Inventory, Identification, Monitoring, and Provisioning

User Identity

3 out of 5 IT security professionals rely on manual processes

50% fewer breaches in organizations with the highest IAM maturity

User identity in healthcare organizations is a complex and multidimensional challenge. Users generally have to access multiple clinical and administrative applications each day to complete their work, and the compliance demands are varied and critical. HIPAA regulations, segregation of duty requirements, and daily fluctuations in staffing all combine to create the need for powerful Identity Governance and Administration (IG&A) along with Identity Access Management (IAM) solutions.

Nearly three of five senior-level IT security professionals still rely on manual processes, as opposed to automated ones, to control and audit access to critical systems, according to research from SPHERE Technology Solutions. More than three of ten rate their organizations as “low” in terms of overall IAM maturity. Companies considered at the highest level of IAM maturity, however, are seeing significant benefits, according to research from Forrester Consulting. They experience one-half the number of breaches that the least mature organizations do, with 43 percent of high-maturity businesses indicating that they’ve never had a network breach. What’s more, nine of ten of those at the highest level of maturity are deploying integrated identity platforms, according to the Forrester research. When asked to rank the benefits of identity programs, top performers cited improved privileged activity transparency (51 percent), reduced findings from compliance audits (51 percent), greater individual accountability (49 percent) and the elimination of redundant identity tech (46 percent).

An Effective Identity Program

It doesn’t help that developing an effective identity program is more complicated than ever, especially as healthcare organizations operate both on-premises and cloud-based applications.

Merlin recommends and assists with a focus on these critical components:

A thorough inventory

Whether you run a small, rural clinic or a multi-location healthcare corporation with 40,000 employees, you must conduct a risk-based, top-to-bottom inventory of all users and their roles, entitlements, and access.

Enterprise-wide usage identification

This is where you find out what users are actually accessing, as opposed to what they’re supposed to access. Having conducted segregation of duties in step one, you now deploy automated analytics tools to examine activity logs and identify whether users are entering areas that do not appear to serve a legitimate, work-intended purpose.

Continuous monitoring

Once you’ve inventoried roles and identified the degree of appropriate and inappropriate activity via automated analytics tools, you cannot “set it and forget it.”  You have to constantly monitor what’s going on to ensure individual roles align with allowable actions.  To make such oversight possible, the automated analytics product needs to deliver a “single pane of glass” view of activity.

Automated provisioning

Once you have a handle on the above, it is time to focus on the hardest part: linking your IG&A tool to HR systems and the actual applications users are logging into every day.  This enables timely provisioning and de-provisioning supported by compliant approval workflows with time-based expiration, fine-grained templates and other powerful capabilities.

Through effective inventory, identification, monitoring, and provisioning, an Identity Program doesn’t inhibit the business at hand. It supports it, building widespread confidence among managers, employees, and patients that everyone is accessing what they’re supposed to, and nothing more. Merlin and our technology partners are available to assist organizations with implementation of an identity program.