Critical Condition: Healthcare’s Identity Management Challenge

MJ Kaufmann

Security Specialist

Securing Temporary Workers Requires the Right Identity Governance and Administration Solution

The healthcare industry represents 17.7% of the U.S. GDP, and temporary workers are the lifeblood of U.S. healthcare. As much as 94% of healthcare facilities report utilizing locum physicians in their organization. From billing agents to nurses to heart surgeons, temporary staff touch multiple clinical systems and interact with patient information constantly. Healthcare identity management is crucial to addressing the security and compliance challenges presented by this dynamic workforce.

A traveling nurse can be assigned to Pediatrics for a week, rotate to Obstetrics, then leave the hospital for a month and return to an entirely different ward. Healthcare organizations must manage this exposure and provide controls so that only those that need access receive it. 

Healthcare’s rotating workforce presents unique identity management and compliance challenges. Health Insurance Portability and Accountability Act (HIPAA) requires that the principle of least privilege be applied to all accounts with access to protected health information (PHI). With personnel frequently changing roles, continuous compliance means more frequent updates to accounts and permissions. 

Identity management tasks that rely on manual processes increase the risk of excessive access and orphan accounts. We’ve recently discussed how too much access and orphan accounts lead to insider threats. They also lead to HIPAA violations, which mean expensive fines and mandatory remediation costs that average $7.13 million.

In this post, we discuss how the healthcare industry can deliver timely access to its dynamic workforce without sacrificing security and compliance. 

Healthcare Roles Are Dynamic

The risk created by the temporary workforce in healthcare isn’t simply about workers who are hired for a short period and then leave. It also relates to workers who fulfill different roles inside a single organization at different times.

These individuals can range from seasonal accounting contractors brought in for major fiscal events to flex nursing staff that fill in for absent employees. They may work at multiple area hospitals simultaneously, alternating each day of the week. Identity management is essential with such a workforce. HIPAA compliance standards mandate that healthcare organizations maintain least privilege for every account with access to protected health information (PHI). 

It’s challenging to provide temp workers with the right permissions for their current role without inheriting permissions that are no longer applicable. The need to onboard people amplifies this challenge when staffing levels must be ramped up quickly. Healthcare organizations require a balance between security and speed. And let’s face it: your workforce is taxed enough already without having to manage identities manually. 

Eliminating Excess Access

As workers shift to different roles, organizations must verify that their permissions for one role don’t remain when they are fulfilling a different role. A rotating nurse working in Pediatrics yesterday and in the ER today no longer needs access to the Pediatrics patient data. A simple role-based solution that grants a fixed set of permissions based on the “Nursing” role is not granular enough. It allows broad access to patient health information rather than narrowing it to the patients in that specific nurse’s care. To maintain HIPAA compliance with least-privileged access, an identity management solution must know where the nurse is working each day, and then adjust permissions accordingly.

Avoiding Access Delays

Patient care is often life or death, so healthcare workers don’t have time to wait on access. For example, our aforementioned nurse shouldn’t experience delays when accessing the automated pill dispensing machine to treat a patient. Having to ask another staffer for assistance might speed up the process, but it increases security risks and adds workload overhead. There is no guarantee that another worker will not be waiting for their access as well. This could lead to gridlock. Ensuring that workers can be fast and effective is critical to delivering quality care for patients.

IGA Enhances Healthcare

This is where a comprehensive, context-aware, identity-based governance solution enhances healthcare. A modern Identity Governance and Administration (IGA) platform allows for provisioning access based upon a healthcare worker’s roles, affiliations, and peer access. Effective IGA solutions include crucial aspects like Just-in-Time (JIT) Access, contextual identity information, and rapid onboarding. Identity context and privileged access are critical to providing the healthcare workforce the balance of security and frictionless access while maintaining compliance.

Providing the Right Access at the Right Time

Access On Time, Every Time

Just-in-Time Access allows healthcare providers to manage access requests in an expedited manner using risk-based assessments of each request. Low-risk access can be automatically approved, while higher-risk access requests are escalated for manual review. Implementing JIT access requests allows users to initiate the access request themselves and automatically removes the access after a specified period. This lightens the burden on approvers, reduces potential rubber-stamping, and mitigates the risk of privileged account abuse.

“JIT Access allows for more granular, short-term access. The ‘Just In Time’ part comes from the fact that users can quickly get the access to what they need — without having to prearrange it or go through a long, drawn-out approvals process that impedes productivity.”

By narrowing down available access to exactly what staff members need, you reduce the possible damage caused by a compromised account or malicious insider. As an added benefit, JIT expedites the access request process — allowing providers to deliver healthcare faster without compromising security.

In Identity, Context is King

In a healthcare organization, the same contractors return periodically to deliver a repeated service, such as accountants who come in for one week at the end of each quarter to assist with the closeout. This access would normally be considered high risk because of the data’s confidential nature and because the contractor is temporary staff. However, a history of previously granted access with no recorded misuse leads the system to evaluate the request as lower risk, which allows the permissions to be granted in a streamlined way.

Contextual identity information is knowing who has access to what resources, why they need that access, and how they are using it. Artificial intelligence (AI) and machine learning (ML) are essential for putting things in context and delivering intelligent identity. They provide risk-based evaluation and informed decision-making for access requests and provisioning. By tracking the access approval process, the system learns what is considered acceptable behavior. Over time this information is curated, and the AI learns what is appropriate for common request scenarios.
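To make the JIT and identity-context ideas from the last two sections concrete, here is a small risk-based access decision in Python. This is an added example written for this post, not Saviynt’s product or its API; the user ID, ward assignments, grant history, score weights and the escalation threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (not from a real system): which ward a rotating
# nurse is assigned to each day, and prior incident-free grants per resource.
ASSIGNMENTS = {"nurse-0042": {"2024-03-04": "Pediatrics", "2024-03-05": "ER"}}
HISTORY = {("nurse-0042", "ER:patient-charts"): {"grants": 6, "incidents": 0}}
ESCALATE_AT = 50  # assumed threshold: scores at or above this need a human reviewer

@dataclass
class Request:
    user: str
    resource: str    # "<ward>:<dataset>", e.g. "ER:patient-charts"
    date: str        # shift date, YYYY-MM-DD
    ttl_hours: int   # requested duration; the grant expires on its own

@dataclass
class Decision:
    outcome: str     # "approved", "escalated" or "denied"
    risk: int
    expires_at: Optional[datetime] = None

def score_risk(req: Request) -> int:
    """Higher is riskier: ward mismatch dominates, a clean history lowers it."""
    ward = req.resource.split(":")[0]
    risk = 40  # baseline: any access to PHI carries risk
    if ASSIGNMENTS.get(req.user, {}).get(req.date) != ward:
        risk += 50  # the requester is not working in this ward today
    hist = HISTORY.get((req.user, req.resource))
    if hist and hist["incidents"] == 0:
        risk -= min(30, 5 * hist["grants"])  # repeated, incident-free use
    if req.ttl_hours > 12:
        risk += 20  # long-lived grants undermine the "just in time" idea
    return max(risk, 0)

def decide(req: Request, now: Optional[datetime] = None) -> Decision:
    now = now or datetime.now()
    if req.date not in ASSIGNMENTS.get(req.user, {}):
        return Decision("denied", 100)  # not scheduled anywhere that day
    risk = score_risk(req)
    if risk >= ESCALATE_AT:
        return Decision("escalated", risk)  # manual review; nothing granted yet
    return Decision("approved", risk, now + timedelta(hours=req.ttl_hours))

def is_active(d: Decision, now: Optional[datetime] = None) -> bool:
    """A grant is usable only while approved and before its expiry."""
    now = now or datetime.now()
    return d.outcome == "approved" and d.expires_at is not None and now < d.expires_at
```

Yesterday’s ward scores high and is escalated, today’s ward with a clean history is auto-approved, and the approved grant stops working once its TTL passes.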

Saviynt’s Risk Insight Panel assesses risk from different sources and aids data-driven decision making

Automation Leads the Way

Without a modern Identity Governance and Administration platform, system administrators must perform a range of tasks and checks to verify adherence to procedures and policies, such as identifying segregation of duties (SoD) violations or toxic combinations of permissions that can lead to misuse. Manual processes increase the probability of omission and may lead to over-permissioning, non-compliance, or data disclosure.

Automation is about more than just guaranteeing timely and secure access. It is also about streamlining tasks and maintaining continuous compliance. With an effective IGA platform, if someone leaves, the software automatically removes/disables their accounts in target applications, helping organizations meet regulatory compliance requirements. Overly broad visibility to patient data or lingering access after employment can lead to large HIPAA fines.

As new permissions are added and removed, this action is tracked by the system and verified against defined policies and regulatory compliance rules. A comprehensive IGA solution can deliver alerts and reports identifying which identities have access to certain resources and when that access is no longer appropriate.

IGA Strengthens Healthcare 

Temporary and rotating workers are vital to the success of the U.S. healthcare industry. However, this dynamic workforce presents unique identity management and compliance challenges. An IGA platform that offers fine-grained controls, context-aware identity-based governance, Just-in-Time Access, and rapid onboarding can help meet those challenges. Modern IGA is strong medicine for healthcare’s identity management and compliance ailments.
