Identity and Access Management for Hospitals
title= No more wondering who did what and when} With about 180 separate clinical, financial and administrative applications, adding personnel accounts and application access was tedious, and involved inputting information about a new hire by hand, which could take three to five days, Hottovy said. Even then, some personnel didn't have access to the applications they needed, and would often have to log in using a colleague's name and password while access was requested, cleared and granted. "We can now provision applications right when Human Resources sets up a person for new hire orientation," said Hottovy. He said that Alegent is working on allowing application access based on an employees' role in the organization, as well as what floor the person is working on and what specific patients they need to see.Hottovy said implementing identity and access management software was a security process improvement, and that Alegent was also working towards physical access provisioning, or granting or denying access to certain areas of the hospital based on an employee's role and asset provisioning the hospital's laptops, smart phones and even cell phones. Account Courier can also resolve security issues surrounding employee terminations that used to take days to disable a user's account. If an employee left the hospital, their accounts would have to be deleted one at a time, and information would have to be manually removed from each application. "It's one thing if it takes time to get someone on board. But with terminations, you want that person off your systems as quickly as possible," said Heftler. Heftler said Sloan Kettering is in the process of implementing Account Courior, and she expects that there will be a much faster turnaround for access and account termination. "With the Courion product, you delete that person in one place and it'll terminate their accounts in all the other systems," Heftler said. No More "Who Did What and When?" Identity and access management can also play a role in compliance issues. Heftler said Sloan Kettering is also working on implementing Compliance Courier to ensure security and privacy in the event of an audit. "Until now all the audits we did involved the manual process of finding out who had access to what? Who authorized that access? When was it authorized? When was the last time they reset their password? Did they recertify their account access? When was the last time they recertified?" she said. With Courion, Heftler said, security and privacy auditing will be much easier, since managers will have ready access to their personnel information, their roles and their access rights to information and applications. "If a manager finds that somebody's got access they don't need, or doesn't have access they do need, it'll be a very simple to remove or add that access," she said.
An oncologist, for instance, would be automatically granted access to a specific set of oncologic applications, resources and records. A charge nurse would have access to a different set of applications. Roles can be modified to fit the needs of individual hospitals, since personnel with the same title may perform slightly different functions at different care facilities.