Without a solid identity governance and administration strategy, digital transformation can’t be done. Or perhaps more accurately, it can be done, but it shouldn’t. In fact, it’s the equivalent of building a brand new house without putting in built-in plumbing.
A bold statement? Yes, but one that Wes Wright, CTO at Imprivata, strongly backed up. “Digital identity touches everything,” he said during a recent panel discussion. “It’s essential to a great health IT operation.”
But, like basic plumbing, although the job it does is critical, it lacks the bells and whistles of other investments. “It’s not fancy. There are no fireworks; it’s expected,” he added. As a result, it’s been “kicked down the road again and again,” leaving organizations in a vulnerable position.
During the webinar, Wright and Randy Nale (Healthcare Technology Solution Strategist, Microsoft) talked about what it takes to protect digital identity, why it has become so important, and what happens when health systems aren’t willing to make the investment.
The reason comes as no surprise; during the past 10 months, digital health has accelerated to a point few believed was possible, noted Nale. “The expectations have changed. And so there’s a real focus on enabling the consumer digital experience so that when I get to the clinic, I’m already in line. They know who I am.” The paperwork has been filled out prior to the appointment. And for those who require care at home, therapeutic devices are automatically shipped out. “We had so much ground to make up,” and so to see it come to fruition has been satisfying.
But it doesn’t come without a price. With more digital experiences comes more devices, more applications, and more individuals accessing this information. And every member of the care team needs a secure identity to ensure they’re accessing the information and systems they need to do their jobs.
“There are more people who need to be validated and verified,” said Nale, which is where identity governance comes into play. “You need to track all of that, and do it in a sophisticated and automated way.”
Unfortunately, that hasn’t always been the case, according to Wright, who believes part of the problem is an overabundance of user IDs. “We’ve been disingenuous by handing those user IDs out like candy and not emphasizing how important digital identity is. It’s at the heart of everything. But we haven’t trained our end users — or worse, our technologists — on how important that is.”
As a result, IGA isn’t always viewed as a top priority by decision-makers. “To some degree, it’s a can people think they can kick down the road,” he said.
And while most information security professionals certainly understand the criticality of having an identity governance strategy, there’s a tendency to underestimate the need for automation, according to Nale. With a “very sophisticated, very complete, and very automated system,” the ability to verify an individual’s identity can become seamless — something that could pay dividends as health systems roll out and track the Covid-19 vaccine.
Naysayers & Can Kickers
That, of course, is just one example. As hybrid care delivery models become more common, manual processes will become less practical, noted Wright. And while organizations who choose that route to save costs will survive in the short-term, they’re going to run into some serious problems down the road. The other issue is that “can-kickers,” as he termed it, often assume that IGA is mostly about provisioning and deprovisioning, when in fact, that only accounts for a fraction of what a good system does.
“They’re not looking at the whole picture,” said Wright. “Yes, you need to do provisioning with digital identities, but that’s only one of the 32 capabilities that a good identity governance and administration program needs to make the technology transparent to the clinician or the business partner. If there’s anything that begs for automation in healthcare, it’s provisioning.”
Those who aren’t willing to pay up now could end up paying more in the future, said Wright, who compared the IGA holdouts to organizations that waited too long to virtualize servers in the data center. “They regretted that decision. They’re like, ‘I can’t believe I still have thousands of physical servers in my data center.’ Meanwhile, the folks across the street are able to do so much more and at less cost.”
Money and Other Obstacles
It’s a position no one wants to be in, which begs the question of why some are still hesitant — is it all about the money?
Not necessarily, according to Nale. For one thing, digital identity is competing with countless other areas for funds. Even then, “there are a lot of obstacles preventing folks who are willing to invest the money to make it a priority.”
Putting financials aside, there are still significant constraints, such as ensuring data validity. This can get complicated, as physicians and nurses often use different credentialing agencies. “When you add patients, systems, and applications into the mix, it’s a question of who owns the patient’s identity and which identity they’re going to use,” he noted. “Are they going to use the identity we gave them? Are they going to bring their own? You have different people who think about that in different ways.”
There are legal mandates to consider as well, particularly with EHR systems that don’t easily plug into the digital identity ecosystem.
It is, as Nale stated, a lot. “And if you try to do too much, especially at the beginning, you can really get stalled.”
To that end, both Wright and Nale recommended adopting a platform-based approach to identity governance, which was validated by findings from a recent Gartner report. “There’s never going to be one silver bullet, but if you take a platform-based approach, you’re going to get the flexibility that you need without too much deviation,” said Nale. The two organizations have teamed up do just that, leveraging Microsoft’s identity ecosystem and Imprivata’s tool set to create a unified digital identity that is applicable to specific workflows. Combining the two platforms, he added, can provide the “complete digital identity framework” needed to support digital transformation.
Of course, it’s not the only way to go, but both Wright and Nale strongly believe it’s the best option.
“In the past, many folks have tried to bring in best-of-breed tools,” said Nale. “What they found is the integration of those tools is just as hard — or in some cases, harder — than solving the actual problem, which is managing the digital identity and giving people access to what they need while preventing access to data they don’t need.”
It’s an approach they believe can accomplish the end goal without putting more strain on health IT and security teams, which have gone above and beyond to help accelerate digital health and ensure patients could safely receive care during the pandemic — which is no small feat, according to Wright.
“We saw quite a bit of heroics,” he said. “The hoops that folks jumped through is something the entire health IT community should be proud of.”
To view the archive of this webinar — Assuring Your Digital Transformation with Identity Governance & Administration (Sponsored by Imprivata) — please click here.