In part 1 of this 3-part article, we introduced the macro forces that are driving a shift towards efficiency in healthcare, and argued that these forces will have a direct effect on IAM. In part 2, we speculate on what specific consequences are in store for the coming years.


We anticipate that the following activities will intensify in healthcare over the next years:


Consolidation

Consolidation was already well under way, but since the Patient Protection and Affordable Care Act (PPACA) was signed into law in 2010 there has been a significant uptick in M&A activity among healthcare companies in the US.

For the CISO, this means that strategic and operational planning should assume frequent M&A. Having a program for integrating acquired organizations in a way that preserves or increases visibility and access control will be key. The CISO's strategy should treat all security functions, including IAM, as shared services available to the whole organization, rather than keeping siloed operations with disparate processes and redundant technologies.


Standardization

Inevitably, healthcare organizations will need to standardize their application footprint, both IT infrastructure (email, file shares, productivity software) and clinical systems (PACS, ancillary systems, etc.).

This will be necessary to reduce costs, but also to allow the organization to scale its processes and maintain the appropriate balance between user productivity and policy-based access enforcement. Moreover, standardization is an important step towards achieving interoperability in the long run, which is a key goal of the meaningful use criteria.

For the CISO, this will mean having an enterprise architecture and governance function in charge of defining and evolving the IT, IAM and application architecture in a way that addresses the present and future business needs of the organization.

Part of the criteria for application selection will have to be the application's ability to integrate easily with the organization's existing IAM infrastructure, so that lifecycle processes such as user on-boarding, termination, transfers, leave of absence, audit reporting and access recertification can be enforced consistently throughout the application landscape, particularly on high-sensitivity applications and systems.
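What "consistent enforcement throughout the application landscape" looks like in practice is a reconciliation step that compares the HR system of record against every application's enabled accounts and turns each discrepancy into a joiner, mover, leaver or leave-of-absence action, plus a recertification queue for the high-sensitivity systems. The following is an added example written for this article, not code from the original page or from any vendor; the role-to-entitlement model, application names ("ehr", "pacs"), worker statuses and all user IDs are assumptions and constructed sample data.

```python
"""Joiner/mover/leaver reconciliation across application account exports.

Added example, not from the original article: the HR feed is the source of
truth and each application's enabled-account export is compared against it.
All IDs, roles, apps and entitlements are constructed; the role model is hypothetical.
"""
from dataclasses import dataclass

# Hypothetical role-to-entitlement baseline per application (normally held in the
# IAM policy store). Apps in HIGH_SENSITIVITY get escalated rather than batched.
ROLE_ENTITLEMENTS = {
    "physician": {"ehr": {"chart_read", "chart_write", "order_entry"}, "pacs": {"image_view", "image_report"}},
    "nurse": {"ehr": {"chart_read", "chart_write"}, "pacs": {"image_view"}},
    "billing": {"ehr": {"chart_read"}},
}
HIGH_SENSITIVITY = {"ehr"}


@dataclass(frozen=True)
class Worker:
    user_id: str
    role: str
    status: str  # "active", "leave" or "terminated"


@dataclass(frozen=True)
class Finding:
    app: str
    user_id: str
    kind: str  # "orphan", "suspend", "excess", "lacking" or "missing"
    detail: str
    severity: str


def reconcile(hr, app_accounts):
    """hr: user_id -> Worker; app_accounts: app -> {user_id: set(entitlements held)}."""
    findings = []
    for app, accounts in app_accounts.items():
        sev = "high" if app in HIGH_SENSITIVITY else "medium"
        for uid, held in accounts.items():
            w = hr.get(uid)
            if w is None or w.status == "terminated":  # leaver or orphan
                findings.append(Finding(app, uid, "orphan", "disable: no active HR record", sev))
                continue
            if w.status == "leave":  # keep the account, suspend access for the duration
                findings.append(Finding(app, uid, "suspend", "worker on leave of absence", sev))
                continue
            # mover: entitlements must match the current role, not the previous one
            expected = ROLE_ENTITLEMENTS.get(w.role, {}).get(app, set())
            excess, lacking = held - expected, expected - held
            if excess:
                findings.append(Finding(app, uid, "excess", f"revoke {sorted(excess)}", sev))
            if lacking:
                findings.append(Finding(app, uid, "lacking", f"grant {sorted(lacking)}", "low"))
        for uid, w in hr.items():  # joiner: role needs this app but no account exists
            if w.status == "active" and app in ROLE_ENTITLEMENTS.get(w.role, {}) and uid not in accounts:
                findings.append(Finding(app, uid, "missing", "provision per role", "low"))
    return findings


def recertification_queue(hr, app_accounts):
    """Every enabled account on a high-sensitivity app, with the HR view beside it
    so the reviewing manager sees stale roles and unknown users."""
    queue = []
    for app in sorted(a for a in app_accounts if a in HIGH_SENSITIVITY):
        for uid, held in app_accounts[app].items():
            w = hr.get(uid)
            queue.append({"app": app, "user_id": uid, "role": w.role if w else "UNKNOWN",
                          "hr_status": w.status if w else "no record", "entitlements": sorted(held)})
    return queue


# Constructed sample input, not real data.
HR_FEED = {
    "u100": Worker("u100", "physician", "active"),
    "u101": Worker("u101", "nurse", "active"),      # transferred from physician to nurse
    "u102": Worker("u102", "billing", "active"),    # new hire, no accounts yet
    "u103": Worker("u103", "nurse", "terminated"),  # leaver
    "u104": Worker("u104", "nurse", "leave"),       # leave of absence
}
APP_EXPORTS = {
    "ehr": {
        "u100": {"chart_read", "chart_write", "order_entry"},
        "u101": {"chart_read", "chart_write", "order_entry"},  # order_entry survived the transfer
        "u103": {"chart_read", "chart_write"},                 # still enabled after termination
        "u104": {"chart_read", "chart_write"},
        "u999": {"chart_read"},                                # no HR record at all
    },
    "pacs": {"u100": {"image_view"}, "u101": {"image_view"}},  # u100 lacks image_report
}

if __name__ == "__main__":
    for f in reconcile(HR_FEED, APP_EXPORTS):
        print(f"[{f.severity}] {f.app} {f.user_id} {f.kind}: {f.detail}")
    print(len(recertification_queue(HR_FEED, APP_EXPORTS)), "EHR accounts queued for recertification")
```

The point of the design is that every one of the processes listed above (on-boarding, termination, transfer, leave of absence, audit and recertification) reduces to the same comparison of HR truth against what each application actually holds, which is only possible when every application exposes its enabled accounts and entitlements to the IAM layer. An application that cannot be exported and reconciled this way is the one that ends up carrying the orphaned and over-entitled accounts.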

Does this mean that there will also be consolidation among healthcare application vendors? I would bet yes.


Modernization

Another important shift that will need to happen in healthcare is the modernization of the IT infrastructure. Whether or not the organization is proactive about this shift, it will happen. The introduction of Electronic Health Records (EHR), Electronic Patient Records (EPR), SaaS, cloud computing, virtualization and consumerized end-user computing platforms (e.g. smartphones, tablet computers) is drastically transforming the IT landscape at large, and healthcare is no exception. I wrote an article last year on this trend, and discussed some recommendations on how to approach it.

In healthcare, end users are demanding solutions to simplify their day-to-day interaction with critical systems. For the first time, I have heard employees literally asking for single sign-on using their badge for authentication. This is a very specific and clear requirement voiced loudly by end users.

In fact, some of the physicians I have interviewed in our advisory services engagements tell us that they see a healthcare facility's ability to simplify access as a competitive advantage, which will factor into where they decide to perform their medical procedures. How is that for a clearly articulated requirement?

The CISO will need to stay ahead, proactively monitor the modernization path and prioritize accordingly. Since the underlying forces of this trend are complex in nature, unknown risks can easily impact the bottom line. My belief is that healthcare will need to leap forward in modernizing its IT infrastructure.

Other predictions

Based on these considerations, my prediction is that healthcare will leap forward in technology rather than go through a gradual modernization process. In many cases, healthcare organizations will sunset their old systems and start anew with a more modern equivalent. Therefore, I predict that SaaS adoption in healthcare will explode in the coming years.

This is already evidenced by the offerings being introduced by the leading clinical system vendors, who are adding SaaS delivery options to their more traditional products. IDC has also predicted that SaaS adoption in healthcare will be aggressive in 2011, particularly EMR-as-a-Service.

At the same time, the need to drive efficiency will force the organization to streamline and expedite user on-boarding, termination and the granting of access to clinical systems, all of which will become near-term goals of the CISO's IAM program. This does not mean that managing complexity and sensitivity gets any easier for the CISO. Thus, I predict that healthcare will also lead the way in adopting IDaaS, in any of its variations.

End users and competitive pressures will force the organization to accelerate the delivery of identity lifecycle management solutions, with very little patience and margin for error. Therefore, a strategy that shortens time-to-value and minimizes implementation and operational risk will be preferred over traditional deployment models.

In Part 3 of this 3-part article, we will discuss specific considerations [and recommendations] that the IAM program stakeholders, namely the CISO, should ponder in light of the pressures in healthcare.


Frank Villavicencio