Identity in Healthcare: A Diet for 2011 and Beyond – Part 1 of 3
For some time now, we have been working with healthcare companies looking to roll out an Identity and Access Management (IAM) infrastructure to address their most pressing access governance needs. Often, these deployments stem from something bad having happened, or simply from a high degree of loudly voiced frustration from end users. In the past year and a half this trend has gained momentum thanks to companies looking to comply with Meaningful Use.
This experience has given us some very interesting insights into the healthcare sector, and in this 3-part article I would like to share some of them. As you would expect, our focus will be mainly an identity-centric perspective on the issues; in no way do we mean to trivialize other complex issues in healthcare, whether in IT or other business areas.
Some macro trends…
The reality is that there has been tectonic plate movement in the healthcare industry for some time, but recently the plates seem to be aligning and maybe even accelerating, especially with regard to:
1. The aging population
This may be common knowledge to some, but as the baby boomers continue to reach retirement age, their need for healthcare services will continue to grow, and demand for those services will rise dramatically. Statistics show that “after adjustment for inflation, health care annual costs increased significantly among older Americans from $9,224 in 1992 to $15,081 in 2006”.
2. Healthcare remains highly inefficient
By many accounts, the US healthcare system is very inefficient. Its high costs do not translate into better care or longer life expectancy. From a technology perspective, we’ve found that IT in healthcare is, on average, 8 years behind other industries (with some exceptions, of course).
As it relates to IAM, it is very clear to us that managing user access to both IT and clinical systems has been, at best, an afterthought. Healthcare organizations consistently exhibit the most issues around: terminated users’ accounts still lingering in the environment; many users having more access than they should; end users having to remember a high number of different credentials; no reliable authoritative sources (particularly for non-employees) on which to anchor identity lifecycle processes; and rarely any reconciliation or access recertification processes in place.
Some of the anecdotes that we have heard from working with clients include:
The case of a physician getting ready to perform a procedure on a patient: because the procedure was done at a facility different from his regular consultation office, his credentials there had expired due to inactivity. After several failed attempts to log into the Picture Archiving and Communication System (PACS) to look at a previously taken MRI (Magnetic Resonance Imaging), the account was locked. A call went to the help desk, which, as the physician discovered, was not responsible for this particular system, so it could not immediately unlock the account. In frustration, the physician asked a nurse to log in and look for the image he needed. “Luckily,” the nurse had been given more access than she needed, so she was able to open this patient’s record and pull out the required image.
Scary, isn’t it? (I can imagine how many times this scenario results in the wrong patient’s image being pulled, but I will not go there.) The fact is, in most healthcare organizations, access governance is at best inefficient and at worst non-existent.
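The governance gaps listed above (orphaned accounts of terminated users, excess access, accounts with no authoritative source, dormant credentials like the physician’s) are exactly what a periodic reconciliation is meant to surface. The following is an added example, not code from the original post or from any vendor product, of such a reconciliation run over constructed sample data: it assumes an HR roster is the authoritative source for employees, that each system exports accounts with a last-login date and an entitlement list, and that a role-to-entitlement baseline (invented here) defines what each role should hold.

```python
"""Minimal access-governance reconciliation (added example, constructed data).

Compares an authoritative HR roster against per-system account exports and
flags the four failure modes described in the article: orphaned accounts,
accounts with no authoritative source, dormant accounts, and excess access.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str        # e.g. "physician", "nurse" (assumed HR attribute)
    status: str      # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str      # e.g. "PACS", "EHR"
    enabled: bool
    last_login: date | None
    entitlements: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Finding:
    kind: str        # orphaned | no_authoritative_source | dormant | excess_access
    user_id: str
    system: str
    detail: str


# Constructed baseline: the entitlements each role is expected to hold.
# In practice this comes from a role model or past recertification results.
ROLE_BASELINE: dict[str, set[str]] = {
    "physician": {"PACS:view_images", "EHR:read_chart", "EHR:write_orders"},
    "nurse": {"EHR:read_chart"},
    "clerk": {"EHR:read_chart"},
}


def reconcile(hr_records: list[HrRecord], accounts: list[Account],
              today: date, dormant_days: int = 90) -> list[Finding]:
    """Return one finding per root cause found in the account exports."""
    hr = {r.user_id: r for r in hr_records}
    findings: list[Finding] = []
    for acct in accounts:
        rec = hr.get(acct.user_id)
        if rec is None:
            # No authoritative record at all (typical for contractors/vendors).
            findings.append(Finding("no_authoritative_source", acct.user_id,
                                    acct.system, "no matching HR record"))
            continue
        if rec.status == "terminated" and acct.enabled:
            # Leaver whose account was never disabled; remediation is to
            # disable it, so further checks on this account add nothing.
            findings.append(Finding("orphaned", acct.user_id, acct.system,
                                    "HR status is terminated but account is enabled"))
            continue
        if acct.enabled and (acct.last_login is None
                             or (today - acct.last_login).days > dormant_days):
            findings.append(Finding("dormant", acct.user_id, acct.system,
                                    f"no login in the last {dormant_days} days"))
        extra = acct.entitlements - ROLE_BASELINE.get(rec.role, set())
        if extra:
            findings.append(Finding("excess_access", acct.user_id, acct.system,
                                    "beyond role baseline: " + ", ".join(sorted(extra))))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, the headline numbers for a recertification report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data mirroring the article's anecdotes.
TODAY = date(2011, 3, 1)
SAMPLE_HR = [
    HrRecord("dr_smith", "physician", "active"),
    HrRecord("nurse_jones", "nurse", "active"),
    HrRecord("former_clerk", "clerk", "terminated"),
]
SAMPLE_ACCOUNTS = [
    # Physician's account at the other facility: last used six months ago.
    Account("dr_smith", "PACS", True, date(2010, 9, 1), frozenset({"PACS:view_images"})),
    # Nurse holding image access her role does not call for.
    Account("nurse_jones", "PACS", True, date(2011, 2, 28), frozenset({"PACS:view_images"})),
    # Terminated clerk whose EHR account is still enabled.
    Account("former_clerk", "EHR", True, date(2010, 11, 1), frozenset({"EHR:read_chart"})),
    # Account with no HR record behind it.
    Account("contractor_x", "EHR", True, date(2011, 2, 1), frozenset({"EHR:read_chart"})),
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY):
        print(f"{f.kind:24} {f.system:5} {f.user_id:14} {f.detail}")
    print(summarize(reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)))
```

Run against the sample data this produces one finding of each kind. The dormant threshold of 90 days is an assumption; what matters is that the threshold is chosen deliberately and that dormant accounts feed a recertification queue rather than silently locking out a clinician mid-procedure.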
3. More regulatory and compliance pressure
Beyond HIPAA, with its emphasis on patient privacy, and PCI for payment processing, healthcare organizations are looking to meet the Meaningful Use criteria for healthcare IT in order to qualify for incentives. These forces have driven healthcare organizations to invest in security to strengthen access control over sensitive information and systems.
Many organizations have, for the first time, created an Information Security organization and hired a CISO. The shift towards Electronic Health Records makes it even more important to ensure that people have access only to the information they are supposed to have. The collaboration of healthcare organizations in Regional Health Information Exchanges (RHIO) requires a minimum set of access control mechanisms to be in place to enable effective, privacy-respecting collaboration. The combined effect of these regulatory drivers has forced access governance and privacy enforcement to bubble to the top of many healthcare organizations’ IT agendas.
That said, in most cases we have seen organizations start with a single sign-on (SSO) initiative, many using proximity cards for both strong authentication and a simplified sign-on process. I blogged about this trend several times in 2010 and predicted it would gain strength in 2011; the evidence we have seen so far supports that prediction. The risk for organizations that make SSO the first initiative of their IAM program is that it may create the illusion they are in control, and take focus away from the real issues in managing user access to information.
…So what does this all mean?
Given these forces, we anticipate that in the next few years the healthcare industry will accelerate its push towards increased IAM efficiency. The market will no longer tolerate the inefficiencies in this industry, particularly as demand for healthcare services increases.
In part 2 of this 3-part article, we will delve deeper into the implications this shift towards efficiency has in the world of identity.