Identity Governance and Administration for the Healthcare Gig Economy

As malpractice insurance costs increase, the healthcare industry finds itself facing a significant dilemma. The current healthcare talent gap increases patient costs, decreases the quality of care, and places a financial burden on healthcare organizations. To close this gap, more healthcare professionals and organizations are embracing the “gig economy.” However, maintaining the privacy and security of protected health information (PHI) in this gig economy leads to increased costs from HIPAA violations that undermine the reason for hiring temporary staff. To overcome this burden, the healthcare industry needs modern Identity Governance and Administration (IGA) solutions to support these new business operations.

What Is The Gig Economy in Healthcare?

The Talent Gap Is Expanding

According to research conducted in 2018, the healthcare industry not only struggles with a current talent gap, but the gap will continue to grow in the future. For higher-skill practitioners, role openings exceed available workers by 40%. To further complicate the situation, the research indicated that the field needs:

  • 52,000 more physical therapists
  • 43,000 more nurse practitioners
  • 24,000 more occupational therapists
  • 23,000 more physician assistants

These numbers are only the beginning. The healthcare industry’s talent gap is expected to expand over the next five to ten years.

Patients Want More Communication and More Control Over Their Health

Meanwhile, patients continue to adopt a consumer approach to healthcare that incorporates new technologies. According to one study, 19% of patients said the “most important” factor in choosing a physician was the use of technology. An additional 21% placed technology as the second most important factor in choosing their physician. Thus, 40% of patients consider a healthcare provider’s use of email communication, online scheduling, and mobile device use in the office a primary factor for making their consumer healthcare decisions.

Patients now expect their healthcare providers to communicate with them electronically. Unfortunately, healthcare’s talent deficit often leaves patients waiting for responses, which translates into poor patient satisfaction and poor outcomes as patients move to different providers.

Temporary Staffing or “Gig Economy” Enables Healthcare Organizations

To accommodate the skills gap and patient communication requirements, the healthcare industry has begun to embrace the gig economy. Healthcare professionals seeking flexible schedules or looking to make extra money become “traveling” practitioners. Healthcare organizations cover the gaps in their ability to meet patient needs by hiring temporary practitioners.

As the gig economy continues to expand, healthcare organizations face EHI privacy and security concerns that can leave them facing HIPAA violation penalties.

How Does the Gig Economy Impact HIPAA Privacy Compliance?

Under the HIPAA Privacy rule, healthcare organizations need to:

  • Make reasonable efforts to use, disclose, and request the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
  • Develop and implement policies and procedures to limit internal workforce member access to PHI based on roles and groups.
  • Determine the reasonableness of covered entity requests to ensure they align with the HIPAA Privacy Rule.

When working with freelance health professionals, complying with the HIPAA Privacy Rule becomes burdensome. Healthcare professionals require access to the organization’s systems and applications to provide appropriate patient care. However, contractors create risk by adding devices and identities to the ecosystem.

6 Major Privacy Risks The Healthcare Gig Economy Causes

Snooping

Although organization policies require contracted practitioners to undergo detailed background checks, people get curious. Employees – contracted or full-time – create a snooping risk when they have more access to EHI than their role requires. Contractors lack formal ties to the healthcare organization and create a greater risk, since the organization may be unaware of their relationships with other patients. A snooping contractor not only places EHI at risk while working with the organization but can take it with them to other short-term employers.

Maintaining appropriate access controls

Practitioners need access to information that enables them to provide care, but they do not always need access to the full patient profile. For example, a physical therapist needs patient health information to help create a rehabilitation program, but she does not need patient medication, financial or health insurance information. However, as part of the rehabilitation plan, she may need to review medications for side-effects. After requesting additional access, the healthcare organization needs to ensure that she only accesses what she needs at the time she needs it. Thus, maintaining appropriate access controls can become overwhelming when attempting to limit information sharing to the minimum amount necessary.

Ensuring Appropriate Termination of Access

Clinical workers join and leave organizations on a regular basis. Healthcare organizations need to ensure that they create appropriate time-bound access and enforce their rules when that time elapses.

Rejoining the Organization

Often, healthcare organizations build relationships with their contracted workers. A hospital may need extra support from a physical therapist for a short, three-month period. Later in the year, it may need another short-term contract with the same person. However, the access the physical therapist previously had for a legitimate reason has expired. Simply reactivating the old identity with its old entitlements may lead to a privacy violation.

User Access from Personal Devices

Organizations not only need to maintain Electronic Health Information (EHI) privacy on their own devices, but that privacy requirement extends to user-owned devices. Within the gig economy, personal devices are the way that users access important assets such as email and cloud-based applications. However, user-owned devices are an inherently risky way of accessing data, which places user authentication credentials at risk.

Multiple Sites, One Data Source

Large healthcare organizations incorporate multiple locations. However, contractors only need access to information associated with the office in which they work. Ensuring least privilege necessary means limiting their access to only the information they need to provide healthcare, not all patient information for the organization.
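The four risks above (minimum necessary access, time-bound termination, re-engaging a returning contractor, and scoping access to one site) can be expressed as one small entitlement model. The following is an added illustration written for this article, not Saviynt’s code or product logic; the identities, sites, data classes and dates are constructed, and the rule that a returning contractor receives a fresh grant rather than a reactivated one is the design choice the text argues for.

```python
"""Time-bound, site-scoped entitlement model for contracted clinicians.

Added illustration (not the vendor's code). Each grant is tied to one
engagement, one site and an explicit set of data classes, and carries a
hard start and end time. Re-engaging a returning contractor issues a new
grant instead of reactivating the expired one, so the record keeps both.
All identifiers, sites and dates below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Grant:
    identity_id: str              # contractor's identity record
    engagement_id: str            # the contract this grant belongs to
    site: str                     # the single location the contractor works at
    data_classes: FrozenSet[str]  # minimum-necessary data for the role
    starts: datetime
    ends: datetime                # hard expiry; no open-ended access

    def covers(self, site: str, data_class: str, at: datetime) -> bool:
        return (self.site == site
                and data_class in self.data_classes
                and self.starts <= at < self.ends)


class EntitlementStore:
    """Append-only record of grants; nothing is ever reactivated or edited."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def onboard(self, identity_id: str, engagement_id: str, site: str,
                data_classes: Iterable[str], starts: datetime, days: int) -> Grant:
        g = Grant(identity_id, engagement_id, site, frozenset(data_classes),
                  starts, starts + timedelta(days=days))
        self.grants.append(g)
        return g

    def add_temporary_scope(self, base: Grant, data_class: str,
                            at: datetime, days: int) -> Grant:
        """Short-lived add-on (e.g. a medication review) that cannot outlive
        the engagement it is attached to."""
        ends = min(at + timedelta(days=days), base.ends)
        g = Grant(base.identity_id, base.engagement_id, base.site,
                  frozenset({data_class}), at, ends)
        self.grants.append(g)
        return g

    def authorize(self, identity_id: str, site: str, data_class: str,
                  at: datetime) -> Tuple[bool, str]:
        """Deny-by-default decision with a reason suitable for an audit log."""
        mine = [g for g in self.grants if g.identity_id == identity_id]
        if not mine:
            return False, "no grants on record"
        for g in mine:
            if g.covers(site, data_class, at):
                return True, f"engagement {g.engagement_id}"
        if any(g.starts <= at < g.ends for g in mine):
            # identity is active somewhere, but not for this site/data class
            return False, "outside granted site or data class (minimum necessary)"
        return False, "all grants expired"


def demo() -> dict:
    """Walk a physical therapist through one engagement, an expiry, and a return."""
    store = EntitlementStore()
    t0 = datetime(2019, 3, 1)  # constructed engagement start
    first = store.onboard("pt-0042", "ENG-1", "north-clinic",
                          {"clinical_notes", "rehab_plans"}, t0, 90)
    r = {}
    r["notes_day10"] = store.authorize("pt-0042", "north-clinic", "clinical_notes", t0 + timedelta(days=10))
    r["billing_day10"] = store.authorize("pt-0042", "north-clinic", "billing", t0 + timedelta(days=10))
    r["other_site"] = store.authorize("pt-0042", "south-clinic", "clinical_notes", t0 + timedelta(days=10))
    # a seven-day medication review window opened on day 20
    store.add_temporary_scope(first, "medications", t0 + timedelta(days=20), 7)
    r["meds_day22"] = store.authorize("pt-0042", "north-clinic", "medications", t0 + timedelta(days=22))
    r["meds_day40"] = store.authorize("pt-0042", "north-clinic", "medications", t0 + timedelta(days=40))
    r["notes_day100"] = store.authorize("pt-0042", "north-clinic", "clinical_notes", t0 + timedelta(days=100))
    # the same therapist returns in September under a new engagement
    t1 = datetime(2019, 9, 1)
    store.onboard("pt-0042", "ENG-2", "north-clinic", {"clinical_notes", "rehab_plans"}, t1, 60)
    r["notes_rejoin"] = store.authorize("pt-0042", "north-clinic", "clinical_notes", t1 + timedelta(days=9))
    r["meds_rejoin"] = store.authorize("pt-0042", "north-clinic", "medications", t1 + timedelta(days=9))
    return r


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The point to take from `demo()` is the last two lines: the returning therapist regains exactly the scope of the new engagement, and the earlier medication add-on does not silently follow her back, which is what “resetting the old identity” would have done.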

Legacy Solutions Cannot Meet the Dynamic Identity Demands of the Gig Economy

The gig economy thrives on a dynamic, transient workforce. Thus, the current set of available solutions cannot meet the increased need for IGA programs that align with the changing workforce in conjunction with HIPAA privacy requirements.

Single Sign-On (SSO) creates access and authentication controls at the organization’s highest level, its entrance. SSO does not help govern user access once the individual is inside the organization’s systems. While it acts as a preventive control, it cannot secure all systems and data.

Legacy solutions enable high level, or coarse-grained, access controls. They often only provide access protection at the application level. For example, the traveling practitioner cannot obtain payroll information but can access the entire patient database. As such, the practitioner may maliciously or accidentally obtain information about a patient in a different location or gain access to too much information about a patient.

The Modern Healthcare Workforce Needs Modern IGA Solutions

As the modern healthcare workforce evolves, so must its IGA solutions. The workforce no longer consists of static employees committed to a healthcare organization. The modern workforce – whether driven by cost or skills – is a dynamic workforce. As such, healthcare organizations need modern, dynamic, intelligent solutions that can adapt to the shifting healthcare landscape.

Intelligent Risk Analysis

Intelligent risk analysis means developing a full portrait of the user’s risk profile by incorporating access analytics, usage analytics, individual user activity, and inherent user risk. By aligning data and user access across the enterprise, healthcare organizations can create detailed user roles and groups that allow them to manage user identity, data classification, device, and location.

By analyzing user activity with filters such as type, role, permissions, data accessed, and functionality performed, IT departments gain visibility into interactions with patient data, i.e., who’s accessing which systems at what time, and why.
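The activity review described above can be made concrete as a small access-log analysis. The following is an added example written for this article, not Saviynt’s analytics; it parses constructed access-log lines and flags events where a contractor viewed a patient outside their care relationship, outside their assigned site, or outside shift hours. The log format, the roster and every identifier in it are assumptions made for the example.

```python
"""Access-log review for care-relationship, site and shift anomalies.

Added illustration (not the vendor's analytics). Log lines are assumed
to look like:
  <ISO timestamp> user=<id> site=<site> patient=<id> action=<verb> data=<class>
The roster maps each contractor to the one site they work at, the
patients they are scheduled to treat, and their shift window (hours).
Roster, shift windows and log lines are all constructed sample data.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) site=(?P<site>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+) data=(?P<data>\S+)$"
)

# constructed roster: who is expected to touch which patients, where, and when
ROSTER: Dict[str, Dict] = {
    "pt-0042": {"site": "north-clinic", "patients": {"P-1001", "P-1002", "P-1003"}, "shift": (7, 19)},
    "np-0107": {"site": "south-clinic", "patients": {"P-2001"}, "shift": (8, 20)},
}

# constructed sample log; the last line is deliberately malformed
SAMPLE_LOG = [
    "2019-03-10T09:14:00 user=pt-0042 site=north-clinic patient=P-1001 action=view data=clinical_notes",
    "2019-03-10T09:20:00 user=pt-0042 site=north-clinic patient=P-3500 action=view data=clinical_notes",
    "2019-03-10T22:41:00 user=pt-0042 site=north-clinic patient=P-1002 action=view data=medications",
    "2019-03-11T10:02:00 user=pt-0042 site=south-clinic patient=P-1003 action=view data=rehab_plans",
    "2019-03-11T10:05:00 user=np-0107 site=south-clinic patient=P-2001 action=update data=clinical_notes",
    "2019-03-11T10:09:00 user=unknown-9 site=south-clinic patient=P-2001 action=view data=clinical_notes",
    "2019-03-11 audit subsystem restarted",
]


def parse(line: str) -> Optional[Dict]:
    """Return the event fields, or None when the line does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    except ValueError:
        return None
    return ev


def review(lines: List[str]) -> List[Dict]:
    """Flag each event that falls outside the user's roster entry.

    Lines that cannot be parsed are reported too: a gap in the audit
    trail is itself a finding for a HIPAA review."""
    findings = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            findings.append({"user": None, "line": raw, "reasons": ["unparseable log line"]})
            continue
        reasons = []
        entry = ROSTER.get(ev["user"])
        if entry is None:
            reasons.append("user not on roster")
        else:
            if ev["patient"] not in entry["patients"]:
                reasons.append("no care relationship with patient")
            if ev["site"] != entry["site"]:
                reasons.append("outside assigned site")
            start, end = entry["shift"]
            if not (start <= ev["ts"].hour < end):
                reasons.append("outside shift hours")
        if reasons:
            findings.append({"user": ev["user"], "patient": ev["patient"],
                             "ts": ev["ts"].isoformat(), "reasons": reasons})
    return findings


def flagged_per_user(findings: List[Dict]) -> Dict[str, int]:
    """Count flagged events per identity; feeds a risk score for access reviews."""
    return dict(Counter(f["user"] for f in findings if f["user"] is not None))


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
    print(flagged_per_user(review(SAMPLE_LOG)))
```

The three per-user checks are independent, so one event can carry several reasons; that is useful when feeding an access-review queue, because a view that is both off-site and outside any care relationship is a stronger snooping indicator than either alone.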

Intelligent Compliance

HIPAA requires that healthcare organizations define and implement controls to maintain continuous compliance. To move from compliance to intelligent compliance, organizations need solutions that provide a depth and breadth of integration that maps across industry domains and applications while aligning with compliance requirements, including but not limited to SOX, PCI, NIST, and HIPAA/HITRUST.

Intelligent Privacy

Privacy focuses on data access protections. Intelligent privacy means organizations classify data and continuously monitor for anomalous activity, such as unusual data use or access requests. Accidental unauthorized data access arising from a failure to properly govern identities still violates the HIPAA Privacy requirements.

Why Saviynt? Assured Compliance-as-a-Service

Intelligent Identity. Smarter Security and Privacy.

Saviynt starts with people and their access. Our cloud-native IGA solution enables full visibility into how and where users interact with data whether using a cloud, hybrid, or on-premises IT infrastructure. Meanwhile, our FedRAMP Authority-to-Operate (ATO) eases vendor risk analyses by providing assurance over our platform’s security.

Bringing together access analytics based on peer group analysis with automated preventive measures, we offer an IGA module that helps identify potential risks while streamlining the access request process.

Our Cloud PAM module and its cloud-native capabilities ease the continuous monitoring and documentation burdens needed to prove continuous assurance over escalations.

Finally, incorporating our risk-based DAG module allows organizations to classify data and review access analytics to protect information and ensure compliance in real-time.

Address the entire landscape of your governance needs from our single source of truth, and your organization will realize all the value of digitization without exposure to new vulnerability and risk.  

For more information about how Saviynt’s platform and intelligent identity solution can enable your healthcare organization, watch for our upcoming free webinar.

 

Diana Volere

About author

Diana is a strategist, architect and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world, and has an emphasis on healthcare and financial verticals. In her role as a Principal Solution Architect at Saviynt she works as a technical evangelist and strategist with partners and customers to derive business value from technical capabilities. Her past twenty years have been spent in product and services organizations in the IAM space.
