Identity and access management — the new challenges for healthcare

Many countries have introduced or are introducing legislation to ensure the security and privacy of health information. Complying with these new rules can be a costly headache if done manually or using inadequate tools. We describe a more rational approach, focusing on the specific example of the United States HIPAA requirements and terminology (see box).

Among the stated goals of HIPAA are an improvement of the health insurance and health care industries in terms of protection of health information and cost reduction through administrative simplification. The Security and Privacy Rules are designed to make sure that patient health information is not misused.

As more and more health information is now available in electronic format, it is critical to control access to systems and applications containing that information. Covered Entities are required to implement technical safeguards and security measures in order to restrict access to users and patients on a need-to-know basis.

These technical safeguards can be very time-consuming and even ineffective if you restrict yourself to out-of-the-box security provided by application or server vendors. Individually configuring each such data repository — and workstation — so that they comply with the Security and Privacy Rules is not a good solution.

The best way is to implement a global Identity and Access Management (IAM) solution that will help to protect access to PHI at the enterprise level.

The three Ps of I&AM for regulatory compliance

Implementing an IAM solution to ensure regulatory compliance involves the whole CE, and goes beyond simple technology considerations. Indeed, the implementation phase of the product itself is usually quite fast, thanks to automated deployment tools. What consumes time in a project are the organizational and human aspects, as well as the inventory of applications, data stores and workflows that concern Protected Health Information.

People: Regulatory compliance will require the cooperation of physicians, staff and other employees. A project can be greatly helped if it has the clear and public support of the Covered Entity's general management.
Process: Implementing regulatory requirements such as the HIPAA Security Rule means putting in place new processes. These processes represent a lot of changes in people's habits, and costly training for the entire organization. If some processes are automated, that can help decrease costs.
Product: This is the technology side of the equation. As the technological environment within the Covered Entity may be quite complex, it is best if the management of the entire solution hides that technological complexity.

Evidian IAM Suite can help Covered Entities implement the requirements of the Security Rule in a cost-effective and coherent manner:

  • Define in one single location the HIPAA-mandated procedures pertaining to access control, then deploy them over the whole Covered Entity.
  • Use simple yet systematic role-based rules to restrict access to Protected Health Information.
  • Centrally define and enforce a global password policy.
  • Centralize activity logs related to user access to Protected Health Information in one location, so that they can be easily audited.
  • Control access to workstations and applications.
  • Manage user identities in a systematic way, even if the data stores containing these identities are located in various directories.

Unfamiliar terms?

Acronym   Meaning
HIPAA     Health Information Portability and Accountability Act of 1996
CE        Covered Entity
PHI       Protected Health Information