When the Covid-19 pandemic hit, healthcare organizations were forced to take drastic measures. One of them was to “break the glass” and ensure physicians and nurses had access to the information they needed to provide patient care. Although it goes against everything IT and security leaders are taught, breaking protocol was necessary in this case.
For organizations that already had automated and intelligent identity solutions in place, it wasn’t a huge undertaking. For those that had not invested in the technology, however, it was a different story. “Covid helped shine a light on some significant gaps,” said Matt Radcliffe, AVP of Healthcare with SailPoint. “Without automated processes, it would have been exceptionally painful to onboard contract nurses and physicians.” Organizations that still rely on manual processes have struggled — and will continue to struggle — to keep up with the pace of change, especially those that were overtaxed prior to the pandemic.
The key is to identify areas in which automation can provide value, noted Radcliffe, who believes identity security offers a “rapid win” to IT and IS organizations, as well as clinicians. During a recent panel discussion, he and Tareva Palmer, CISO at WVU Medicine, talked about how identity security solutions can benefit health systems, and what it takes to implement them successfully.
As with any rollout, the first step is making a case as to why the initiative is necessary. At WVU Medicine, one key factor is the size of the organization and, subsequently, the volume of identities and applications that must be managed, said Palmer.
“For us, it’s a matter of ensuring we can automate as much as possible to ensure we have standard access for standard roles.” As WVU Medicine has grown exponentially — going from 5 hospitals to 20 in a span of about 6 years — doing so has become increasingly challenging. “In healthcare, an RN isn’t necessarily an RN, and a physician isn’t necessarily a physician.” In other words, clinicians may require different levels of access depending on specialty or type of facility, all of which must be enabled before they set foot in the building.
“You want to make sure that when you onboard them, they’re able to function from that very first hour. To do that, you have to automate, and you have to make sure roles are built for their access,” said Palmer. Her team utilizes IdentityIQ, SailPoint’s Intelligent Cloud Identity Platform, to create work queues that are sent to various teams to provision access.
A “complex environment”
Another critical factor is the growing number of applications, some of which have only a handful of users. In those cases, the cost to automate isn’t justifiable, and therefore, a manual notification is required to add or remove an individual’s access to the system. This isn’t uncommon, noted Radcliffe. But although apps are disconnected, “you still want your identity platform to define the role and to track the workflow,” he said. “Because at the end of the day, it’s also about driving compliance processes. And so having your provisioning workflow engine fully integrated with your compliance engine is critically important. As you run certifications, you need the ability to automatically de-provision overentitled permissions.” And if individuals are being provisioned, it’s important to have visibility into what they can access to ensure there are no conflicts.
It’s a thorny issue, one that becomes even thornier given the fact that many organizations are moving toward cloud transformation, but currently exist in a hybrid environment. “A lot of applications are on premise, but they’re marrying with cloud strategies to enable organizations to adopt stronger BYOD, remote work, and telehealth strategies,” Radcliffe said. SailPoint’s solutions offer the ability to bridge the gap between on-premise and cloud strategies. “It’s a complex environment, but one that we understand.”
Making a case
All of that being said, it can still be difficult to explain to executive leadership why identity solutions are essential. What’s vital, according to Palmer, is conveying the importance of being able to monitor access, from both a compliance and a security perspective, and explaining how credentials that haven’t been deactivated can be used in an attack. “If you’re able to relay that information, you’ll gain the support of your leadership and the board,” she said. “But you need to make a business case and explain the why behind it, as well as how to mitigate the risk.”
The next step is choosing the right vendor partner based on your organization’s needs and objectives, said Radcliffe, who broke the process into three parts:
- It’s important to involve different lines of business as soon as the design process begins, he noted, and that includes clinical integration, credentialing, and the help desk, among others. Having these teams on board early can help sell the value of the identity security program, while also building adoption and engagement. “It’s just not an IT initiative; it’s an enterprise initiative,” he noted. “Having that participation is important for success.”
- With cybersecurity premiums rising, and more organizations pursuing security frameworks like NIST and HITRUST, it’s critical to ensure identity security initiatives are tied to the boxes that need to be checked in the security framework, said Radcliffe. “Identity security is an important tool that can check off a number of these boxes.”
- Rather than just accepting the vendor’s ROI case, Radcliffe recommended asking for a business value assessment that utilizes pertinent data. “Don’t just leverage the vendor ROI,” he said. “Make sure you’re working with a team of financial analysts that understand the technology and understand customer workflow, and build a plan based on that.”
Along the same lines, he cautioned against “buying off the demo,” urging leaders to “pull the covers back and understand how use cases are configured. How do you connect to applications? Force the vendor to do things in a dynamic way – I’m a big fan of that approach,” Radcliffe stated.
Finally, he advised including vendors in the discussion as early as possible and being transparent. “There’s a lot that needs to be unpacked and uncovered within any organization. We want to avoid surprises, and the way to do that is by having collaborative conversations early on.”
An archive of this webinar, Keys to Rolling Out Identity Security and Data Governance Solutions (Sponsored by SailPoint), is available.