-
<html><body><span><p><img src="https://www.identropy.com/hs-fs/hubfs/images/Identity_Management_for_Healthcare.jpg?width=350&name=Identity_Management_for_Healthcare.jpg" alt="Identity_Management_for_Healthcare.jpg" />The healthcare industry has been riddled with security and HIPAA breaches, especially since electronic medical records have become a major contender and requirement in more and more doctor’s offices.</p><p><span>With this increased need for security has come a demand for better identity management.</span></p><p><span>As noted by the </span><a href="https://electronichealthreporter.com/important-question-identity-management-health-care/"><span>Electronic Health Reporter,</span></a><span> Vice President of healthcare for LexisNexis Harry Jordan has said the most important question is not “Who are you?” but </span> <strong>“What do we need to know about you?”</strong></p><p><span>All of this boils down to the need for quicker access to patient data, while also keeping their information safe. The answer as to how this can be achieved? 
Proper identity management.</span></p><h2><strong>Issues in Today’s Healthcare</strong></h2><p><span>Whether you’re in a hospital, doctor’s office, or urgent clinic, there are hundreds of people that come in and out of the doors every single day.</span></p><p><span>Taking care of them is one thing--but being bogged down with 5 different logins and passwords to keep track of on top of that can make accomplishing anything in a day nearly impossible.</span></p><p><span>This is a revolving issue in today’s healthcare landscape, as well as:</span></p><ul><li><span>Not knowing what lifecycle stage users are in</span></li><li><span>The need for effective <a href="https://www.identropy.com/a-world-without-identity-and-access-governance">governance</a></span></li><li><strong>Poor user experience</strong><span> for staff</span></li><li><span>Multiple login points, creating multiple users and passwords</span></li><li><span>Outdated software</span></li></ul><p><span>Having a streamlined strategy and systematic approach to how you handle identity management will help you and your staff provide the best care possible.</span></p><h2><strong>There is a Better Way</strong></h2><p><span>Clearly there’s a need for better processes and identity and access management (IAM) initiatives in healthcare. 
But it can be hard to know where to start.</span></p><p>Some goals of an IAM program include <strong>improving the governance and user experience</strong> of your systems and processes.</p><p>This can save time--and i<span>f you were able to get 2 seconds back for every patient, that could amount to minutes, and dare we say, even </span><i><span>hours </span></i><span>of your time on a daily basis, would you do it?</span></p><p><span><span><span><a href="https://cta-redirect.hubspot.com/cta/redirect/40850/35d6e1af-bc19-49ac-b658-ad57cd25630d"><img src="https://no-cache.hubspot.com/cta/default/40850/35d6e1af-bc19-49ac-b658-ad57cd25630d.png" alt="ALSO ON IDENTROPY: How to Implement an Effective Identity Management Strategy" /></a></span></span></span></p><h2><strong>An IAM Roadmap to The Rescue</strong></h2><p><span>By having a plan in motion and a roadmap to deploy, you can streamline all of your healthcare processes and </span><strong>save time and money while doing it.</strong><span> You can also acquire the right technologies for what you need, coupled with the right blend of expertise and assistance.</span></p><p><strong><span>We have a case study that explores issues a healthcare organization went through, and how our advisory services earned senior level buy-in and helped them <strong>navigate a multi-year IAM roadmap.</strong> To learn more, we invite you to click the link below:</span></strong></p><p><strong><span><span><span><a href="https://cta-redirect.hubspot.com/cta/redirect/40850/76de39f0-c4ec-45fe-8e14-53fd8c2483a8"><img src="https://no-cache.hubspot.com/cta/default/40850/76de39f0-c4ec-45fe-8e14-53fd8c2483a8.png" alt="Healthcare Case Study" /></a></span></span></span></strong></p></span></body></html>
-
<html><body><span><p><img src="https://www.identropy.com/hs-fs/hubfs/images/Securing_Access_in_a_Digital_Healthcare_World_Webinar.jpg?width=350&name=Securing_Access_in_a_Digital_Healthcare_World_Webinar.jpg" alt="Securing_Access_in_a_Digital_Healthcare_World_Webinar.jpg" />SailPoint and Identropy are teaming up to deliver a webinar about <strong>securing access in a digital healthcare world. </strong></p><p>One of our clients, Dartmouth-Hitchcock, will be presenting on challenges they faced with securing access within the organization.</p><p>Join us for this co-sponsored webinar on <strong>Thursday, August 18th at 10:00AM CT / 11:00AM ET. </strong></p><p>This<strong> webinar</strong> entitled "Securing Access in a Digital Healthcare World"<strong> </strong>will teach you:</p><ul><li>Challenges Dartmouth-Hitchcock faced with securing access within the organization</li><li>Steps taken to prioritize the issue with an <a href="https://gsd.identropy.com/data-sheet-saas-advisory">advisory</a> team </li><li>How you can use this advice to build a best in class identity governance program</li></ul><p>Identropy understands that <strong>healthcare is different.</strong> Learn how one of our clients leveraged us to build out their IAM program by registering today: </p><p><span><span><a href="https://cta-redirect.hubspot.com/cta/redirect/40850/cd0a8d9d-9e56-4659-9e10-594dc367ca1a"><img src="https://no-cache.hubspot.com/cta/default/40850/cd0a8d9d-9e56-4659-9e10-594dc367ca1a.png" alt="Identropy SailPoint Webinar" /></a></span></span></p></span></body></html>
-
<div class="main-section content-section10"> <div class="vc_row wpb_row vc_row-fluid lpcontent-section grid-section"> <div class="wrapper"> <div class="lpcontent-secleft wpb_column vc_column_container vc_col-sm-4"> <div class="vc_column-inner"> <div class="wpb_wrapper"> <p class="wpb_single_image"> <figure class="wpb_wrapper vc_figure"> <div class="vc_single_image-wrapper vc_box_border_grey"><img width="254" src="https://www.sailpoint.com/wp-content/uploads/2017/12/SailPoint_LP_image_254x254-002.png" class="vc_single_image-img attachment-full" alt srcset="https://www.sailpoint.com/wp-content/uploads/2017/12/SailPoint_LP_image_254x254-002.png 254w, https://www.sailpoint.com/wp-content/uploads/2017/12/SailPoint_LP_image_254x254-002-150x150.png 150w" sizes="(max-width: 254px) 100vw, 254px"></div> </figure> </p> </div> </div> </div> <div class="lpcontent-secright wpb_column vc_column_container vc_col-sm-8"> <div class="vc_column-inner"> <div class="wpb_wrapper"> <div class="wpb_text_column wpb_content_element mobilelp-off"> <div class="wpb_wrapper"> <p>Insiders were instrumental in numerous healthcare data breaches in 2016 and 2017. It will not likely change in 2018.</p> <p>How do you counter this threat? Relying exclusively on employee awareness is insufficient without adequate technology. Identity management closes this security gap.</p> </div> </div> </div> </div> </div> </div> </div> <div class="vc_row wpb_row vc_row-fluid lpcontent-section2 grid-section"> <div class="wrapper"> <div class="lpcontent-sec2left wpb_column vc_column_container vc_col-sm-6"> <div class="vc_column-inner"> <div class="wpb_wrapper"> <div class="wpb_text_column wpb_content_element "> <h4>In this webinar, you will come away with the following key takeaways:</h4> <ul> <li>Understand who the insiders are and what motivations lead to data breaches</li> <li>Learn how insiders create security gaps in their regular workflow and why these gaps are especially difficult to address</li> <li>Discover how coupling identity management of systems, applications and data files, with behavior monitoring and analysis can counter the insider threats</li> </ul> <h4>Watch the webinar on-demand today!</h4> </div> </div> </div> </div> </div> </div> </div>
-
<html><body><div><p><img src="https://www.identropy.com/Portals/40850/images/patient-identification-resized-600.jpg?width=208&height=163&name=patient-identification-resized-600.jpg" alt="patient identification" />Following my testimony before <a href="https://www.identropy.com/blog/bid/29695/Identity-Assurance-in-the-Nationwide-Health-Information-Network-NHIN-a-cross-roads-of-sorts">NHIN earlier this year</a>, I have met a number of visionaries in the healthcare sector who have been deeply involved in tackling some of the hardest and somewhat quixotic challenges facing true electronic healthcare.</p><p>Of no surprise, at least to me, is the fact that at the heart of many of these challenges is the issue of how individuals are actually identified. This very issue remains a fundamental roadblock to mass adoption, whether due to cost, privacy, or technology, all of which are essential in creating a tipping point effect that can represent a much-needed paradigm shift.</p><p>A good example of this kind of visionary in healthcare is <a href="https://gpii.info/team.php">Barry Hieb, M.D.</a>, Chief Scientist at <a href="https://gpii.info/">Global Patient Identifiers Inc.</a> (GPII), who has focused on the identification of patients as a stepping stone in enabling electronic healthcare in a scalable and privacy-respecting manner. </p><p>Given my interest in both identity assurance and privacy as enablers for business transformation, I talked Barry into enlightening me on GPII's approach and its merits. GPII has introduced the <a href="https://gpii.info/system.php">Voluntary Universal Healthcare Identifier (VUHID)</a> project as the solution to enabling digital identification of patients. Understanding how VUHID works in the context of patient identification is the focus of this blog article. Below is a transcript of my Q&A session with Barry.</p><p><span><span>Frank</span>: What is the business problem you are tackling? 
Aren't things fine as they are?</span></p><p><span>Barry</span>: Accurate exchange of clinical information is an essential requirement of the NHIN, as well as supporting initiatives such as meaningful use and interoperability. Healthcare uses <a href="https://en.wikipedia.org/wiki/Enterprise_Master_Patient_Index">enterprise master person index (EMPI)</a> systems to ensure that independent clinical automation systems exchanging information are actually "discussing" the same individual. However, documented experience indicates an 8%-10% error rate for this process due to poor data quality. This error rate represents a serious patient safety issue because it can lead to missing data or inappropriate mixing of information among individuals.</p><p><span><span>Frank</span>: What is being solved with the VUHID approach?</span></p><p><span>Barry</span>: The Voluntary Universal Healthcare Identification (VUHID) system has two primary goals:</p><p>1) Enabling accurate patient identification, and</p><p>2) Enhancing proper privacy management of clinical information. </p><p>VUHID issues unique identifiers that can be used to identify patients across all venues of care within a collaborating network - and eventually across regions and the nation. It also provides enhanced protection for information that must be treated as sensitive.</p><p><span><span>Frank</span>: What are the tangible benefits? Can they be measured?</span></p><p><span>Barry</span>: Eliminating errors in patient identification yields substantial benefits in operational efficiency and patient safety. Preventing avoidable complications and improving patient outcomes are just two examples of this. 
In addition, benefits such as improved patient registration efficiency, elimination of duplicate testing and avoiding time wasted looking for missing information represent measurable and tangible benefits for care delivery organizations.</p><p><span><span>Frank</span>: Why isn't the government doing this?</span></p><p><span>Barry</span>: The original <a href="https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act">HIPAA</a> legislation passed by Congress included a mandate to create an individual healthcare identifier. Two years later, based on valid privacy concerns, Congress reversed itself and prohibited any work on a national healthcare identifier. That prohibition remains in effect today with the result that, for the past decade, there has been no federal activity on this topic despite significant progress on how to accomplish this in a cost effective manner that actually enhances patient privacy.</p><p><span><span>Frank</span>: How about the private sector? What would be their incentive?</span></p><p><span>Barry</span>: Creation of a national healthcare identification system has generally been considered to be beyond the scope of any private sector organization. Global Patient Identifiers Inc. (GPII) was formed two years ago as a healthcare nonprofit organization using international standards and an innovative deployment strategy to avoid previous obstacles. Our goal is to enable healthcare to solve the patient identification problem through the use of unique patient identifiers.</p><p><span><span>Frank</span>: Can this be done today? How? </span></p><p><span>Barry</span>: The VUHID system is currently available. We are looking for beta test sites interested in performing pilot studies to demonstrate the feasibility and value of this approach. 
A minor modification to the EMPI system of a <a href="https://en.wikipedia.org/wiki/Health_information_exchange">health information exchange (HIE)</a> or healthcare enterprise, and corresponding changes to the patient registration process, are all that are required.</p><p><span><span>Frank</span>: From experience, I know that most healthcare organizations have a lot of legacy applications in their IT environment, what do they need to consider now in light of electronic healthcare and patient identification?</span></p><p><span>Barry</span>: One of the advantages to the VUHID approach is that it does not require modification to underlying clinical automation systems in order to get started. Only those changes required to integrate VUHID with your current EMPI and registration systems are needed.</p><p><span><span>Frank</span>: What steps can I take to better understand this issue and begin to plan a solution for my organization?</span></p><p><span>Barry</span>: <a href="https://www.himss.org/ASP/topics_privacy_committees.asp?faid=83&tid=4#4">HIMSS Patient Identity Integrity Work Group</a> published a <a href="https://www.himss.org/content/files/PrivacySecurity/PIIWhitePaper.pdf">whitepaper</a> in December, 2009, which provides background information. There are also a number of other studies on the <a href="https://gpii.info/">GPII web site</a>. </p><p>If your organization is an HIE or a large integrated delivery network that has an EMPI system in place, and you would like to discuss how to get started, there is contact information on the GPII web site as well.</p><p><span><span>Frank</span>: Are there privacy implications? How should I deal with them? What's the tradeoff if any?</span></p><p><span>Barry</span>: Any exchange of clinical information must be carefully structured to ensure that it does not impinge on patient privacy. 
The VUHID system has been carefully architected from the ground up to ensure that it does not represent any threat to patient privacy but rather enhances the ability of HIEs and other healthcare enterprises to better manage the privacy of clinical information. VUHID identifiers can support and enhance the privacy policies of healthcare institutions.</p><p><span><span>Frank</span>: What is the current status of the VUHID system?</span></p><p><span>Barry</span>: VUHID is operational in a test environment. We are ready and actively seeking beta test sites that are interested in performing pilot studies to demonstrate the feasibility and value of this approach. We are also seeking systems integration vendors that would like to partner in order to embed VUHID capabilities into their HIE integration solutions.</p><p><span><span>Frank</span>: How does this fit in with healthcare reform?</span></p><p><span>Barry</span>: The federal healthcare reform effort is trying to combine a variety of projects and capabilities such as NHIN, NHIN Direct, meaningful use, interoperability, enhanced privacy and many others into a set of solutions that can improve the quality and efficiency of our healthcare system. Accurate patient identification is an indispensable prerequisite infrastructure in order to achieve these goals.</p><p><span><span>Frank</span>: Thanks Barry for this insight. Establishing identity in electronic healthcare is evidently a very broad and fundamental issue, your perspective helps me understand the scope of the challenges a bit further. 
This has been very informational for me, and I sure hope that our readers concur.</span></p><p>As always, we look forward to your comments and questions.</p><p><span><span><a href="https://cta-redirect.hubspot.com/cta/redirect/40850/c1c7793c-c239-47ca-93f9-73e0da68c30a"><img src="https://no-cache.hubspot.com/cta/default/40850/c1c7793c-c239-47ca-93f9-73e0da68c30a.png" alt="Health Quest Success Story Whitepaper" /></a></span></span></p></div></body></html>
-
<html><body><span><p><span><img src="https://www.identropy.com/hs-fs/hubfs/images/data-governance-in-healthcare-432721-edited.jpeg?width=690&height=461&name=data-governance-in-healthcare-432721-edited.jpeg" alt="data-governance-in-healthcare-432721-edited.jpeg" /></span></p><p><span>According to the </span><a href="https://www.protenus.com/hubfs/Breach_Barometer/2017/Mid%20Year%20Review/2017%20Protenus%20Breach%20Barometer%20Mid%20Year%20Review.pdf?utm_campaign=Breach+Barometer&utm_medium=email&_hsenc=p2ANqtz-_ih8kwB15UPZBdGlha4KFl9963vuXgyt9ufyzVIDT98z1Da1LbyUNK-HkVnC1bBQMvmxn0rq3hjP3qPDedeqvX68P_Vg&_hsmi=54901109&utm_content=54901109&utm_source=hs_email&hsCtaTracking=6a0222c0-31dd-468e-a6e2-8c2538a8fea0%7C4be65339-88e0-4f55-a1a2-fadffbeb8c03"><span>Protenus Breach Barometer midyear report,</span></a><span> 233 healthcare data breaches have occurred in 2017 so far, with </span><strong>over 3 million patient records compromised. </strong><span>Although the primary culprits are external hacking and ransomware, an alarming 41% was the result of insiders (both from error and intentional wrongdoing). This indicates a continued and pressing need for healthcare organizations to implement data governance in order to protect patients’ information from attack.</span></p><p><span>Healthcare organizations are gathering more patient data than ever before, and this wealth of data has the potential to help identify future trends, regulate costs, and calculate performance metrics in order to make the most of every incoming dollar. With the transition to value-based reimbursement, governance is more pivotal than ever in the healthcare sector. 
Great data governance enforces information access policies and leverages security in an easy-to-understand way across an enterprise.</span></p><p><span>Let’s go into some best practices for data governance from our identity and access management (IAM) experts, and how you, CISOs, can showcase its value to key stakeholders and investors:</span></p><h3><span>#1: Get Executive Sponsorship and Buy-in</span></h3><p><span>One of the biggest obstacles to deploying a data governance framework is a lack of executive-level sponsorship. Data is no longer just an issue for IT – it has become far more complex and multifaceted, which requires a higher level of collaboration and resources. Getting executive support means more resources and funding toward the goal of regulating data, and ultimately, minimizing risk for your initiative.</span></p><p><span><span><a href="https://cta-redirect.hubspot.com/cta/redirect/40850/1fa050bc-9d44-449f-8b6a-e07a0ff19945"><img src="https://no-cache.hubspot.com/cta/default/40850/1fa050bc-9d44-449f-8b6a-e07a0ff19945.png" alt="See also: 5 Steps to Building Consensus in Your IAM Program <https://gsd.identropy.com/webinar-5-steps-to-building-consensus-in-your-iam-program>" /></a></span></span></p><p><span>At its simplest, getting executives to listen involves catering to a central problem statement, and tying in the value of a data governance program. For healthcare, these problems include the risk of a breach and current vulnerability to an attack. It’s imperative to </span><strong>present data governance as the solution, and show how it will ultimately contribute to the bottom line.</strong></p><h3><span>#2: Create a Consistent Organizational Framework</span></h3><p><span>Organizing information doesn’t mean things have to get more complicated; if anything, simplification is key with data governance. 
Healthcare organizations have a variety of different domains and Electronic Health Records (EHR), and it’s imperative to standardize the codes and information across systems. Finding balance in diverse clinical data and forming universal terminology between disparate systems is a surefire best practice when distributing to applications and other clinicians and providers.</span></p><p><span>Defining clinical terminology isn’t an overnight project – it takes considerable time, but will ensure the success and quality of your data governance program.</span></p><h3><span>#3: Enforce Data Protection with Access Governance</span></h3><p><span>Insider threats remain a constant source of data breach risk, so restricting access appropriately by defining data and setting policies mitigates leaks. This also helps you stay compliant under PCI and HIPAA regulations.</span></p><p><span>For example, an entry-level assistant shouldn’t have credentials to view a patient’s Social Security number or other sensitive information that could be targeted by ransomware unless it is required for the role they are filling. Providing access to what an employee needs to do their job – and nothing more – is essential to protecting patient data. That’s proper data and access governance at work.</span></p><p><span><span><a href="https://cta-redirect.hubspot.com/cta/redirect/40850/beb316bc-5cfd-4bd6-9aa6-096e92dd80df"><img src="https://no-cache.hubspot.com/cta/default/40850/beb316bc-5cfd-4bd6-9aa6-096e92dd80df.png" alt="See also: Access Governance 101: Job Changes and Elevated Permissions" /></a></span></span></p><p><span>Large-scale conflicting and duplicate data, though, can present considerable challenges to regulating lengths, codes, and even unstructured information. 
Look out for:</span></p><ul><li><span>Changes in job title, which affect access</span></li><li><span>Periodic review of organizational access credentials</span></li><li><span>Provisioning and de-provisioning (privileges should be revoked as soon as an employee has left)</span></li></ul><h3><span>Map Out Your Strategy & Roadmap</span></h3><p><span>The road to holistic data governance is a long one, and is just a piece of the identity and access management pie. Managing your healthcare organization’s security, usability, and integrity is vital to getting the resources, access, and peace of mind you need in order to drive success and value-based payments.</span></p><p><span>Building a roadmap is a pragmatic and effective way to steer your organization toward a common goal. Our advisors have decades of experience implementing an actionable IAM program that minimizes the risk of data breaches and uncomfortable information compromises. If you’d like to learn more, feel free to check out our newest whitepaper on </span><span><a href="https://gsd.identropy.com/cyber-security-whitepaper-towards-an-identity-centric-security-strategy">“Towards an Identity-Centric Security Strategy:”</a></span></p><p><span><span><span><a href="https://cta-redirect.hubspot.com/cta/redirect/40850/e29799bc-5916-4cc7-9d97-0df14f110430"><img src="https://no-cache.hubspot.com/cta/default/40850/e29799bc-5916-4cc7-9d97-0df14f110430.png" alt="Cyber Security Strategy" /></a></span></span></span></p></span></body></html>
-
<html><body><div><p>In <a href="https://identropy.com/blog/bid/63526/Identity-in-Healthcare-A-Diet-for-2011-and-Beyond-Part-1-of-3">part 1</a> of this 3-part article, we introduced the macro forces that are driving a shift towards efficiency in healthcare, and argued that these forces will have a direct effect on IAM. In part 2, we speculate on what specific consequences are in store for the coming years.</p><h2>Predictions…</h2><p>We anticipate that the following activities will intensify in healthcare over the next years:</p><h3>Consolidation</h3><p>This has already been <a href="https://bits.blogs.nytimes.com/2009/05/28/electronic-patient-records-will-force-consolidation-in-health-care/">at play and in full force</a>, but with the passing of the <a href="https://en.wikipedia.org/wiki/Patient_Protection_and_Affordable_Care_Act">Patient Protection and Affordable Care Act</a> (PPACA) into law <img src="https://www.identropy.com/hs-fs/hub/40850/file-14023683-gif/images/consolidation.gif" alt="Consolidation" />in 2010, there has been a significant uptick in M&A activity among healthcare companies in the US.</p><p>For the <a href="https://en.wikipedia.org/wiki/Chief_information_security_officer">CISO</a>, this means that their strategic and operational focus should account for frequent <a href="https://en.wikipedia.org/wiki/Mergers_and_acquisitions">M&A</a>. Having a program for integrating acquired organizations in a way that increases or preserves visibility and access control will be key. 
The CISO strategy should be to approach all security functions, including IAM, as shared services available to the organization, as opposed to keeping siloed operations with disparate processes and redundant technologies.</p><h3>Standardization</h3><p><img src="https://www.identropy.com/hs-fs/hub/40850/file-14172648-png/images/standardization.png?width=255&height=99&name=standardization.png" alt="Standardization" />Inevitably, healthcare organizations will need to standardize their application footprint, both IT infrastructure (email, file shares, productivity software) and clinical systems (<a href="https://en.wikipedia.org/wiki/Picture_archiving_and_communication_system">PACS</a>, ancillary systems, etc.).</p><p>This will be necessary to reduce costs, but also to allow the organization to scale its processes and maintain the appropriate balance between user productivity and policy-based access enforcement. Moreover, standardization is an important step towards achieving interoperability in the long run, which is a key goal in the meaningful use criteria.</p><p>For the CISO, this will mean having an enterprise architecture and governance function, which will be in charge of defining and evolving the IT IAM infrastructure and application architecture in a way that will address the present and future business needs of the organization.</p><p>Part of the criteria for application selection will have to consider the application’s ability to easily integrate with the organization’s existing IAM infrastructure, such that processes, such as user on-boarding, termination, transfers, leave of absence, audit report and access recertification can consistently be enforced throughout the application landscape, particularly on high-sensitivity applications and systems.</p><p><em>Does this mean that there will also be consolidation among healthcare application vendors? 
…I would bet yes.</em></p><h3>Modernization</h3><p>Another important shift that will need to happen in healthcare is the modernization of the IT infrastructure. Regardless of whether or not the organization is being proactive about this shift, it will happen. The introduction of Electronic Health Records (<a href="https://en.wikipedia.org/wiki/Electronic_health_record">EHR</a>), Electronic Patient Records (<a href="https://en.wikipedia.org/wiki/Electronic_patient_record">EPR</a>), <a href="https://en.wikipedia.org/wiki/Software_as_a_service">SaaS</a>, cloud computing, virtualization and consumerized end-user computing platforms (i.e. smart phones, tablet computers), is drastically transforming the IT landscape at large, and healthcare is no exception. I wrote an article on this trend last year, and discussed some recommendations on how to approach it.</p><p>In healthcare, end users are demanding solutions to simplify their day-to-day interaction with critical systems. For the first time, I have heard employees literally asking for single sign-on using their badge for authentication. This is a very specific and clear requirement voiced loudly by end users.</p><p><em>In fact, some of the physicians I have interviewed in our advisory services engagements tell us that they see a healthcare facility’s ability to simplify access as a competitive advantage, which will factor into where she/he decides to perform her/his medical procedures – how is that for a clearly articulated requirement?</em></p><p>The CISO will need to stay ahead and proactively monitor the modernization path and prioritize accordingly. Since the underlying forces of this trend are complex in nature, unknown risks can easily impact the bottom line. 
My belief is that healthcare will need to leap forward in modernizing its IT infrastructure.</p><h2>Other predictions…</h2><p><img src="https://www.identropy.com/hs-fs/hub/40850/file-14171652-jpg/images/other_predictions.jpg?width=238&height=190&name=other_predictions.jpg" alt="Other Predictions" />Based on these considerations, my prediction is that healthcare will leap forward in technology, rather than go through a gradual modernization process. In many cases, healthcare organizations will sunset their old systems and start anew with a more modern equivalent. Therefore, I predict that SaaS adoption in healthcare will explode in the coming years.</p><p>This is evidenced already by offerings being introduced by the leading clinical system vendors, who are adding SaaS delivery options to their more traditional product offerings. <a href="https://idc-insights-community.com/posts/78c81ab57a">IDC has also predicted</a> that SaaS adoption in healthcare will be aggressive in 2011, particularly <a href="https://en.wikipedia.org/wiki/Electronic_medical_record">EMR</a>-as-a-Service.</p><p>At the same time, the need to drive efficiency will force the organization to really streamline and expedite user on-boarding, termination and granting of access to clinical systems, all of which shall become near-term goals of the CISO’s IAM program. But this does not exactly mean that managing complexity and sensitivity for the CISO gets any easier. Thus, I predict that healthcare will also lead the way in adopting <a href="https://identropy.com/blog/bid/29162/Defining-Identity-as-a-Service">IDaaS</a> – any <a href="https://identropy.com/blog/bid/29428/Approaches-to-IDaaS-for-Enterprise-Identity-Management">variations</a> of it.</p><p>End users and competitive pressures will force the organization to accelerate the delivery of identity lifecycle management solutions with very little patience and margin for error. 
Therefore, a strategy that shortens time-to-value and minimizes implementation and operational risks will be preferred over traditional deployment models.</p><p>In <a href="https://www.identropy.com/blog/bid/63913/Identity-in-Healthcare-A-Diet-for-2011-and-Beyond-Part-3-of-3">Part 3</a> of this 3-part article, we will discuss specific considerations [and recommendations] that the IAM program stakeholders, namely the CISO, should ponder in light of the pressures in healthcare.</p></div></body></html>
-
<html><body><div><p>For some time now, we have been working with healthcare companies looking at rolling out an Identity and Access Management (IAM) infrastructure to address their most pressing access governance needs. Often, these deployments result from something bad happening or simply from a high degree of loudly voiced frustration from end users. In the past year and a half this trend has gained momentum thanks to companies looking to comply with <a href="https://www.cms.gov/EHRIncentivePrograms/30_Meaningful_Use.asp">Meaningful Use</a>.</p><p>This experience has allowed us to gain very interesting insights into the healthcare sector, and in this 3-part article, I would like to share some of them. As you would expect, our focus will mainly be an identity-centric perspective on the issues; in no way do we mean to trivialize other complex issues in healthcare, whether in IT or other business areas.</p><h2>Some macro trends…</h2><p>The reality is that there has been some tectonic plate movement in the healthcare industry for some time, but recently the plates seem to be aligning and maybe even accelerating, especially with regard to:</p><h3>1. The aging population</h3><p>This may be common knowledge to some, but as the <a href="https://www.aoa.gov/aoaroot/aging_statistics/index.aspx">baby boomers continue to reach retirement age</a>, their needs for healthcare services will continue to increase. This means that the demand for healthcare services will rise dramatically. <a href="https://www.agingstats.gov/agingstatsdotnet/Main_Site/Data/2010_Documents/Docs/OA_2010.pdf">Statistics</a> show that “after adjustment for inflation, health care annual costs increased significantly among older Americans from $9,224 in 1992 to $15,081 in 2006”.<img src="https://www.identropy.com/hs-fs/hub/40850/file-14172732-png/images/the_aging_population_in_the_us.png?width=487&height=356&name=the_aging_population_in_the_us.png" alt="The aging population in the US" /></p><h3>2. 
Healthcare remains highly inefficient</h3><p>By many <a href="https://www.nytimes.com/2010/11/30/health/30life.html">accounts</a>, the US healthcare system is very inefficient. Its high costs do not translate to better care or longer life expectancy. From a technology perspective, we’ve found IT in healthcare is, on average, 8 years behind the industry (with some exceptions, of course). </p><p>As it relates to IAM, it is very clear to us that managing user access to both IT and clinical systems has been, at best, an afterthought. Healthcare organizations consistently exhibit the most issues around: terminated user accounts still lingering in the environment; many users having more access than they should; end users having to remember a high number of different credentials; no reliable authoritative sources (particularly for non-employees) on top of which to anchor identity lifecycle processes; and there are rarely any reconciliation or access recertification processes in place. </p><p>Some of the anecdotes that we have heard from working with clients include:</p><p><em><img src="https://www.identropy.com/hs-fs/hub/40850/file-14023946-jpg/images/doctor-screaming-on-phone.jpg?width=214&height=249&name=doctor-screaming-on-phone.jpg" alt="doctor screaming on phone" />The case of a physician getting ready to perform a procedure on a patient, but since the procedure is done at a facility different from his regular consultation office, his credentials had expired due to inactivity. 
After several failed attempts to log into the </em><a href="https://en.wikipedia.org/wiki/Picture_archiving_and_communication_system"><em>Picture Archiving and Communication System (PACS)</em></a><em> to look at a previously taken </em><a href="https://en.wikipedia.org/wiki/MRI"><em>MRI</em></a><em> (Magnetic Resonance Imaging), the account was locked; a call went to the help desk, which, as the physician discovered, was not responsible for this particular system, so they could not immediately unlock the account. In frustration, the physician asked a nurse to log in and look for the image needed. Luckily, the nurse had been given more access than she needed, so she was able to access this patient’s record and pull out the required image.</em></p><p>Scary, isn’t it? (I can imagine how many times this scenario results in the wrong patient’s image being pulled out, but I will not go there). The fact is, in most healthcare organizations, access governance is, at best, inefficient and, at worst, non-existent.</p><h3>3. More regulatory and compliance pressure</h3><p><img src="https://www.identropy.com/hs-fs/hub/40850/file-14172187-png/images/regulatory_comliance_pressure.png" alt="regulatory compliance pressure" />Beyond <a href="https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act">HIPAA</a>, with its emphasis on patients’ privacy, and <a href="https://en.wikipedia.org/wiki/Payment_card_industry">PCI</a> for payment processing, healthcare organizations are <a href="https://www.himss.org/ASP/topics_meaningfuluse.asp">looking to comply with meaningful use</a> of <a href="https://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204">Healthcare IT</a> in order to qualify for the criteria and receive incentives. These forces have driven healthcare organizations to invest in security to enhance access control to sensitive information and systems. 
</p><p>Many organizations have, for the first time, created an Information Security organization and hired a <a href="https://en.wikipedia.org/wiki/Chief_information_security_officer">CISO</a>. The shift towards <a href="https://en.wikipedia.org/wiki/Electronic_health_record">Electronic Health Records</a> exacerbates the need to ensure that people have access to only the information they are supposed to have access to. The collaboration of healthcare organizations in <a href="https://www.himss.org/ASP/topics_rhio.asp">Regional Health Information Exchanges</a> (RHIO) requires a minimum set of access control mechanisms to be in place to enable effective and privacy-respecting collaboration. The combined effect of these regulatory drivers has forced access governance and privacy enforcement to bubble to the top of many healthcare organizations’ IT agenda.</p><p>Having said this, in most cases, we have seen organizations start with a single sign-on (SSO) initiative, many using <a href="https://en.wikipedia.org/wiki/Proximity_card">proximity cards</a> for both strong authentication and a simplified sign-on process. I <a href="https://www.identropy.com/blog/?Tag=electronic%20healthcare">blogged about this trend several times in 2010</a>, and <a href="https://www.identropy.com/blog/bid/53938/What-s-in-Store-for-2011-in-the-World-of-Identity">predicted</a> this trend would gain strength in 2011. Well, the evidence we have seen seems to support this prediction. Having said that, the risk to many organizations that start with SSO as the first initiative of their IAM program is that it may create the illusion that they are in control and take focus away from the real issues in managing user access to information.</p><h2>…So what does this all mean?</h2><p>Given these forces, we anticipate that in the next few years the healthcare industry will accelerate a push towards increased IAM efficiency. 
The market will no longer tolerate the inefficiencies in this industry, particularly as demand for healthcare services increases.</p><p>In <a href="https://www.identropy.com/blog/bid/63762/Identity-in-Healthcare-A-Diet-for-2011-and-Beyond-Part-2-of-3">part 2</a> of this 3-part article, we will delve deeper into the implications this shift towards efficiency has for the world of identity.</p></div></body></html>
-
<html><body><div><p> I am just returning from a week of travel and conference activity, which started for me in Newark, NJ on Monday March 1, from there to Atlanta, GA for the HIMSS Conference 2010 (north of 25,000 attendees), and then on to San Francisco, CA on Wednesday March 3 for the last 2 days of RSA Conference 2010 (about 16,000 attendees), and then back home in NJ on Friday March 5. In all, last week was very ...</p></div></body></html>
-
<html><body><div><p>A few months ago, I wrote a few blogs about <a href="https://www.identropy.com/blog/bid/63526/Identity-in-Healthcare-A-Diet-for-2011-and-Beyond-Part-1-of-3">trends in Healthcare</a> and why these were making Identity a top-of-mind issue in the Healthcare sector.</p><p><img src="https://www.identropy.com/hs-fs/hub/40850/file-14024495-jpg/images/healthcare-consolidation.jpg?width=217&height=157&name=healthcare-consolidation.jpg" alt="healthcare consolidation" />As we continue to work with clients in Healthcare, we are seeing that many of the trends we had identified are at play before our eyes. From this experience, we see patterns that may very well apply to other industry verticals outside of Healthcare and, as you would suspect, we are myopically focused on what this means for identity.</p><p>The main trend in healthcare that we see is Consolidation. It is happening at all levels. Healthcare organizations are growing through M&A, and the intensity of activity seems to be <a href="https://www.healthcarefinancenews.com/news/record-healthcare-ma-deal-volume-reported-january">increasing in 2012</a>. This triggers the consolidation of different medical offices, hospitals and long-term care centers into a larger healthcare system. And with this comes the need to consolidate clinical, financial and ancillary systems to achieve consistency and economies of scale.</p><p>In turn, this trend has translated into intense M&A activity in the Healthcare IT space – examples include the acquisitions made by AllScripts, Siemens Healthcare and GE Healthcare Systems in recent years. In a way, these acquisitions are forcing consolidation and standardization across <a href="https://en.wikipedia.org/wiki/Electronic_medical_record">EMR</a>, <a href="https://en.wikipedia.org/wiki/Electronic_health_record">EHR</a>, <a href="https://en.wikipedia.org/wiki/Picture_Archiving_and_Communication_System">PACS</a>, Pharmacy and other systems. 
Healthcare CIOs are really busy working with their Clinical Informatics team and their vendors to figure out which systems they should standardize on (regardless of whether or not the Healthcare organization is embarking on M&A activity itself).</p><p>As I once explained in a <a href="https://www.identropy.com/blog/bid/63913/Identity-in-Healthcare-A-Diet-for-2011-and-Beyond-Part-3-of-3">prior blog</a>, IAM, managed as a program, is a relatively new discipline in healthcare. For many organizations, Chief Information Security Officers are in their first or second year at the job, since the position was just created. And as such, many organizations are struggling with how to scale their IAM platforms (in the event they even had one) to keep up with the consolidation and growth that the organization is likely experiencing.</p><p>IAM budgets in Healthcare are very tight, which makes keeping up with these trends particularly challenging and exciting at the same time.</p><p>So what is an identerati to do?</p><ul><li>If your organization is embarking on an M&A and business application consolidation strategy, you should view IAM as an enabler, rather than a barrier for the organization to execute this strategy. IAM will be front and center of the action. Therefore, you should have a defined IAM program with a <a href="https://www.identropy.com/blog/bid/57703/On-Creating-an-IAM-Governance-Body">governance model</a> in place.</li><li><a href="https://cdn2.hubspot.net/hub/40850/file-14022503-png/images/application-grid.png"><img src="https://www.identropy.com/hs-fs/hub/40850/file-14022503-png/images/application-grid.png?width=360&height=252&name=application-grid.png" alt="Application Grid" /></a>You need to have a practical data or application classification methodology which can help you figure out which system or application needs to be integrated with IAM first and to what degree (i.e. automated vs. 
manual provisioning, local or externalized authentication, local or externalized authorization). We recommend that you define an “application grid” in which you map risk levels to a set of IAM integration requirements that the application will need to satisfy. This will help you devise a scalable and repeatable way to bring applications under governance. I recommend to customers that they <a href="https://www.identropy.com/blog/bid/56425/Am-I-Ready-to-Embark-on-a-Role-Management-Effort">define a risk/assurance level approach</a> to classifying and tackling applications. This way it is easier to manage the IAM-fication of applications at a program level.</li><li>When it comes to managing access, truly consider a roles-based model. Managing at a granular level may not be practical, and is certainly not scalable. Often, organizations think that they are not ready to adopt roles management when in fact they <a href="https://www.identropy.com/blog/bid/56425/Am-I-Ready-to-Embark-on-a-Role-Management-Effort">need them badly</a>. I discussed this topic in <a href="https://www.identropy.com/blog/bid/48735/A-Pragmatic-Take-on-Role-Management-Part-2-of-2">a past blog</a>. But if you need to integrate new medical staff offices and hospitals into the consolidated EMR or EHR system, your IAM program will be better served by mapping the new organizations to existing roles that are defined and likely integrated with the IAM access request, approval and provisioning system. To make decisions as to how the mapping should be done or whether new templates or roles are needed, involve the business stakeholders! Avoid, at all costs, having IT make decisions about who should have what access in the application, let alone approve such access. <a href="https://www.identropy.com/blog/bid/60755/A-Tale-of-Access-Governance-The-Difference-Between-Ownership-and-Facilitation-Part-1-of-2">IT is a facilitator not an owner</a>. 
There are some corollaries to this point that are worth discussing:<ul><li>If you end up being too granular, you won’t scale – it will be hard for end users to manage access for their users (i.e. managers will get confused), and it will be really hard for the IAM program to scale and not lose momentum.</li><li><img src="https://www.identropy.com/hs-fs/hub/40850/file-14022521-jpeg/images/are-you-really-that-unique.jpeg" alt="Are you really that unique" />Are you really that unique? Many organizations justify defaulting to a myriad of access permutations by claiming that "the organization is that unique". In my experience working with hundreds of organizations, I have found quite the opposite: most organizations, particularly in similar industry verticals, have a lot in common and, rather than managing access by exception, would be much better off managing by roles.</li><li>If you are really that unique, do you need to be? Having to accommodate so many access permutations to systems may be indicative of bigger business issues which will likely result in increased complexity, which will be contrary to the desired state of an M&A growth strategy. To be agile in integrating and consolidating, you will need to divide and conquer, and that means you have to define common business processes that are manageable and that can scale. IAM is no exception. 
So feel free to challenge the business when you see complexity getting out of hand.</li><li>The more permutations you need to manage, the more fun your auditors will have when assessing the effectiveness of your access controls, particularly for highly visible, highly sensitive systems.</li></ul></li></ul><p>In summary, a risk/assurance application categorization model along with a pragmatic roles-based access control model for managing user access to applications are the key elements in helping your IAM program achieve scalability, and this is not exclusive to an industry vertical.</p></div></body></html>
-
<html><body><span><blockquote><p><i><span><img src="https://www.identropy.com/hs-fs/hubfs/images/Unstructured_Data_in_Healthcare.jpg?width=350&name=Unstructured_Data_in_Healthcare.jpg" alt="Unstructured_Data_in_Healthcare" /></span></i><i><span>“Gartner defines unstructured data as content that does not conform to a specific, pre-defined data model. It tends to be the human-generated and people-oriented content that does not fit neatly into database tables.”</span></i></p><p><i><span>-Darin Stewart, </span></i><i><span><a href="https://blogs.gartner.com/darin-stewart/2013/05/01/big-content-the-unstructured-side-of-big-data/">Gartner</a></span></i></p></blockquote><p><span>When discussing the healthcare landscape, you can scarcely get past the handshake before the looming elephant of unstructured data enters the room. This uninvited guest sits in your periphery, a constant reminder of what many healthcare and IT professionals have yet to tame.</span></p><p><span>Suffice it to say that unstructured data – text-heavy sections of patient information and history in the realm of healthcare – still poses an issue that is untenable in most doctors’ offices and hospitals. </span><span>How can we get a collective grip on the fact that</span><strong> unstructured <a href="https://www.identropy.com/unstructured-data-governance-assessment">data</a> is growing at a rate of 62% per year per IDC?</strong></p><h2><strong>You Verify Your Current Environment</strong></h2><p><span>Before delving too far, it’s important to note that, despite unstructured data’s challenges, it’s an extremely valuable facet of understanding patient data, symptoms, family history, and more. 
Call it </span><a href="https://acumenmd.com/blog/human-condition-structured-unstructured-data/"><span>“the human condition,”</span></a><span> or a stream of consciousness narrative, but not all data can be put into neat checkboxes.</span></p><p><span>That said, in order to establish an orderly environment, you need to know who your current users are, what they have access to, and where/when they have access to what data.</span></p><p><span>In other words, you’re identifying that elephant in the corner and taking an actionable step to get it out of the kiddy corner – because ignoring its presence could lead to detrimental consequences later.</span></p><h2><strong>You Get an Assessment</strong></h2><p><span>Unstructured data in <a href="https://www.identropy.com/IAM-blog/bid/83818/Consolidation-in-Healthcare-What-can-we-learn-from-it-in-IAM">healthcare</a> is particularly difficult to manage because of the revolving door of doctors, nurses, patients, and visitors that circulate through a single hospital in a given day.</span></p><p><span>Ensuring cardiologists only have access to that department’s files and not orthopedic, let’s say, is harder than it may seem at first glance.</span></p><p><span>However, ignoring lapses in your healthcare organization’s security could lead to </span><a href="https://www.tulsaworld.com/news/saint-francis-health-system-confirms-data-breach/article_e92d7b77-71f3-542e-aad8-526b9eeade04.html"><span>data breaches</span></a><span> or worse – compromised patient information.</span></p><p><span>A data breach from earlier this month at Saint Francis led to </span><strong>over 6,000 compromised names and addresses.</strong><span> It’s no longer about wondering </span><i><span>if</span></i><span> you could be breached, but </span><i><span>when</span></i><span>.</span></p><p><span>Be proactive with an unstructured data assessment. 
This high-impact assessment scans an Active Directory domain or file servers and seeks out sensitive information such as financial accounts, PII, and more.</span></p><p><span>From there, we can then answer the earlier questions of who has privileged/non-privileged access to this sensitive data.</span></p><h2><strong>Elephant be Gone!</strong></h2><p><span>Unstructured data isn’t going anywhere – instead of it remaining in the corner unmonitored, take steps to protect your patients’ and employees’ information.</span></p><p><span>We have a data sheet that explains more about our unstructured data governance assessment solutions.</span></p></span></body></html>
Other Solutions by Identropy
Corporate Overview
-
Type
Private
-
Industry
-
Company size
51-200
OVERVIEW
Identropy's showcase of why identity is so important in the healthcare industry, ranging from case studies, blogs and webinars to the identity governance and administration, access management and cloud identity solutions that Identropy can provide to the healthcare industry.
Security
cloud security, PAM, access management, Cloud Identity, Identity Governance and Administration, Privileged Access Management, healthcare compliance, healthcare regulations