How do Healthcare Organizations Manage Digital Identities When They Aren’t on the Payroll?

Recently, identity industry leaders came together for the “Discover How to Manage Digital Identities When They Are Not on Your Payroll” webinar, where the discussion covered how accelerating digitization within the healthcare industry has created a greater risk of data and access-related breaches.

Below are some of the highlights of the exchange between Rob Sebaugh, Healthcare Identity Strategist for SailPoint, the leading provider of identity security for the modern enterprise, and Jen Kraxner, VP of Market Strategy for SecZetta, the leader in third-party identity risk solutions.

(Moderator) Mike DeMuth – Healthcare Director, SailPoint

Identity and identity security is a unique set of technologies that our listeners are trying to understand better. Rob, what kind of challenges are you seeing in the healthcare market?

Rob Sebaugh – Healthcare Strategist, SailPoint 

No two health systems are the same. Everybody has different processes and policies, but I am seeing a lot of commonalities across organizations.

Multiple authoritative sources tend to be the number one challenge. What I mean is, you’re employing physicians that come through your HR system. You also have affiliated physicians with practice rights, but they’re not employed by your organization, so they funnel through a different source. It’s the same with nursing, where you have both employed nurses and volunteer nurses. Depending on how your organization manages those identities, you likely have different sources of truth, which can be complicated to manage. In academic hospitals, where there are multiple affiliations and hospital systems, the complications and challenges start to compound.

Another topic I see a lot is the frequency where we see multiple roles for a single identity. One user inside your health system may have one role by day and a different role by night. Managing an identity like that across potentially legacy and dated systems is another challenge we see in healthcare.

The last point I’ll talk about is unstructured data.  Data gets downloaded out of an electronic health record (EHR), things get emailed, data gets moved around, etc. Sprawl is created, especially when it comes to business-to-business relationships, and that’s problematic.

But by far, the number one thing that pops up is the multiple authoritative sources.

(Moderator) Mike DeMuth – Healthcare Director, SailPoint

We’ve seen situations where folks could have up to 16 authoritative sources. How do you manage all those? Jen, do you see kind of similar challenges?

Jennifer Kraxner – VP, Market Strategy, SecZetta 

Definitely. And one thing to note about those multiple authoritative sources is not just that they exist, but that frequently the same person might live in many of them.

To Rob’s point about somebody really serving in multiple roles, this is something that comes up often in healthcare.  He mentioned somebody who is a volunteer at certain times, and other times they’re doing their clinicals for their degree. That person will end up coming into an identity program via several different sources. It’s important to make sure that we recognize when it’s the same person that we’re engaging with in multiple ways so that we can appropriately control their identity and their access.

Another big challenge for many healthcare organizations is that we’re tracking all the regulatory and compliance requirements around identity and access. Anything from fire certifications to understanding some physician’s credentials to simply getting an acceptable use policy or remote access agreement signed. These are incredibly important to be able to track and audit and just obtain and maintain throughout the lifecycle of someone within the healthcare system. It can be a heavily manual and error-prone effort, and a lot of time for teams to manage the process.

The result is quite often audit findings, but it can even lead to a breach if the process isn’t tracked and maintained in the right way.

A big part of the challenge, especially when it comes to non-payroll and non-employee folks, is that they’re not centrally managed. There are so many people that play a part in the lifecycle management for these people, and it’s difficult to collaborate on gathering the right information from the right sources throughout a person’s tenure.

(Moderator) Mike DeMuth – Healthcare Director, SailPoint

Jen, can you talk about SecZetta’s third-party identity management solution and what your healthcare clients are talking about?

Jennifer Kraxner – VP, Market Strategy, SecZetta 

SecZetta is focused on third party identity and risk. And that really means that we support providing an identity authority for not just third parties, but for anybody that’s in an organization that needs access that wouldn’t be considered an employee. Our focus is helping organizations get a handle on what we call “all other identities.”

This includes helping to manage lifecycle for contract physicians, traveling nurses, students, and researchers. Most folks think about contractors, service providers, or contingent workers, but we’re really expanding to make sure that we’re covering ANY type of external identity for an organization, including things like partners, affiliate clinics, etc.

Even devices, applications, and bots are all technically non-employee identities in that they need to be managed and maintained within an identity program. At SecZetta, our focus is understanding those identities from the perspective of…why are they here? …why do they need access?

It’s particularly important to understand the relationships when it comes to non-employee populations as well, i.e., to understand what vendor that person comes from, what locations they’re working, who their internal sponsor is, etc. There’s a lot to keep track of when it comes to non-employees.

From an identity perspective, it’s important that we gather the information from the right people. Finding all the right sources (internal, external, or even other systems) that need to contribute gives us a full understanding of who a person is. For example, we can take information from a credentialing system to understand a physician’s credentials, or from a contract management system to understand the status of a contract or work order that needs to have non-employees applied to it. It’s about properly coordinating and gathering all this information from the right people in an easy way.

We’ve got to make it easy on the users to be able to provide that information, as well as enforcing that the information is maintained. By enforcing that, we prevent things like a contractor coming in for a two-week project but the access they receive remaining open for two years. SecZetta helps organizations collect, maintain, and validate identity data so all authoritative information can be sent to SailPoint, so it has what it needs to properly manage the access that an identity receives.

(Moderator) Mike DeMuth – Healthcare Director, SailPoint

Rob, how do SailPoint and SecZetta work together to complement each other?

Rob Sebaugh – Healthcare Strategist, SailPoint

SecZetta gives you the ability to have an authoritative source for all these third-party folks that you have in your network or environment. And if you marry that to SailPoint, which is connected directly to your HR management system, and potentially to your credentialing system and learning management system, it helps you understand the why, the what, the when, the how.

Bottom line is we together can help aggregate information from various sources of truth. You might be an employee by day and student by night and you might have an employee ID or employee network account and a student network account, each with different roles and accesses that need to be managed. We can correlate that information into a single system on the back end, help manage and certify that access and ensure that access is correct even as folks move around your organization.

So as a collective, we provide value and a level of insight across all your various authoritative sources and populations, aggregated down into a consolidated system that provides visibility, easy ways to request and approve access, certify access, and ultimately reduce risk.

(Moderator) Mike DeMuth – Director, Healthcare, SailPoint

This really summarizes a lot of synergies that we’ve been talking about. So, one other question as you think through kind of a joint implementation here— what advice would you give on how to prepare?

Jennifer Kraxner – VP, Market Strategy, SecZetta

Number one, make sure that you’re identifying the broad range of populations, and figure out exactly who needs to be part of your identity program. Get a handle on what are all the other identities that are on top of your workforce population.

And then understand who the stakeholders should be— understanding that there are a lot of different people that play a role in existing processes as well as other technologies that are also in play, like ticketing systems and databases.

Get a true understanding of who all the players are and what their current challenges are so you can take a holistic approach to make sure that those factors are all being considered as you move forward.

You can experience the entire webinar by clicking here.  You can also experience the SecZetta-SailPoint integration first-hand by taking a self-guided tour to see how easy it is to onboard a new third-party non-employee with our combined solution. 

*** This is a Security Bloggers Network syndicated blog from Industry Blog - SecZetta authored by SecZetta. Read the original post at: https://www.seczetta.com/how-do-healthcare-organizations-manage-digital-identities-blog/