Data is an all-important resource in healthcare. Caregivers and payers depend on data to make clinical, operational and financial decision every day. However, as the volume and value of data grows, so does the threat of data breaches.
In a webinar hosted by Becker's Hospital Review and sponsored by Imprivata, Wes Wright, the company's chief technology officer, discussed identity and access management, a key component of keeping data safe and in the hands of only those who can be trusted with it.
"No longer can we depend on ACLs or VLANs or, god-forbid, firewalls to keep [our data] safe," Mr. Wright said. "It's the veracity of that digital ID that's key and knowing what [an] ID can and can't or should access that is truly the new perimeter that keeps our data and our patients' data safe."
Identity and access management has three main pillars: identity management; access, authentication and authorization; and governance and compliance. It is no longer just about onboarding a new employee and making sure they have their IDs and access to the data they need; rather, it is a continuous process to make sure employees and non-employees don't have unnecessary access to data. Modern identity and access management also requires a robust governance system that allows systems to keep tabs on who has access to what data and who is granting employees access to that data, said Mr. Wright.
Identity and access management in healthcare has unique challenges
Most industries today cannot survive without data and are challenged to keep that data secure; however, healthcare presents a unique set of challenges to data security.
Connie Barrera, chief information security officer at Jackson Health System in Miami, said that the sheer number of applications and systems used in healthcare is overwhelming. Many of these apps don't have the core capabilities with regard to user IDs and passwords, leaving health systems to make do with a bare bones security framework.
Another issue is the make-up of the workforce in healthcare, said Ms. Barrera. It is a fluid workforce, with caregivers in the same roles often shifting between hospital units and sometimes, within facilities in the same health system.
"A nurse is not a nurse everywhere," Ms. Barrera said. "A nurse that works in the intensive care unit may have very different needs from someone in behavioral health. Even nurses on the same floor, some may have administrative tasks that their peers do not. So really understanding the exact use-cases that are needed for the different employees even within the same resource type is really huge."
Additionally, personnel from outside agencies often require access to data, presenting another authentication and authorization challenge with regard to making sure the data is safe even outside the organization. For example, Ms. Barrera noted that Jackson Health System, being a county entity and an academic medical system, is often inundated with data requests from payers and researchers.
A healthcare-specific identity and access management is necessary for healthcare organizations to overcome these unique challenges. Solutions created for other industries, such as manufacturing, cannot offer healthcare facilities the flexibility they need, said Mr. Wright.
How privacy regulations are affecting access management strategies
According to Mr. Wright, every identity and access management strategy should have the governance, reporting and compliance piece at its core. Organizations need to have processes in place to make sure they are compliant with the latest regulations and processes to prove that compliance.
"It really is about what you can prove, not about what you did," he said. "Granted, you have to do things… but you also have to be able to prove that you did that, and that you are doing that on an ongoing basis."
However, government regulations dictating how healthcare organizations need to protect data and report compliance is just one aspect of data security. New privacy acts are being created to give patients greater access and control over their data, and healthcare organizations need to make sure they are giving appropriate access to the right person.
One such act is the California Consumer Privacy Act of 2018. Jake Dorst, chief information and innovation officer at Tahoe Forest Hospital System in Truckee, Calif., said positive patient identification is key to ensuring compliance with the act, which allows patients to gain information regarding who has their data and who it is being shared with.
"If I've got a medical record number with three or four people attached to it, how do I actually provide that information and am I providing it to the right person," Mr. Dorst said.
Hospitals and health systems need to implement solutions that allow them to perform positive patient identification, so they can make sure they are giving the correct information to the correct person.
Managing burnout and exhaustion caused by access certification
Providers must constantly reenter logins and passwords on various systems, while trying to manage patient care. This can contribute to frustration and burnt out.
Mr. Dorst said his facility mitigated burnout related to access certification by implementing an identity management and single-sign-on solution. The key is to implement tools that don't require providers to login and re-login 20 to 30 times a day. The tools should help providers streamline their workflow, thereby helping to fight fatigue.
"[The EHR] has become the de facto symbol of physician burnout, whether it truly is or truly isn't, but I think perception is reality and putting the systems in place that can help them access these [clinical] systems quickly and correctly is a big boon," he said.
In this day and age, data is king, and healthcare entities must do everything possible to protect patient information. A robust identity and access management strategy and system may be just the partner health systems need.
To learn more about Imprivata Identity and Access Management solution, click here, and view the full webinar here.