Guest Article: Practical Identity Management for Healthcare

In the past, I’ve written a number of postings on Identity Management for Healthcare. I recently contacted Ash Motiwala, CTO of Identropy to weigh in on the subject.  Ash and Identropy have plenty of real-life experience deploying Identity Management systems in the healthcare arena, and are industry innovators with their managed identity services platform, iMIS.  Identropy also provides identity infrastructure assessments, integration services and workshops to aid organizations find their identity management roadmap. These guys know what they’re doing and they take a good deal of identity management burden off the shoulders of CIOs and IT directors. If you want to make some headway on your initiatives but don’t want all the management headache or can’t hire the “best and the brightest” into your own firm check out their managed service offerings — they’re pretty unique.

Here’s what Ash had to say about identity management for healthcare institutions:

Identity Management is officially center stage for healthcare institutions.  According to the 2008 HIMSS Leadership Survey, which surveyed 300+ healthcare IT professionals, the number one technology they anticipated their organizations would use within the next two years was identity management (coming in at 45 percent).  In terms of security technologies, they identified single sign-on as high on their priority list, while nearly half of the participants acknowledged plans to deploy it in their environment within the next two years.

With that being stated, the questions regarding the definition of identity management and the practical steps that their institutions are taking to deploy them seem pervasive. As evidence, the same report stated that the respondents had overwhelmingly installed access control technologies (83 percent).

So, what’s going on here?  Didn’t 45% of the same respondents claim they are looking for identity management solutions?  The answer is quite simple: the term “identity management” means different things to different people. 

Some look at it as a synonym for a specific technology such as Single Sign-On, Automated User Provisioning, Access Management, Directory Services or Self-Service Password Management.  Others look at it as an umbrella term for multiple technologies, and yet others see it as “a set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.”

This posting for Shahid’s blog aims to provide simple yet practical guidelines to help your organization along in the conversation around identity management technologies and what it means to your environment. So here goes:

1. The first practical step you can take is to identify the drivers: Is it HIPAA compliance you seek? If so, which specific areas? Or is the main driver physicians complaining about logging into a myriad of different applications to do their job? Or is it a problem that your software engineers are trying to solve regarding passing patient identity data between heterogeneous applications and systems?
2. Validation.  Once you’ve listed out the drivers, validate!  If the physicians are a calling, answer by setting up focus groups to allow them to voice their concerns. Sometimes a physician may use a technology buzz word that she read in a magazine, not quite grasping what it really means – so ask them to explain their experience, perhaps even allow them to demonstrate their experience so you can evaluate exactly what they need.  Perhaps you’ll find that they don’t need an entire Identity Management suite, and a simple self-service password reset tool will suffice.  If the driver is the resultant clatter from a failed audit, then speak to those internal resources that were directly involved in the audit regarding their experience and any documentation that they could provide.  Find the exact audit failures, and how they were evaluated.  Second and third-hand information is quite often adulterated and can skew the true audit demonstration needs.  By taking the time to validate the drivers, you will ensure that your endeavors are based on hard facts.
3. Classify the drivers as long term versus short term, tactical versus strategic.  Some drivers point to a tactical point solution, while others require a strategic initiative and will probably require more than one technology to solve.  If you have identified it as a strategic initiative, getting help from a consulting firm that could help you identify a roadmap rather than doing it yourself could save you significant heartache 12 months down the line.  The upfront investment can save you from finding yourself in a vendor or technology lock-in situation that could have been avoided.
4. Another practical guideline is to stop using the blanket term “identity management” in internal conversations, unless you really mean it.  If your organization really means it, then define it up front. Creating a common vocabulary is a powerful first step for meaningful dialogue, and an evasive term like “identity management” can wreak havoc on any project planning sessions unless clearly defined.  If your organization is seeking a Single Sign-On point solution, then call it that.  But if it’s a Web Access Management solution that you are after, then call it that and sharply contrast it to Single Sign-On and what benefits it will provide you.  If your organization is seeking a technology set to comprehensively manage digital identities, then label it identity management, but define exactly what it means to your organization.  Nail down that moving target, and then be relentless on those around you to use the agreed upon terms appropriately.
5. Talk about vendors last. But when you get to it, and if you have defined a roadmap that is longer than 18 months, then identify only the technologies that you seek to deploy within the next 18 months, and use them as the criterion for vendor selection.  Looking beyond 18 months in the identity world is like looking into a crystal ball.  The M&A activity is fierce, the landscape changes quickly, and even the experts are having a tough time making their identity management predictions stick.  The sales folks from the various vendors will almost always try to sell you the entire suite, yet only a handful of clients utilize it all.  Be aggressive in your roadmap, but conservative when it comes to vendor selection.