A framework for digital identity in healthcare

In complex, varied enterprises, digital identity is foundational to security and the user experience.

During a December Becker's Hospital Review webinar sponsored by Imprivata, Wes Wright, chief technology officer of Imprivata, discussed identity management concerns with two leading health system CIOs:

• Cara Babachicos, senior vice president and chief information officer, South Shore (Mass.) Health

• Arthur W. Harvey III, senior vice president and chief information officer, Boston Medical Center Health System
  
  

Five key takeaways:

1. Digital identity management is central to the modern enterprise, but identity is currently fragmented. Digital identity plays a central role as the healthcare enterprise evolves from a clear perimeter to a complex web of connections among hospitals, providers, patients and ACOs. Identity becomes the "new control plane," Mr. Wright said. "Managing identity is fundamental to cybersecurity and personalization. Unless you control access to data, you are vulnerable. You control access by managing digital identities."

   Imprivata, a digital identity company, is building a digital identity framework for healthcare in a fragmented environment of disparate applications and tools. Consolidating overlapping systems serves the twin goals of health systems: security and a good user experience.

2. Organizations refer to Imprivata's framework to avoid overlooking key elements of identity. Imprivata's digital identity framework captures dozens of capabilities into four categories.

   - Governance and administration. The "nervous system" that ties components together.

   - Identity directories. The "heart" of identity and access management, with an authoritative identity store addressing      details about each identity, including roles, accounts, attributes and privileges. 

   - Authorization. Determining privileges based on user roles, rights and responsibilities. 

   - Authentication and access to systems and resources.
   
   

   This framework is useful to health systems. "It doesn't need to be prescriptive; just give me guidance so I can make sure I'm not missing something," Mr. Harvey said.

3. Identity management is foundational to the enterprise. Vulnerabilities that start with identity management proliferate through the system. "Everything that starts in identity perpetuates itself," Ms. Babachicos said. "If your identities are incorrect, then your authentication and all those pieces and parts can be hard to manage."

   Effective identity management enables automation, increases productivity and improves accuracy. Large IT projects, such as cloud migration or merger integration, offer opportunities to clean up past errors. But leveraging these opportunities is not always easy and can add time. Moreover, high-fidelity identity is an ongoing responsibility to maintain, requiring resources and planning.

4. Organizations face governance choices for identity management. The organizational structure for identity and access management varies, with some organizations locating it with the chief information security officer and others in the chief technology officer organization. There is merit in each: the CISO aligns with risk and the CTO advances operations. "There's not a right or wrong answer. The key is your CISO and CTO have to work together," Mr. Harvey said.

5. Access controls can use elements of zero trust architecture, but it is not sufficiently mature. ZTA may be the future, but today's enterprises are advancing in steps. "Most of our risk is from third-party vendors," Ms. Babachicos said, so it is critical to interrogate vendors and only integrate those that have implemented security. Elements of ZTA in practice today are interrogating devices at the firewall or VPN to ensure they are updated and utilizing behavior analytics to alert to anomalies.

In an increasingly complex enterprise environment, digital identity management is vital to security, productivity and personalization. Although digital identity is currently highly fragmented, it is important for organizations to consider identity management holistically.

To register for upcoming webinars, click here.