SecZetta’s Customer Leader Webinar Series

Recently identity leaders from AdventHealth, one of the largest non-profit health systems in the nation, lead a discussion as a part of SecZetta’s Customer Leader Webinar Series.

Healthcare organizations of all types, including hospitals, utilize a large and diverse number of third parties, from students to doctors to affiliate partners to bots, each of which support the goal of creating a market-leading patient experience that’s rooted in satisfaction, safety, and privacy. Many healthcare organizations have found that managing these third parties and the associated access to facilities, systems, and patient data they require can be particularly challenging.

That’s why AdventHealth shared insights into the evolution of their third-party identity management processes from start to present, including the unique challenges that arose from the global pandemic, along with future plans and best practices learned from their journey.

Chrissy Booth, Identity & Access Management Manager, AdventHealth
We’re excited to share our journey here at AdventHealth on how we progressed from a homegrown non-employee system to our cloud hosted lifecycle and collaboration solution. Over the past several years, non-employees have increasingly become a larger percentage of our workforce. This is a common trend in in healthcare, particularly with the critical need for additional healthcare personnel over the past two years.

We needed an efficient and manageable way to onboard and off-board our non-employees for several reasons, including:

• Reducing our risks and costs.
• Efficiency during a difficult time (the pandemic).
• We needed the ability to bring thigh performing non-employees into our organizations as future employees.

With over 50 hospitals, 1,200 outpatient facilities, and 8,200 licensed beds in 9 states, our 83,000+ employees serve over 5.5 million patients annually. Our non-employees are also referred to as contingent workers (or CWRs), and they’ve become a critical part of AdventHealth’s workforce.

As of today, we have 35,000+ contingent workers that fill 43,000+ job roles across our enterprise. To define the 43,000 positions, we have non-employees that are assigned to multiple job roles. For example, imagine an agency registered nurse that’s also studying to become an advanced practice registered nurse (PRN). In this scenario, one contingent worker counts in two job roles.

Historically, we managed our non-employee personnel in our HR system. But over time, this became inefficient because:

• Our HR system didn’t incorporate a way to associate non-employees to our business contracts or provide our office locations.
• We couldn’t easily provide the ability to attest that a non-employee was still actively working on an assignment every six months, which is an audit requirement for us.
• We couldn’t assign a third-party delegate to manage non-employees in hospitals.

Our key takeaway here is that our employee HR systems were not designed to manage the volume and complexities of our non-employee workforce. To meet our needs, the AdventHealth identity and access management team was asked to build a homegrown system to manage all AdventHealth’s non-employees..

David Moosavifazel, Director of Identity and Domain Services, AdventHealth
To give more context and background, a lot of the drive for that “Non-employee Center”, as we called it, was driven by the fact that HR didn’t have the resources or the capacity or even the tools to manage our growing and complex non-employee workforce. So, it came down to us trying to identify and quickly pivot to creating something that allowed us to decentralize our management of these non-employees and the  locations and the people that they were working with.

Initially, the homegrown system got us where we needed to go. But it became apparent quickly that there was a lot of gaps in what we were able to build ourselves. Problems included:

• The absence of a good mechanism for external registration.
• Our UIs were very code heavy, so we needed developers to be engaged and building all the different views that we needed to see.
• The auditing wasn’t the greatest, and it was a struggle for us to figure out when things changed and who changed them.

So that drove us to start to looking for something more beneficial and would help drive the business. We really started to look at things like document management and the ability to give our users the authority to manage their own population, and even some of our vendors the ability to manage their own contingent workers. That led us to SecZetta.

Chrissy Booth, Identity & Access Management Manager, AdventHealth 
Every member of our identity management team had at least one task and played a part in the successful implementation of SecZetta. I am so happy to share kudos with our entire AdventHealth identity management team, our non-employee support team, and SecZetta’s customer engagement team. Since implementation we’ve had multiple successful system upgrades, including acquiring a region of 3,000+ contingent workers in March 2022.

Our non-employee support team now has four full-time team members that maintain the contingent worker approval queue, work through support tickets, and provide daily education to non-employee sponsoring managers. In addition to the four team members and myself, we also have two identity management analysts and two engineers that spend a high percentage of their time assisting with supporting contingent worker data updates as well as test for upgrades and workflow migrations. While I was putting this presentation together, I calculated that our new positions created is now over 1,100 weekly.  The team does a lot – from reviewing and approving requests from the non-employee sponsors to working on deactivating non-employees.

With SecZetta, we were able to:

• Cut out two internal systems, as well as implement an external portal for our non-employees to self-register. This was a huge win for us from every angle; time, effort, financial, privacy, and security.
• Now that SecZetta has been implemented, our sponsors can send an invitation to the non-employee, and they can register without sending their personal identifiable information over email. The sponsor simply acquires their name and personal-professional email.
• From there, they send an invitation for the non-employee to complete their self-registration, including our security and privacy acknowledgments that we require that they read and accept electronically.

We’re continuing to learn how to best leverage our tools daily to perform our own system enhancements. Also, SecZetta’s Customer Leader Program set us on a path to collaborate with other customers in the SecZetta network to access and share expert insight and best practices.

I’d like to wrap by sharing some of our upcoming highest priority future goals, which are:

• Working with SecZetta to implement the ability to dynamically search our identity repository for duplicates.
• Integrate the ability to affirm an identity during the CWR onboarding process, known as Identity Proofing.
• Take advantage of the Risk Management Rating feature within SecZetta.
• Once the business is ready, we will implement the ability for our trusted sponsors to promote CWR supervisors outside of our organization with the ability to manage their own user population, which is referred to as a delegated administrator process.
• And of course, we will always continue to improve the experience for our sponsors, CWRs, and the non-employee support teams who use this system daily.

Thank you so much for your attention today. I hope that hearing our journey assists in any future decision making for managing your non-employee contingent workers!

More About SecZetta:
SecZetta’s solutions enable organizations to execute risk-based identity access and lifecycle strategies for diverse non-employee populations. Because the solution is purpose-built, it’s uniquely able to manage the complex relationships organizations have with non-employees in a single, easy-to-use application that simultaneously helps facilitate commercial initiatives, support regulatory compliance, and reduce third-party risk. For more information visit, SecZetta.com, schedule a demo, or take a self-guided product tour.

You can watch the entire “Healthcare Variant – Harmonizing Third-Party Identity Risk” webinar here, which will provide you with:

• More details on AdventHealth’s architecture, and exactly how they utilize SecZetta in their non-employee’s lifecycle processes.
• Specifics about AdventHealth’s implementation timeline with SecZetta, including how it was impacted by COVID.
• How AdventHealth classifies their non-employees.
• More background on AdventHealth, our speakers, and SecZetta.