Sabotage from within

By Kevin Cunningham*
Tuesday, 15 May, 2018

Sabotage from within

IT strategies that meet the bare minimum compliance regulations are not an option for healthcare organisations, or they may find themselves fending off attacks from within.

Our healthcare IT ecosystems are made up of many different and disparate technologies. On any given day, healthcare professionals use countless systems and applications that are essential to delivering patient care and safety. With sensitive patient information residing in and passing through these systems, continuity and consistency in delivering reasonable freedom of access to doctors, nurses and consultants, while avoiding the unintended exposure of patient information, is vital for the day-to-day running of any healthcare organisation.

As a result, identifying and enforcing strong access controls has become critical to healthcare organisations. Furthermore, having the right technology to execute and enforce those policies across a myriad of applications and systems residing across both on-premises and cloud IT infrastructures is paramount.

Managing disparate technologies in large organisations

Healthcare organisations face a juggling act when it comes to IT and security — with compliance and regulations often a top priority. While ensuring compliance with industry regulation is vital, passing an audit does not necessarily guarantee a patient’s information will be safe. This is why healthcare organisations need to address the larger security concern of employees’ access to data and applications. As part of this, they must address the issues that can be encountered when using disparate IT systems. Three key considerations include:

1. Security gaps

Even small gaps in cybersecurity measures can lead to significant negative consequences. For instance, a worker’s disgruntled separation from employment may have been properly reflected in the HR system. However, because the provider may utilise a number of disparate systems, the worker may not be adequately de-provisioned of access and entitlements to health data. This means that sensitive patient data is still accessible to the employee, potentially resulting in it being exposed.

2. Clinical workflow

From a workflow perspective, disparate systems and processes can also affect clinical care. For example, due to accidental oversight, a contracted doctor may be given access to the EHR, but not the enterprise content management system where scanned clinical media and photos are stored. This could be problematic, as the doctor’s efforts to fully understand a patient’s condition and provide timely care may be delayed.

3. Multiple authoritative sources

Many healthcare organisations have multiple authoritative data sources, such as HR and contractor management databases. These are systems and applications where user identity and access rights are most accurately defined and deemed by the organisation. However, having to manage multiple identity sources and their access rights makes it difficult to consistently execute policies and optimise resources.

Opting to meet the bare minimum compliance regulations is no longer a sufficient IT strategy for healthcare organisations. On its own, compliance cannot protect the security of sensitive patient information. It also cannot prevent interruptions to day-to-day hospital operations. A unified approach to healthcare provider identity management means incorporating all other applications and systems that are essential to provider operations — from billing to HR — to ensure that these issues don’t arise.

Taking an identity governance-based approach to security allows healthcare organisations to use tools that can see into every part of the organisation, ensuring that decisions about users’ entitlements are based on the right data. It serves as the ‘connective tissue’ that bridges these disparate systems together, giving providers a unified and centralised method to manage and enforce governing policies to ensure efficiency and drive efficacy across all systems and applications — which is essential to ongoing patient safety. It’s time healthcare providers started eliminating security gaps and inefficiencies, and start talking about identity.

*Kevin Cunningham is Chief Strategy Officer and co-founder of SailPoint.

Top image credit: ©

Related Articles

How clinical decision support systems can save lives

When successfully embedded with electonic medical systems, CDSSs can save lives.

Unlocking meaning in EMRs

The next-generation EMR is innovating through solution, strategy, technology and change management.

How virtual reality is changing health care

Virtual reality, while long used as a buzzword in many sectors, has found a real-world...

  • All content Copyright © 2019 Westwick-Farrow Pty Ltd