Speaking of identity and healthcare, as we were in the last issue, I sat in on a panel discussion last week on provisioning non-employees in a healthcare environment. This was just one of the many fascinating sessions at this year’s (the fifth annual) Converge conference, the user conference put on by Courion and its partners Citrix, Cyber-Ark, Encentuate, RSA, Diaphonics, HealthCast, Imprivata and Radiant Logic – fairly familiar names to readers of this newsletter.
Most of you who handle aspects of provisioning for your organization will, sooner or later, come up against the problems of handling non-employees. Not that provisioning of employees is without problems, but it’s usually fairly easy to identify such things as the kick-off points for the provisioning and deprovisioning workflow. Non-employees, however, rarely touch the human resources department, nor do they all typically flow through any one particular point. Where there are few non-employees, a virtually ad hoc solution can be used, tailored to each one’s needs. In healthcare, though, as with one or two other fields, such as education, the number of non-employees needing access to some or most of the organization’s resources can often easily exceed 50% of the total user base. Also, these non-employee users don’t break down into one or two general categories as they do in some other industries. Retail, for example, could have more non-employees than employees, but the bulk of them could be divided into two categories – customers and suppliers – each with fairly well-defined roles.
Healthcare organizations can have individual non-employees such as physicians, patients, caregivers and temps, as well as corporate non-employees (suppliers, affiliated organizations, hospitals, critical care facilities, insurers); municipal services (emergency services, state and national health agencies); and educational partners (teaching hospitals, researchers). A strong reliance on role-based access controls can make healthcare provisioning easier, but the typical healthcare organization will probably have more roles than some other industries have total non-employees seeking access. Roles make it easier, but they don’t make it easy.
When you add in the regulatory requirements for healthcare (HIPAA on top of Sarbanes-Oxley, Gramm-Leach-Bliley, etc.), payment processing requirements (insurers, credit card processors, etc.) and the notoriously loose security awareness of healthcare professionals, the job seems monumental and the “rewards” minimal – at least the personal rewards for those who have to provide the provisioning/deprovisioning. Still, the rewards to the rest of us can be significant.