Monthly Archives: July 2014

The Role of Identity Management in Protecting Patient Health Information


Post by Azam Husain


Senior Product Manager, Caradigm

Last week, Mac McMillan presented a webinar through HIStalk on the role of identity management in safeguarding patient health information. Mac is the co-founder and CEO of CynergisTek, Inc., a firm specializing in information security and regulatory compliance in healthcare. He is considered a thought leader in privacy and security with over 30 years of experience in public, private, and non-profit institutions. Mac is also the current Chair of the HIMSS Privacy & Security Policy Task Force and was recognized in 2012 as a HIMSS Fellow.

In Mac’s presentation, he talked about three primary things:

  • The importance of identity management and its role in supporting a provider organization’s operational management of user access
  • How an effective identity management program supports compliance with regulatory requirements
  • Identity and access management as a proxy for an organization’s ability to conduct audits and run investigations

Mac explained that there has been exponential growth in user identities over the last several years, creating a perfect storm of provider problems managing access to clinical applications and data. Mac articulated three trends that are most acutely affecting providers today:

  1. Compliance with regulations like HIPAA
  2. Managing increasing threats to the organization such as inappropriate access and data breaches
  3. Maintenance costs for provisioning and managing user access

Healthcare ecosystems involve an unprecedented number of systems and applications. Hospitals also have a complex and fluid workforce. New clinicians, interns, and residents flow in and out of the organization throughout the year. This can place enormous operational and compliance burdens on the provider organization.

The consequences of these trends are a diminished user experience with increased wait times for access, help desk frustrations, and more compliance incidents. Mac argued for a more thoughtful approach to managing user access to clinical applications and data by employing identity management technologies that can address these trends.

Identity management systems codify and store organizational policies on roles and entitlements, including:

  • User information
  • Policy information
  • Organizational role data
  • Transaction data

This data can help compliance managers respond to audit events. Role-based access controls (RBAC) are a critical component of identity management systems, aligning access to the role the user plays within the organization. This can safeguard access to clinical applications and data. Identity management systems can integrate RBAC into the lifecycle of the user at the organization. Managers can quickly provision a new hire using pre-defined roles, streamlining the provisioning process and reducing the potential for over-granting access rights.

Many of the capabilities that Mac spoke of during the webinar are central to Caradigm Provisioning:

  • Provisioning’s control mechanisms enable role-based access to clinical applications and data, ensuring that only the right people have access. This eliminates risks such as orphaned accounts and over-provisioned user access.
  • Provisioning’s password management capabilities allow uniform enforcement of secure password policies to enhance security.
  • Provisioning also addresses operational issues, ensuring that users are set up in the appropriate clinical and business applications on day one.

View the HIStalk webinar to hear Mac’s full discussion.
