Identity and Access Management for Hospitals

You may think you’ve seen the last of a departed employee, but if your hospital doesn’t have a comprehensive identity and access management plan, you may be vulnerable to a security breach.

“The disablement of user accounts during the employee termination process is a gaping flaw in most organizations’ policy,” said Kurt Johnson, vice president of corporate development, at Courion, a single sign-on and identity and access management software vendor.

Months and sometimes years after employees have left an organization, it’s not unusual to see their names and personal information still floating around in various applications, he said. In some cases, former employees’ accounts are still active, leaving a security hole.

“Access creep” can also happen as employees change jobs within the same organization, but retain access to applications and information that aren’t appropriate for their new job roles, Johnson said. This is a huge security hole, he added, and one that many hospitals struggle to combat.

If an identity and access management policy is too lax, it opens up a hospital to data loss and security breaches since too many employees have access to sensitive patient data. However, if the policy is too strict, some employees who need access and do not have it will simply defy the policy.

“If doctors, nurses and caregivers aren’t given access to critical care information, they are going to find a way to go around,” said Johnson, in some cases by leaving one user logged into applications that contain sensitive patient data or by sharing passwords.

Eliminating “Post-it Note” Passwords

Johnson said Courion recognized that automating sign-on to applications and streamlining repetitive tasks like password resets, user provisioning and activation and deletion of accounts could strengthen identity and access controls and make it easier for hospitals to remain secure and HIPAA (Health Insurance Portability and Accountability Act) compliant.

Mark Jacobs, director of technology services, operations and security at WellSpan Health said Password Courier, which automates password reset and synchronization across health care enterprise systems, makes it easier for his physicians to manage their own passwords.

“Having a single password that can synchronize your access to multiple systems has definitely helped our organization,” Jacobs said. In some cases, he said, patient data could be stored in as many as 15 to 20 different places, and remembering different passwords for each was a challenge.

The Courion SSO system garnered a lot of positive feedback from WellSpan clinicians, Jacobs said.

Rachel Heftler, director of client services and information systems group at Memorial Sloan Kettering Cancer Center, said Courion’s Password Courier eliminated a huge security problem and made it simpler for personnel to follow security procedures.

“You don’t see any more of those sticky notes with people’s passwords on them,” she said, adding that passwords can easily be reset by having the user answer “secret questions” online or over the phone.

Troy Hottovy, operations leader for technology management at Alegent Health, said that implementing Courion’s Account Courier software helped take a huge administrative burden off the IT department. Account Courier automates account creation and management across health care IT applications.