Published April 2021
The COVID pandemic has placed many pressures on the nation’s healthcare systems, and the high volume of changes required to adapt has prompted them to take a fresh look at digital identities and identity management. As healthcare clinicians flex roles in order to meet staffing needs related to COVID, that’s increased the need to ensure they have access to the right IT systems when and where they need them. Managing these permissions can be overwhelming for large healthcare delivery organizations, and that’s increased IT executives’ willingness to look at digital identity, says Wes Wright, CTO at Imprivata. But such initiatives are massive and can’t be defined as an IT project. Rather, implementing identity governance is a program that will impact a wide swath of people across an HDO. In this episode of healthsystemCIO’s Partner Perspective Series, Wright talks with Founder and Editor-in-Chief Anthony Guerra about why identity governance is being touted as an important weapon in the security fight; how to go about implementing it; and what the future of cyber defense may look like.
Guerra: Wes, thanks for joining me today.
Wright: Hey Anthony, always a pleasure talking with you.
Guerra: Tell me about your organization and your role.
Wright: I’m the chief technology officer at Imprivata. I’ve been at Imprivata three years come April. Prior to that, I spent 25 or so years on the health delivery organization side in various CIO and CTO roles. In my last one, I was at Sutter Health as the CTO. And at Imprivata, a lot of people know us the “Tap and Go” company, but since Gus Malezis, our CEO, came on board about five years ago, he has a great vision for where Imprivata needs to be and where we should be for healthcare, and that is to be the digital identity company for healthcare. One of the things Gus commonly says is that wherever there’s a digital identity in healthcare, Imprivata will be there. And that’s the kind of integrated product portfolio that we’ve built out. So from provisioning all the way to de-provisioning, and everything that happens to digital identity within an organization, Imprivata’s got a play in that area.
Guerra: We’ve seen a number of things in the news recently that seem to support your approach around digital identity. Gartner put out a report that strongly favored this approach. NIST put out an article about the SolarWinds hack in which they said that identity governance and digital identity is extremely important. I know you’ve been talking about this for a long time.
Wright: A couple years now, at least.
Guerra: Tell me about some of your experiences on the provider side that made you realize this was so important.
Wright: Unfortunately, a good, strong identity governance process is kind of like – for lack of a better analogy – like plumbing in your house. It’s got to be there; it’s got to work all the time; and if it’s not there, it’s a mess. But nobody likes to spend money on plumbing – it’s always better to put in new cabinets or something like that because it’s all flashy. So we’ve neglected in health IT the identity governance systems, or what Gartner calls identity governance administration, simply for that reason. The pipes are in the walls and nobody can see them, so when you do something good to them, you’re not being put on the shoulders of physicians and marched around and lauded.
But I think COVID and the reports that you mentioned – Gartner coming out and saying if you’re going to do digital transformation, don’t try to do it without a good IGA system in place because it’s just going to fall on its face. And after the SolarWinds hack, NIST came out and said that identity is everything. I think those events are just reinforcing what we’ve known at Imprivata for a while. This was reinforced when I was out at Sutter doing a desktop transformation project there; I worked really closely with Microsoft folks, and I started hearing from them that identity is the new perimeter. I was a little slow (LOL), so it took me a while to figure out what they were talking about there, to realize that that is how things get in and out of your network, which is the perimeter, using digital identity.
That’s when I first started realizing the importance of digital identity. As CTO and leader of operational IT in a health delivery organization, what digital identity meant for the longest time was, “I’ve got Provider A coming on Monday, and she’s got to see patients starting at 8 in the morning, so by God, I better have a digital ID ready for her, with the appropriate applications associated with the digital identity, come Monday morning.” And the way I’d do that is say, “Well, Provider A is going to be doing a lot of the same things that Provider C is going to do, so I’m just going to give Provider A what Provider C gets,” knowing that Provider C is also part of the medical executive committee and has access to those files and folders, so now I’ve given Provider A – who is a brand-new physician maybe just out of school – access to the medical executive committee’s stuff. And that’s the way we did identity “management” back then, and we’ve realized that that is not the right way to go about it, And we’re starting to see – again, with the Gartner report and NIST article – we’re starting to see folks say that identity really is important, and they’re reining in the horses with what they’re doing in identity.
Guerra: When was this approximately when you had this epiphany? What year?
Wright: I’d say 2015, 2016, somewhere around there. You know, I had tried to stand up identity governance systems, and it’s hard. You can get caught up in the politics of standing up an identity governance system. These systems don’t stand up easily because there’s so many people involved.
The way an identity governance system works is you take some feeds from your HR system that have a job code in them, and then that feeds into your identity governance system, and based upon that job code and other demographics, you can say, “OK, given that job code, I need to give him these applications and so on.”
There’s a big funnel at the front of your IGA system; well, included in that big funnel are a lot of different people, so whenever I tried to stand up an identity governance system, I’d go to HR and say, “Hey, I need your job codes and how they relate.” And that’s when HR would take the opportunity to say, “Well, we need to bring in a consultant, and we need to rationalize this. I’ve got 5,000 employees and 6,000 job codes.” And so my IGA standup would just be ground to a halt while HR did their thing. Then I’d go to the people running the ERP system and go, “Hey, I need to get these data feeds from you in order to build these identities,” and they’d go, “Well, we only have our employees in that system.” What about our contractors, what about our vendors, what about our students, what about our volunteers? They’d say, “Well, we’re going to have to come with a plan to get them into the system.” So I’d be stalled again, waiting for them to come up with a plan to get that stuff into the system. Then I’d go over to the chief information security officer and say, “Hey, I’m standing up an IGA system,” and they’d go, “Well, we really don’t have these roles well defined,” so I’d be waiting again.
So that’s why standing up an identity governance system has been so hard. We thought about it as a project, but it’s not a project. It’s an ongoing, everyday kind of thing, and to get the collaborative momentum going in an organization is just trying. That’s historically been the issue around this, and I see a lot of my friends who are still out there on the HDO side that have inherited some of those systems that do IGA have consultants in helping them determine these different pieces and parts, and really their IGA system is just sitting on the shelf, becoming shelf-ware while they do all this other stuff. Not only is it not sexy, but IGA is a really hard collaboration effort for a health delivery organization to get going.
At Imprivata, we do it a different way. We “cheat,” to some degree – at one point, because of the success we’ve had with Imprivata OneSign – the tap-and-go – we were kind of pigeon-holed as the “Tap Off” company. But I think we’ve broken out of that silo, but now we’re using the strength that comes with that, because as people in a facility have been badging in and badging out – sometimes for years – we actually, via OneSign, see the data and the applications that they’ve been badging into and out of. Now, we can take that data – you can tell me (their names) are ICU nurses, and I’ll just pull the data out of OneSign and find out what have they been tapping into over the last year – what applications have they been using? So then I can take that data and put it into my Imprivata identity governance solution and I can come with “Here’s the ICU, the ICU role, and here are the applications that they have to use during their ICU job.” So I shortcut all that big funnel at the beginning, to try and get all the roles and everything defined with the HR and ERP pieces, I can shortcut that by using Imprivata OneSign data, to define the roles based on what they had been using in the past. So that allows us at Imprivata to stand this up – we can get people up and running and get that software off the shelf in five or six months for five or six different applications. It’s a new way to think about identity governance rather than letting that big front-end process drive the roles-based access controls. We’re using data to drive the roles-based access controls.
Guerra: So the situation you described – the difficulties you had in having to go to each department to get things going – you’re saying that if you use a vendor like Imprivata, a lot of that goes away. How much of it goes away, and how much of it is still hard work left to be done? We know there’s some left, correct?
Wright: The first thing you have to do is realize that identity governance isn’t a project. It’s a program. It’s just like clinical operations – you don’t do a clinical operations project. Clinical operations are something that you sustain over the life of your organization. Well, identity governance isn’t a project – you’ll have milestones and such, like a project might have, but it’s something that you’ll sustain over the life of your organization. So first, you have to get that into your mind.
And then, you mentioned some of the folks you have to collaborate with, but you did leave out the CISO. Since identity is really becoming that control plain for everything that happens within a network, the CISO’s involvement is really key, right there at the front. So the first thing I do is get into the right mindset – see that it’s a program and not a project. Yes, I want to see some value returned as soon as I possibly can, but I know that I can’t just put my superstar IT person on identity governance for six months and then pull him or her off that project and it will run by itself. No, you have to have some resources, and actually, I’ve seen this over the last six months, at least three really relatively large health systems have actually hired vice presidents of identity and access management, so we’re starting to see that trend, that mind-shift from project to program, really having people put their money where their mouth is on this, and I’m really happy to see that.
So you’ve got to get those people who are part of that huddle that I talked about at the beginning – the CISO, the HR department, your business folks and even your chief medical officer – and you really have to evangelize to them why identity governance is important. Again, it’s really plumbing that they never usually see, and it’s just expected to be there. So you have to set out to them that this is what identity is, and this is how important it is in the lifecycle of the day-to-day work that your clinicians do. And then once you have them on board as champions – most of them sit on the exec council with you – then it’s not just the IT guy who wants to put in some technology to make life easier for his IT folks. No, it’s the whole organization that then realizes that identity IS everything in today’s world, and we have to have a much better methodology for managing our identities than what we’ve had before. That is the big, hard work right at the beginning that has to be done, no matter what technology you buy.
Guerra: Do you think you need a specific committee that includes some of those folks you mentioned to meet at some regular intervals?
Wright: In healthcare, we love our committees. I think it could be an agenda item for your already established committees. I don’t think you have to stand up a separate committee for identity and access management. I think it would fall pretty well into some of the other committees that you already have. Even with your boards, most have a security committee; an update on identity governance in that security committee’s board presentation would probably serve you well. Not to say that you wouldn’t have a bunch of working groups that would give data into that security committee, but I don’t think you have to have a separate committee, but that’s just my opinion.
Guerra: You mentioned some new titles with identity governance in them. If an organization doesn’t have one of those, who do you see typically running this program?
Wright: We’re really starting to see – and I think this is because the security side of the house is pushing this hard – the H-ISAC (Health Information Sharing and Analysis Center) came out a white paper essentially saying, “Hey CISOs, this identity stuff is pretty important, so you might want to pay attention to it.” And then they came out with their framework, which we based our digital identity framework around. So, I think because you’re starting to see the security side of the house push identity management so much, we’re actually starting to see the security side of the house – the CISO or somebody within the CISO’s office – really take up the banner for identity governance or identity management.
Prior to that, you’d see it in operations; as a CTO, I was responsible for identity management in many of my organizations. And that was because it was an operational thing. To go back to that earlier example, Doctor Jane is coming in on Monday, and we need to make sure that she has all of her stuff. That was always thought of as an operational IT facilitation thing, not a security thing, and so it fell within IT operations, because I was the one that caught hell for it if she couldn’t see patients at 8 a.m. on Monday, so I wanted to have some control over it.
Guerra: When you described the example of you putting in specific credentials for one individual, it makes me think that something like that can’t possibly scale when you have thousands of providers coming in and out, on and off. Those can’t all be one-off requests to Wes, and then you personally sit there and do it. Is that another reason that we want to automate this?
Wright: Yes, this is an area that just begs for automation. I’m a little sad that artificial intelligence and machine learning came onto the market so soon, because robotic process automation (RPA) didn’t really get its time in the sun, and I think there’s so much stuff and so many areas within healthcare IT and all other processes that, when you apply that RPA to a process, you could become so much more efficient than what you are right now. And identity governance is a huge one of those areas.
Yes, Wes couldn’t do it, but if we had 40 Wes’s sitting in a room and took a ticket from the ticketing system, and put enough hands on a keyboard, then we could brute force it that way. But then I’ve got 40 people doing the same repetitive task, over and over, day in and day out. They’re not having any fun doing it, and we’re spending a bunch of money doing it. So let’s put some robotic process automation around that.
Guerra: And we know there’s mistakes being made. You mentioned taking a similar profile and replicating it, but then having to make adjustments based on your knowledge of what the previous profile had that this one shouldn’t – it seems like that’s just ripe for mistakes. And if you have mistakes here, you have security openings and problems.
Wright: Yes, with that initial example, if I had a new provider coming in, everybody knows that this person has been a physician here and does the same clinical stuff that a new doctor is going to do when she gets here on Monday, let’s just copy the existing doctor’s profile, and that will get the new doctor set. Well, that existing physician is a member of the medical executive committee and actually is the director of the graduate medical education (GME) program, and so on. So now, the new doctor, who’s barely finding her way around the system because we’ve made it so complicated, all of a sudden, she’s got access to all the medical executive committee records and the GME records, and that, in and of itself, is a problem. CISOs will preach least privilege (for new people), and that is not least privilege. So yes, there’s tons of those mistakes being made – unwitting mistakes, mind you, but lots of those mistakes happening all the time when you try and brute force an identity governance system.
Guerra: We talked about who is going to run this, and you mentioned security folks, and I’m thinking that, for clinicians, IT running a project is not what you want to hear, or IT pushing a project. And then even below that there’s the security folks pushing a project. So is the convincing argument here to tie what you’re doing to system availability and thus to patient care and patient safety? Is that what’s going to work to get those clinicians to engage with a CISO on a digital identity or governance program?
Wright: Yes, that’s the hard work that we talked about up front, that you had to get that group of people that fed into the identity governance system funnel, you had to sit them down – they had to become the champions for the project. And I put CMO in there, because it is about availability for that new nurse that comes in on Monday morning. It’s an availability issue, not just for her, but we don’t ever want IT to stand in the way of a clinician being able to provide care to a patient, especially in an emergency situation. If all the physicians need access to the ED module or to the trauma module, and the new doctor didn’t have access to it, then when he or she sees a trauma patient and couldn’t get into the specialty area to do something, well we’ve just delayed the care to that patient. So, we never want to do that, so it is a patient safety issue, and it’s a clinical issue.
Guerra: And beyond that, beyond the proper roles so they can do what they need to do…if you don’t do identity right, you open yourself to breaches, and if that causes the system to go down, then you have a real problem, and nobody can get on the system.
Wright: That’s absolutely true. Just this last year, I saw a post about potentially the first patient death that was associated with a breach-type event. It was in Germany where there was a ransomware that took down a healthcare system. A patient was being transported there and was diverted because they were told, “Hey, don’t bring him; all of our systems are down.” That patient was diverted somewhere else and ended up dying because of that diversion, which was caused by that ransomware attack.
So, it’s a huge issue; I keep going back to that NIST article around the SolarWinds attack, and one of the CISA analysts came out with one of my favorite quotes. I’m paraphrasing, but he said, “With this attack, identity is everything.” So, if you don’t know, one, that the identities on your network are who you think they are or what you think they are (because there are non-human identities) and then, two, you have to know what they’re allowed to do. And then three, you have to know when they’re doing things that they’re not allowed to do. And then, when you see a SolarWinds-type attack, and you see a normal user that has elevated rights move from this PC to this PC, and once they got to the second PC, they elevated their rights somehow, and then they moved to this server, well, a normal user shouldn’t be doing that.
It’s a three-step process. First, you’ve got to have verified digital identities. Then you’ve got to know what they’re supposed to do, and then you’ve got to know when they’re doing things that are outside of what they’re supposed to do. And that’s why the H-ISAC second white paper said to use a unified system for identity and access management, and I would suppose that that’s why they said that, so that you can see what’s happening in those three major buckets of digital identity by using a single pane of glass to kind of check things.
Guerra: Among the healthcare IT executives in hospitals and health systems that are listening to this, you have those that are true believers and are off and running on this, and at the other end of the spectrum, you might have smaller institutions that don’t have either the bandwidth or the resources, and then in the middle…well, what’s in the middle? What’s going on with the average organization, and what do you want to say to those in the middle right now?
Wright: I think those people in the middle recognize that identity governance is a problem. Let’s call it identity management to better encapsulate the whole system. They can’t 100 percent look at those three buckets and say, “Check, check, check.” And they want to get there. But the problem in health IT – and it’s been this way for the 25 years that I’ve been in it – is they’ve got 10 pounds worth of work and a 5-pound bag to put it in. And every time they want to fix something, they know they’re adding work. And so they have to think, “OK, this is a big project. It’s a lot of work.” Identity governance systems are a lot of work. Even if you do it with Imprivata, it’s still a lot of work. And where are they going to find that support, given all the other work that is on their staff’s plate?
And you’ve got the COVID stuff that came up initially, with the building and outside tents and new networks, and you had a surge of people coming on board, and then people changing roles – an ambulatory nurse moving into the COVID ward, so you had to switch their roles and things like that. Actually, we’re seeing a big uptick right now; a lot of folks are saying, “Man, I don’t want to go through this again.” They created this big bowl of spaghetti and now they have to unwind it. “I don’t want to do that again, so I’m just going to throw that spaghetti away and build something that isn’t going to be spaghetti.” So we’re starting to see a lot of interest that way. Now, with the vaccine rollout, you see even more HIT demand out there.
So it’s a matter of prioritization, so I think that given the security and the operational and the clear demonstration during the COVID crisis of how important digital identity is, that identity governance project – that identity management project – is really floating its way up. It might have been number 15 or 20 on the list of things to do; oftentimes, we’re seeing it pop up in the top 5 now. These are smart folks out there, the CIOs, CTOs and CISOs, they’re smart folks – they know that identity is everything; it’s a matter of how can they reprioritize resources to get to this. And frankly, it’s a matter of how do I sell it to the rest of my executive staff that maybe I can’t do this clinical project for my doctors, for my clinicians, because I want to do identity governance. And that’s why it’s so important upfront that you build this cadre of champions for identity governance in that executive suite.
Guerra: Excellent stuff, Wes. I think this is going to be extremely valuable to a lot of people who listen. You always give a great perspective because of that provider side background.
Wright: Thanks Anthony. Always a pleasure talking to you.