Monthly Archives: August 2017

Evaluating an Identity Governance and Administration Solution for Healthcare

Post by John Lammers

Vice President and General Manager of Identity and Access Management, Caradigm

In this post, we’ll explore the unique challenges that healthcare organizations face in the arena of identity governance and administration. In a follow-up post, we will review what to look for when choosing a solution for your healthcare organization.

Before we discuss challenges, let’s lay out what we mean by identity governance and administration. Gartner’s Magic Quadrant Report for Identity Governance and Administration[1] defines this as a set of identity management capabilities including: managing identity life-cycles, managing entitlements, and handling access requirements.

Accomplishing these objectives effectively requires more than just these goal-centric capabilities. There’s a set of supporting capabilities that you need to enable your organization to accomplish identity governance and administration effectively: for instance, workflow orchestration, mechanisms to certify the correctness or appropriateness of the data, and a rich set of auditing, reporting, and analytics capabilities. In the healthcare environment, where change is the norm, it is key to automate and unify as much of this as possible.

Gartner’s Magic Quadrant for Identity Governance and Administration and the Healthcare Providers Context

Many people rely on Gartner for guidance when searching for technology providers, and the go-to report is Gartner’s Magic Quadrant, which ranks vendors along two axes: ability to execute and completeness of vision. But did you know that the Magic Quadrant for Identity Governance and Administration only evaluates horizontal technology vendors? This means that, if you’re only looking at the Magic Quadrant, you’re missing companies that focus solely on a single vertical, such as healthcare.

Recognizing the unique needs of the healthcare vertical, Gartner has included a “Healthcare Providers Context” section in their Magic Quadrant Report for Identity Governance and Administration, and Caradigm is included as a “notable vendor”—the only one on the list that focuses exclusively on healthcare. This section of the report discusses the regulatory and integration challenges that set healthcare apart and provides guidance on what to look for when evaluating identity governance and administration solutions in a healthcare context. At Caradigm, we believe that our choice to focus solely on healthcare is our strength and one of the key differentiators of Caradigm Identity and Access Management.[2]

What Makes Healthcare Unique?

The nature of a healthcare organization’s workforce, processes, and information systems presents unique challenges. On top of this, healthcare organizations face an evolving regulatory environment, an ever-increasing threat from data breaches, and the cost of compliance and continual risk assessment.

Complex Staff and Identity Lifecycles

Change has become the new norm for healthcare organizations. In recent years, we’ve seen a 70% increase in merger and acquisition (M&A) activity.[3] Even outside of M&A activity, many healthcare organizations have staff members that come and go or change roles over time. For example, it’s common in teaching hospitals to have a large number of staff entering or leaving the organization or changing roles over a short span of time. Similar issues can be observed in the use of specialty practitioners. All of this adds up to complex identity life cycles in the healthcare space.

Flexible and Scalable Role Requirements

Healthcare isn’t an industry where you can cover your organization with a half-dozen roles. Organizations can have hundreds or even thousands of roles representing different specializations and different parts of the business. Just as M&A activity complicates identity lifecycles, it can result in an explosion of roles until the organizations involved reconcile them.

Diverse and Continuously Evolving Technology Ecosystem

Healthcare organizations are notorious for being late adopters of technology. But they’re also known for finding a way to react to emerging needs without disrupting reliable, critical systems. The result is a diverse technical landscape. A survey of accountable care organizations found that nearly 60% used multiple EHRs, and nearly 40% of medical practices have replaced or are considering replacing their existing EHR.[4] The mix of old and new systems means that your identity management solution must integrate with a wide breadth of technologies. Initiatives to standardize on large, increasingly capable EHRs have reduced the number of applications in use, but most organizations continue to utilize many applications due to the value of specialty applications and best-of-breed approaches in areas strategic to the organization.

Proactive Risk Mitigation and Breach Defense

Healthcare continues to be hit hard by data breaches, and while incidents of hacking dominate the news, the most frequent cause of breaches is not hacking but inappropriate access by insiders.[5]

Against this backdrop, it’s critical that your organization have measures in place to guard against inappropriate insider access. Rapid and complete de-provisioning of accounts is essential, as is conducting periodic reviews of the privileges assigned to roles or individuals and taking a proactive approach to detecting and remediating anomalies.

Selection of a Technology Partner is Key

A strong identity governance and administration strategy enables you to evolve your organization while maintaining compliance and preventing breaches. Selection of a technology partner is key, and looking to industry analyst reports and rankings can be a great first step. For an industry as unique and complex as healthcare, it’s essential to read the fine print before shortlisting vendors. In a follow-up post, I will review some of the key features and functions of the capabilities needed to safeguard your organization and establish a quality identity governance and administration strategy for your teams.