
Provisioning for non-employees in healthcare organizations

Continuing our look at identity and healthcare

Security Identity Management Alert By Dave Kearns, Network World
May 14, 2007 09:56 AM ET

Speaking of identity and healthcare, as we were in the last issue, I sat in on a panel discussion last week on provisioning non-employees in a healthcare environment. This was just one of the many fascinating sessions at this year’s (the fifth annual) Converge conference, the user conference put on by Courion and its partners Citrix, Cyber-Ark, Encentuate, RSA, Diaphonics, HealthCast, Imprivata and Radiant Logic – fairly familiar names to readers of this newsletter.

Most of you who handle aspects of provisioning for your organization will, sooner or later, come up against the problems of handling non-employees. Not that provisioning of employees is without problems, but it’s usually fairly easy to identify such things as the kick-off points for the provisioning and deprovisioning workflow. Non-employees, however, rarely touch the human resources department, nor do they all typically flow through any one particular point. Where there are few non-employees, a virtually ad-hoc solution can be used, tailored to each one’s needs. In healthcare, though, as with one or two other fields, such as education, the number of non-employees needing access to some or most of the organization’s resources can often easily exceed 50% of the total user base. Also, these non-employee users don’t break down into one or two general categories as they do in some other industries. Retail, for example, could have more non-employees than employees, but the bulk of them could be divided into two categories, customers and suppliers, each with fairly well-defined roles.

Healthcare organizations can have individual non-employees such as physicians, patients, caregivers and temps, as well as corporate non-employees (suppliers, affiliated organizations, hospitals, critical care facilities, insurers); municipal services (emergency services, state and national health agencies); and educational partners (teaching hospitals, researchers). A strong reliance on role-based access controls can make healthcare provisioning easier, but the typical healthcare organization will probably have more roles than some other industries have total non-employees seeking access. Roles make it easier, but they don’t make it easy.
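To make the design problem concrete, here is a small Python model of the two lifecycles the column contrasts: employees whose accounts are kicked off and terminated by the HR feed, and non-employees who never touch HR and so need a substitute trigger. This is an added example, not code from the newsletter or from any vendor named in it; the role catalogue, category names, user ids, the 90-day sponsorship cap and the sponsor-plus-expiry rule are all constructed assumptions for illustration. The point it shows is that deprovisioning of non-employees has to be driven by something the organization controls (an expiry date and a named internal sponsor) rather than by an event that will never arrive.

```python
"""Added example (not from the column): HR-triggered employee lifecycle
beside sponsor-triggered non-employee lifecycle.  Every role, category,
user id and policy value below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed role catalogue: category -> roles granted by default.
ROLE_CATALOGUE: Dict[str, Set[str]] = {
    "employee": {"email", "intranet"},
    "physician": {"ehr_read", "ehr_write", "eprescribe"},
    "temp_nurse": {"ehr_read"},
    "supplier": {"procurement_portal"},
    "researcher": {"deidentified_data"},
}


@dataclass
class Account:
    user_id: str
    category: str
    roles: Set[str]
    sponsor: Optional[str]    # always set for non-employees, None for employees
    expires: Optional[date]   # always set for non-employees, None for employees
    active: bool = True


class Provisioner:
    def __init__(self, max_sponsorship_days: int = 90):
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []
        self.max_days = max_sponsorship_days  # assumed policy cap

    def hr_event(self, user_id: str, action: str, today: date) -> None:
        """Employees: the HR feed is the single kick-off and termination point."""
        if action == "hire":
            self.accounts[user_id] = Account(
                user_id, "employee", set(ROLE_CATALOGUE["employee"]), None, None)
            self.audit.append(f"{today} hire {user_id}")
        elif action == "terminate":
            self._deactivate(user_id, today, "hr_terminate")

    def sponsor_request(self, user_id: str, category: str, sponsor: str,
                        days: int, today: date) -> Account:
        """Non-employees: a named, active employee sponsor plus a hard expiry
        stand in for the HR kick-off.  Requests outside policy are rejected."""
        if category not in ROLE_CATALOGUE or category == "employee":
            raise ValueError(f"unknown non-employee category: {category}")
        spons = self.accounts.get(sponsor)
        if spons is None or not spons.active or spons.category != "employee":
            raise ValueError("sponsor must be an active employee")
        if days <= 0 or days > self.max_days:
            raise ValueError(f"sponsorship must be 1..{self.max_days} days")
        acct = Account(user_id, category, set(ROLE_CATALOGUE[category]),
                       sponsor, today + timedelta(days=days))
        self.accounts[user_id] = acct
        self.audit.append(
            f"{today} sponsor {sponsor} -> {user_id} ({category}) until {acct.expires}")
        return acct

    def reconcile(self, today: date) -> List[str]:
        """Daily job: deprovision expired non-employees and anyone whose
        sponsor has left.  Returns the ids deactivated in this run."""
        removed: List[str] = []
        for acct in list(self.accounts.values()):
            if not acct.active or acct.category == "employee":
                continue
            if acct.expires <= today:
                self._deactivate(acct.user_id, today, "expired")
                removed.append(acct.user_id)
            elif not self.accounts[acct.sponsor].active:
                self._deactivate(acct.user_id, today, "sponsor_left")
                removed.append(acct.user_id)
        return removed

    def _deactivate(self, user_id: str, today: date, reason: str) -> None:
        acct = self.accounts[user_id]
        if acct.active:
            acct.active = False
            acct.roles.clear()  # roles are removed, the record is kept for audit
            self.audit.append(f"{today} deactivate {user_id} ({reason})")

    def active_roles(self, user_id: str) -> Set[str]:
        acct = self.accounts.get(user_id)
        return set(acct.roles) if acct and acct.active else set()


def demo():
    """Constructed scenario: one employee sponsors three non-employees, one
    sponsorship expires, then the sponsor leaves and the rest are swept."""
    p = Provisioner()
    d0 = date(2007, 5, 14)
    p.hr_event("nurse_mgr", "hire", d0)
    p.sponsor_request("dr_visiting", "physician", "nurse_mgr", 30, d0)
    p.sponsor_request("temp_rn", "temp_nurse", "nurse_mgr", 14, d0)
    p.sponsor_request("vendor_x", "supplier", "nurse_mgr", 60, d0)
    first_sweep = p.reconcile(d0 + timedelta(days=14))     # temp_rn expires
    p.hr_event("nurse_mgr", "terminate", d0 + timedelta(days=20))
    second_sweep = p.reconcile(d0 + timedelta(days=21))    # sponsor gone
    return p, first_sweep, second_sweep


if __name__ == "__main__":
    prov, s1, s2 = demo()
    print("\n".join(prov.audit))
```

The reconcile job is the part worth copying: it does not wait for a "leaver" event that non-employees never generate, and it treats a departed sponsor as a deprovisioning trigger, which is how an organization keeps orphaned vendor and visiting-clinician accounts from lingering.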

When you add in the regulatory requirements for healthcare (HIPAA on top of Sarbanes-Oxley, Gramm-Leach-Bliley, etc.), payment processing requirements (insurers, credit card processors, etc.) and the notoriously loose security awareness of healthcare professionals, the job seems monumental and the “rewards” minimal, at least the personal rewards for those who have to provide the provisioning/deprovisioning. Still, the rewards to the rest of us can be significant.

By reading the white papers and case studies associated with identity management in healthcare we can discover lots of tips that can be applied to other industries as well as pitfalls that can be avoided. Here are a few to get you started.

* Stamford: A Case Study - The case study describes the challenges faced by Stamford Hospital and how Encentuate helped Stamford achieve the proper balance between ease of access for caregivers and adequate security compliance.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
