“Identity in the Age of Digital Trust”: A Healthcare Provider’s Case Study on Why They Partnered with SecZetta

Recently identity industry leaders came together for the “Identity in the Age of Digital Trust” webinar, where the discussion focused on how rapid growth of workforce identities in the enterprise has resulted in renewed attention on identity and access management (IAM) solutions.

Below are some of the highlights of the exchange between Asif Hafiz, executive director, Identity, Access Management and Domain Services for AdventHealth, one of the largest healthcare providers in the country, and David Pignolet, founder and CEO of SecZetta, the leader in identity risk management solutions.

Samantha Santaniello, MassMutual Ventures (Moderator)

Asif, your organization, AdventHealth, has decided to use SecZetta. Can you tell us a bit about the business problem and how you’re solving it with SecZetta as a solution?

Asif Hafiz, AdventHealth
Sure, so we’re one of the largest healthcare providers in the US, with about 50 hospitals, hundreds of medical offices, and other care centers across the country. AdventHealth has approximately 75 to 85,000 employees at one time, and 40 to 50,000 non-employees. So, the ratio of our non-employee population compared to our total workforce is about 40%.

We started having conversations because initially all our non-employees were being entered and managed into our HR system. HR didn’t want to own these non-employees…they have completely different processes.

Leadership came to us saying that we need to find another way to manage the identities of these non-employees. At that time, we started building our own homegrown solution to manage non-employee identities. We spent hundreds and thousands of hours building that application.  …Actually, two separate applications: one for managing the lifecycle of non-employees identities, and the second one to handle identity governance.

Over this time, we were in constant touch with SecZetta, and at the beginning of 2020 we decided that SecZetta was ready for us because we had several deficiencies in our applications. That’s when we signed the contract with SecZetta.

Some of the areas that we were lacking in our homegrown applications were self-registration and the ability for the sponsor (or hiring manager) to invite a contingent worker to self-register using a secure portal. This was a labor-intensive task for our sponsors to manually enter this information, especially for students and volunteers, which can be in large volume and high turnover. Self-registration also increased the accuracy of entered information and increased the speed of approval for onboarding of the subject.

We were also looking for risk scoring…the ability to assign risk score to our CWRs (contingent workers) and vendors that we onboard. We can monitor the access and control that these CWRs have based on the score assigned to them. We also integrated with our contract management application and can deactivate all CWRs associated with a particular vendor whose contract expires at a certain time.

And finally, the ability to make changes to workflows through the application rather than needing a programmer to make code changes. Those are the reasons why we went with SecZetta.

Samantha Santaniello, MassMutual Ventures (Moderator)

Dave, I heard a few different things from Asif on why he loves SecZetta. What are other reasons that your customers are using your solution?

Dave Pignolet, SecZetta
I can think of three reasons in addition to the standard third-party identity lifecycle and risk:  collaboration, managing non-human workers, and consolidation (or identity mastering).

On collaboration, Asif talks about this from their implementation perspective…managing third-party identity is different because it takes a group of people to provide and manage the data around that individual that eventually equates to access. It takes a sponsor within the organization…It also takes somebody from the third-party’s organization like a project manager.  There’s an inter-collaboration that needs to happen. Having the ability to collaborate in a well-defined and automated way is key to maintaining good data quality that drives appropriate access.

On managing non-humans, they are a lot like third parties in they have a sponsor within the organization, they’re granted access, they need to consistently re-attest to their entities, etc. There are lifecycle processes and assurances that are needed to ensure that non-human identities are managed appropriately.

And last is consolidation and identity mastering, which is key because people often have more than one relationship with an organization. Identity mastering is the process of knowing a person is the same person that had a different relationship with the organization in the past, or even currently. A lot of organizations struggle from a consolidation perspective…

A teaching hospital is a great example- Say I’m a student at a teaching hospital today who works evenings.  I graduate, and I become a different type of employee because now I have a degree in nursing. Then I go work for a third-party nursing agency, and I’m a third-party non-employee. I’m the same person throughout these changes, but many organizations create a separate identity for each one of those relationships. We should never create an identity based on each relationship a person has, but instead we should create a single identity, manage those relationships appropriately, and consolidate that identity.

Those three things are unique use cases that that our customers bring to us and talk to us about solving with our tools.

You can experience the entire webinar by clicking here.