Monthly Archives: September 2017

What to Look for in an Identity Governance and Administration Solution for Healthcare

Post by John Lammers

Vice President and General Manager of Identity and Access Management, Caradigm

In my previous post, I discussed the unique challenges that healthcare organizations face in the arena of identity governance and administration. In this follow-up post, we will review what to look for when choosing a solution for your healthcare organization.

First, let’s review what we mean by identity governance and administration. Gartner’s Magic Quadrant Report for Identity Governance and Administration[i] defines this as a set of identity management capabilities including: managing identity life-cycles, managing entitlements, and handling access requirements.

There are many supporting capabilities that are required to go from a set of point technologies to a fully-integrated solution for your organization, for instance: workflow orchestration, data validation, auditing, and reporting. In the healthcare IT environment, reach is quite important as well given that healthcare organizations utilize many disparate systems to provide the best possible patient care. Integrating those systems into a common process while automating as much of the identity management and identity governance activity as possible is essential, both to guard against breaches and to ensure that clinicians have secure and appropriate access to the applications they need from day one.

The following are identity governance challenges presented by the healthcare environment and what you can look for in a solution to address each of these.

Complex Staff and Identity Lifecycles

If you’re a typical hospital, change is your new normal. You have visiting specialty practitioners, students who come and go in waves and roles changing regularly. In recent years, we’ve seen a 70% increase in merger and acquisition (M&A) activity.[ii] All of this adds up to complex staff and identity life cycles. To mitigate the one-off and not-so-one-off changes, a strong solution is needed to support your organization’s control.

What to look for:

  • Workflow capabilities that help you orchestrate all of the activities within your processes
  • Unification of the human and automated parts of the process, so that you avoid identity management activity happening outside of and invisible to your process
  • Support for large inflow or outflow of staff in a short time
  • Support for staff members with changing roles or multiple roles

Flexible and Scalable Role Requirements

We see it over and over in our work with healthcare organizations. Different specializations, different sites, different systems and processes. It all adds up to a need for strong role management.

What to look for:

  • Ability to handle large numbers of roles
  • Ability to model your organizations roles and policies
  • Ability to detect outliers and inconsistency in roles
  • Ability to take action to resolve inconsistencies

Diverse and Continuously Evolving Technology Ecosystems

Healthcare IT organizations strive to deliver the highest quality, most capable systems to clinical staff. Taking advantage of innovative and best-of-breed tools leads to a diverse and continually evolving ecosystem of technologies. It’s critical that your identity management and identity governance solution encompass all your systems. One-off approaches to access control, auditing, and provisioning/de-provisioning accounts leads to situations where a clinical user has access to some of the applications they need; or when leaving the organization, have their access removed from some of those applications. This results in lost visibility, but also the potential for lost productivity and even security breaches. You need a solution that puts all your systems under a single identity governance process, and because that’s always easier said than done, the solution needs to give you a way to cover the basics right away, and then deepen integration (i.e., add automation) as time allows and based on ROI.

What to look for:

  • Ability to integrate with multiple HR systems
  • Ability to integrate with diverse IT support management ticketing systems
  • Flexible integration with of a diverse set of EHR (Electronic Health Record) systems, including systems that don’t provide easy remote access, such as systems without APIs, pre-accessibility era web applications, native apps, and even green screen systems
  • Facilities allowing you to handle operations manually and automate on your own timetable, while incorporating manual operations within a single, unified identity management process
  • Tools that put automation in the hands of your staff by making it easier to integrate applications
  • Services available to augment the capabilities of your staff

Scale and Criticality

Scale and high-availability matter to everyone, but every organization is unique in its specific needs. You need options that cover your scenarios today and will flex to accommodate changing needs.

What to look for:

  • Ability of the vendor to articulate their approach to high availability
  • Flexibility in the approach to disaster recovery and to services to guide you as you build your disaster recovery plan
  • Horizontal scaling (more capacity at a single location)
  • Geographical scaling (distributing capacity so that it’s near the users)
  • Throughput scaling (ability to handle bursts of high demand on the system)
  • A history of operating at scale in real production environments

Proactive Risk Mitigation and Breach Defense

No one wants to be in the news as the organization that just experienced a breach. No one wants to sideline valuable employees digging out information in response to an audit. Healthcare organizations must integrate risk mitigation into their day-to-day operations, and your identity governance solution can facilitate that.

What to look for:

  • Risks presented in a way compliance officers and managers can understand
  • Ability of take immediate action on a risk
  • Ability to leverage data to cross-check access that should be happening with access that’s truly occurring
  • Ability to integrate with complementary products, such as Fair Warning
  • Ability to create your own reports to surface risks unique to your organization
  • Audited workflow for all account actions
  • Support for scheduled, system-mediated and audited reviews of user privileges by managers and compliance staff


Over these last two posts, we’ve discussed the special challenges that identity management and identity governance present for healthcare organizations and what you should consider when evaluating solutions. Formulating your strategy for identity management and identity governance requires that you solve a multi-dimensional problem. At Caradigm, we address healthcare identity holistically. The importance of this approach is that we’re able to ensure that each aspect of the solution works with and complements the others. We have two decades of experience in healthcare identity and have assembled the industry’s only single-vendor identity and access management suite that covers the entire scope of identity management, secure access, and identity governance. To learn more about Caradigm’s solution to healthcare identity and access management, visit us at