Provisioning for non-employees in healthcare organizations
Continuing our look at identity and healthcare
Security: Identity Management Alert
By Dave Kearns, Network World, 05/14/2007
Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Speaking of identity and healthcare, as we were in the last issue, I sat in on a panel discussion last week on provisioning
non-employees in a healthcare environment. This was just one of the many fascinating sessions at this year’s (the fifth annual)
Converge conference, the user conference put on by Courion and its partners Citrix, Cyber-Ark, Encentuate, RSA, Diaphonics,
HealthCast, Imprivata and Radiant Logic – fairly familiar names to readers of this newsletter.
Most of you who handle aspects of provisioning for your organization will, sooner or later, come up against the problems of
handling non-employees. Not that provisioning of employees is without problems, but it’s usually fairly easy to identify such
things as the kick-off points for the provisioning and deprovisioning workflow. Non-employees, however, rarely touch the human
resources department, nor do they all typically flow through any one particular point. Where there are few non-employees, a
virtually ad hoc solution can be used, tailored to each one’s needs. In healthcare, though, as with one or two other fields,
such as education, the number of non-employees needing access to some or most of the organization’s resources can often easily
exceed 50% of the total user base. Also, these non-employee users don’t break down into one or two general categories as they
do in some other industries. Retail, for example, could have more non-employees than employees but the bulk of them could
be divided into two categories - customers and suppliers – each with fairly well-defined roles.
Healthcare organizations can have individual non-employees such as physicians, patients, caregivers and temps, as well as
corporate non-employees (suppliers, affiliated organizations, hospitals, critical care facilities, insurers); municipal services
(emergency services, state and national health agencies); and educational partners (teaching hospitals, researchers). A strong
reliance on role-based access controls can make healthcare provisioning easier, but the typical healthcare organization will
probably have more roles than some other industries have total non-employees seeking access. Roles make it easier, but they
don’t make it easy.
When you add in the regulatory requirements for healthcare (HIPAA on top of Sarbanes-Oxley, Gramm-Leach-Bliley, etc.),
payment processing requirements (insurers, credit card processors, etc.) and the notoriously loose security awareness of healthcare
professionals, the job seems monumental and the “rewards” minimal - at least the personal rewards for those who have to provide
the provisioning/deprovisioning. Still, the rewards to the rest of us can be significant.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.