, flexible and well-defined best practices

Providing immediate and appropriate access to corporate assets and patient information is one of the greatest challenges facing care delivery organizations, and is a critical component of ensuring that the highest level of patient care is delivered. Whether it's a network of affiliated physicians or an influx of interns at academic medical centers, healthcare providers have an increasingly rotating and mobile workforce. So, when providers introduce large numbers of new staff into their environment — many of whom may not exist in traditional HR or payroll systems — who controls their access to information? How is it monitored and audited? Is it provided immediately to ensure proper patient care?

Increasingly, healthcare providers are investing in identity management technology to help automate processes involved with granting and controlling access to critical systems and information, tighten security and demonstrate regulatory and audit compliance — without disrupting the clinical workflow. But before you head down the path of automation, there are some best practices to consider when provisioning resources for your workforce.

  1. Identify key business drivers. Identify the primary business drivers or pain points that impact user provisioning initiatives. Is it your large percentage of contingent workers? Or the independent physicians whose comings and goings you have no visibility into? Is it the risk of orphaned accounts that remain active long after a worker has left the organization? Or simply handling the granular nature of how a user's access may need to change depending on the facility, floor, or department they're assigned to in a particular month?

  2. Win executive sponsorship. Secure an executive sponsor who can connect the needs of your clinicians to specific user provisioning initiatives. This could include the CIO, CMO or chief compliance officer — not just from a HIPAA perspective, but from an increasingly "voluntary" Sarbanes-Oxley (SOX) compliance standpoint.

  3. Define metrics for success. Define how you will measure success up front based on criteria such as increased operational efficiencies, improved service levels/access availability, strengthened risk posture, streamlined audit/compliance process, reduced help desk costs, etc.

  4. Establish a starting point. Identify a starting point — whether with automated user provisioning, access compliance verification, role lifecycle management, password management, or enterprise single sign-on — and focus your identity management deployment accordingly. By targeting the first wave of implementation, you can more rapidly deliver measurable business results and continue to iterate through the program to drive incremental value.

  5. Ensure scalability. Make sure your user provisioning solution will support the level of change in your organization and user population without requiring specialized staffing and extensive programming/scripting due to hard coding relationships between users, access rights and resources. The solution must be able to scale with the organization — whether through organic growth or mergers and acquisitions.

  6. Integrate audit, policy and role compliance. Evaluate whether or not the user provisioning solution provides capabilities for audit and policy compliance and enterprise role management. Avoid having separate capabilities for these areas that don't integrate with core user provisioning, since audit/policy compliance reviews will inevitably result in provisioning actions (whether de-provisioning or re-provisioning users), and roles will also need to be provisioned once they're defined. And in order to support the level of change in your organization and demonstrate audit controls, you'll need to verify access on an ongoing basis as well as govern the lifecycles of roles.

  7. Assess infrastructure compatibility. Request a proof of concept to ensure the user provisioning solution can connect to key applications and infrastructure in a timely and seamless manner. This includes integration with electronic health record (EHR) systems (such as Cerner, Epic, McKesson, Meditech, etc.) as well as homegrown and legacy clinical and business applications.

  8. Leverage existing identity and policy repositories. Centralizing data and control does not scale and it's not agile. To deploy user provisioning, roles and compliance on a broad scale you need to leverage existing assets and connect to distributed security and operational policy. That may mean pulling from various data repositories — Lawson, Oracle, MIIS, LDAP directories, etc. — in order to create an authoritative data store.

  9. Understand role requirements. Do not require roles up front as a prerequisite to getting into production with user provisioning; if HL7 role-based access control is part of your user provisioning initiative, roles can be built in parallel with provisioning automation or introduced in subsequent phases of deployment.

  10. Identify landmines. Beware of architectural impacts and dependencies that introduce potential risk or require additional effort that could negatively impact the overall success of your provisioning project.