Worried CISOIn this final part of this 3-part article, we discuss some of the considerations that the CISO of a healthcare organization should take into account as their IAM program gets under way.

Note: while we use the CISO as the target audience, we really mean senior IT management responsible for IAM within the organization.

What should a CISO consider?

First off, congratulations! You are likely the first or second person in your post in this history of your organization, and you are coming into an industry that has not historically embraced security or IT all that much, so your efforts will show immediate impact no matter what you do. Also, chances are that you were brought in to fix things that are broken, and do so quickly, which means you will get access to funding. You are expected to deliver with unbelievably aggressive timelines since the organization is already behind schedule in meeting the Meaningful Use criteria timelines, and it is desperately trying to catch up after realizing that security and privacy are an important part of meeting the requirements.

Moreover, you have the opportunity to dramatically change the way healthcare services are provided and have a direct impact on patient and providers’ experiences in receiving or providing care, more than in many other industries where you likely worked before (financial services, government, etc.). So, you must be very excited about the challenges ahead. This is going to be a historic and fun ride.

As you commence this journey, here are some items to consider, specifically for your IAM program:

  1. Remember, it is a program, not a project. IAM is a long-term initiative, more like a marathon, not a sprint.  Not understanding this notion is one of our top ten pitfalls in IAM that should be avoided.
  2. Understand your end users. They do not understand security very well. They are interested in getting access to the systems they need promptly, without any delays, A doctor without egosince this would otherwise impact their day-to-day job, and literally this could be a life and death situation. There is high turnover in some areas, some access the systems very sporadically, many work at more than one facility, many of them have big egos (<sarcasm>I am not specifically singling out some physicians out there, since none of them have egos</sarcasm>), but they are very important end users and they need to be “happy” with the IAM capabilities you rollout. Otherwise you will hear about it, believe me. Remember, IAM needs to be an enabler not an obstacle.
  3. Embrace change. For the next few years that’s what the game will be. Frequent M&A, a new tablet or smart phone being used in the ER every month, and expected to integrate with your existing clinical systems. Plan for a flexible and resilient architecture. For example, we Embrace Changerecommend that our healthcare clients invest in a virtualization and governance solution for their Active Directory (AD) environment. AD is, by a long shot, one of the most pervasive and significant identity stores in the organization and it is imperative that the quality of its data be as high as possible. Waiting for the AD consolidation project to complete before applications and systems integrate with the AD environment is not realistic, so you will need to create a virtualization and governance layer on top of your AD environment to shield applications and systems from the complexity underneath it.
  4. As you focus on improving the end user experience, do not lose sight of the goals of your IAM program: enhance privacy and effectively govern access to sensitive informationfocus on the goal. Since SSO is likely already one of your identified [and hopefully budgeted] projects, ensure that you are not just putting a band-aid in place, but that rather you leverage this project to launch more strategic capabilities and build a solid foundation for the future. A common pitfall is to pursue SSO as the goal for an IAM program and then forgetting to clean up the mess underneath it (orphan accounts, non-compatible password policies, no way to map users across systems, etc.). Our recommendation is that you embark on a strategy that:
    1. Delivers reduced sign-on or SSO to the most critical systems (based on your data classification criteria)
    2. Ensures identity data is well-mapped so the user is known consistently and reliably across all systems
    3. Whenever possible leverages a common set of credentials (likely the AD credentials), and when this is not possible, leverages password synchronization and self-service to simplify the number of credentials to manage, and ensure that password policies are enforced consistently
    4. Integrates cleanly with your provisioning infrastructure so that user accounts are created appropriately where they are needed, and are automatically mapped so to achieve SSO.
    5. Since you are going to roll out SSO for clinical systems, considers coupling SSO with context management (i.e. all clinical applications the user is accessing understand that this user is viewing the records for patient X). This will help you deliver greater value to the end users.
    6. Takes into account your authentication mechanism requirements. If you are going to rely on the user’s badge to authenticate, ensure that the issuance and lifecycle management for the badge (including PIN reset) is solid, consider whether or not your environment is able to make use of the badge (i.e. do all systems have readers?), and if they cannot, consider alternative means to log in that achieve the same level of identity assurance. This is an area where innovation is making headway, and as I discussed in a previous article, but often times organizations end up over spending without any additional benefit in risk mitigation or user convenience – it is important to really understand risks.
  5. Mitigate risks… from all angles. Beyond the obvious risk mitigation that security and IAM will bring to the organization, it is important to also look at operational risks Avoid risks(i.e. how do you keep the IAM infrastructure running well after it is in production? Is your organization ready or equipped to effectively run and support the IAM infrastructure?). In addition, given the high expectations, low tolerance, and unrealistic timelines that are expected from the IAM program, the CISO should consider how to mitigate implementation and deployment risks. There is very little room for error. Nowadays, there are many ways to deploy and operate an IAM infrastructure which significantly differ from the traditional, SDLC-approach. I have discussed some of the merits of a managed services model for operations management of an IAM infrastructure, and more recently about the approaches that we provide to help reduce implementation risks and shorten time-to-value. The bottom line is that in healthcare, the IAM program is off to a tough start, and hence, it makes sense to minimize any additional risks in the implementation, deployment and operations side wherever possible.
  6. Budgets are tight. Even though initiatives are funded, economic conditions, CapEx vs. OpExcompetition and the pressure to lower healthcare costs will put significant pressure on budgets to fund IAM projects and the program as a whole. Hence, CISOs should consider the benefits of an OpEx-heavy approach (aligned with a pay-as-you-go model) vs. CapEx (mostly paying upfront). There are economic advantages of going with one vs. the other, and the good news is that there are options to be able to have a successful IAM program using either of these models today, which did not exist say 2 years ago.
  7. Your program needs to align with the business. At the end of the day, the goals of the IAM program need to be aligned with that of the healthcare organization at large: providing the best health care at the right price. This means that metrics will be very important in supporting the case of an IAM program. Having visibility into how IAM is helping reduce the cost of treatment per patient, or reducing delays when providing services, or improve overall patient satisfaction will be vital in ensuring that the IAM program does not lose importance. Ensure that you can produce business metrics from operating your IAM infrastructure.

In closing…

These are just some insights that we have gained from having done numerous IAM implementations for medium and large healthcare organizations.  As always, they are informed and biased based on our experiences and while we believe that they should generally hold for most organizations in the healthcare industry, as the saying goes “your mileage may vary”.

For those that have already embarked on this journey, has your mileage varied?   How much and where?  And for those who are just getting underway, how are you planning your deployment strategy relative to the thoughts laid out above?  I’d love to hear your thoughts and feedback.


Health Quest Success Story Whitepaper

Frank Villavicencio

Frank Villavicencio