How Integris Health fortified data security with identity governance

After audits revealed several gaps in identity management, the health system turned to an IG vendor to help it understand which users have access to what and, more importantly, ensure users have the right access to data.
By Bill Siwicki
09:58 AM

After security audits uncovered several gaps in Integris Health's identity management, the Oklahoma health system concluded it was time to implement an identity governance program.

Previously, employees and contractors were accessing the organization's Epic electronic health record and other clinical applications without any type of access management policy in place. Integris needed visibility into each user and their access to sensitive patient information.

"We had increased our investments in IT security to address compliance pressures around protecting healthcare data," said James Landers, identity access management security engineer at Integris Health. "We also put measures in place to proactively protect ourselves from a potential data breach. Failure to meet compliance needs or exposure of sensitive healthcare data could have serious consequences for the organization if not properly addressed."

Despite these investments, Integris still had a limited view of the applications and healthcare information systems employees were accessing. This "identity" information was housed in disparate repositories. One of the bigger issues was the lack of visibility into all employees with access to the Cerner EHR, which was the largest clinical application at the time. (Integris later switched from Cerner to Epic.)

"We could track what our full-time employees had requested access to, but we lacked a view of what access had been granted," Landers said. "We also had zero visibility into what our contract employees were accessing. Moreover, we used PeopleSoft to track full-time employee access to applications and information, but not contractors, who were managed in an ad hoc way."

So Integris turned to an identity governance program, with help from vendor SailPoint. An IG program helps an organization understand which users have access to what and, more importantly, ensures users have the right access to information. It also confirms that the contents of account repositories are properly controlled.

In addition to SailPoint, there are many vendors in the identity governance and identity and access management market, including AlertEnterprise, Datum, Edgile, Janrain, OpenText and Oracle.

"Identity governance allows us to align our policies and establish consistent, centralized access controls across the enterprise," Landers explained. "For example, we have contract nurses and therapists who are constantly coming and going and need access to systems and information to do their jobs. It's important for employees to have the proper access needed, in a safe and secure way, and it's also important for us to have visibility into user access across our applications."

For Integris, identity governance is a control that helps protect its patient data and healthcare information systems, including in the event of a breach. It also integrates with the organization's clinical applications and tracks who has access to what within the organization.

Integris kicked off its identity program by addressing access certifications head-on. For Integris, this was key.

"We kicked off our identity program with the access certification because it's a crucial component in proving compliance with healthcare regulations," Landers said. 

The technology helped "establish and enforce user access policies like separation-of-duty," he explained. "Once these policies were established, we were able to automate the process of reviewing, approving and revoking user access rights across the organization, saving us time and money by reducing the burden on both IT and business staff, while strengthening our security posture."

Landers said the initiative made an impact in three key areas. 

The first was to give the health system a complete view of the users accessing applications within the organization. Upon bringing Cerner users into SailPoint, and prior to transitioning to Epic, Integris learned there were quite a few Cerner accounts not mapped to Active Directory accounts. SailPoint helped correctly map them, eliminating unnecessary Cerner accounts and establishing a governance process for future provisioning.

"The second area is helping us manage our contract employees," he said. "We moved forward with putting contract employees in PeopleSoft to address this issue, giving us the holistic view of the organization we were looking for. It also became critical to put access certification and provisioning in place for all employees."

Third, Integris developed a termination process to de-provision departing users from major applications in a timely manner. Integris also recently transitioned from Cerner to Epic, Landers said.

Ultimately, Integris' identity governance program created greater efficiencies and workflows for the entire organization. 

"Every non-employee worker is now mapped to a manager, creating a clear line of sight of who has access to applications and data," he explained. "Integris now runs bi-annual certifications with 90 percent completion rate for all users with application access. We also run a uniform process and audit trail for all applications access granted, especially to non-employee workers."

Managers are aware of the access their employees have, especially access to the main clinical application, Epic, because they requested or approved it. When an employee leaves the company, within 30 minutes of the termination being recorded in PeopleSoft, the user's Active Directory account is disabled, blocking access to the IT environment, and service desk tickets are created to terminate each of their application accounts.

"The uniform provisioning process for both employees and non-employees means that no one gets access to an application without their manager, who has ultimate responsibility, knowing about it," Landers said. 

Additionally, he said, a uniform termination process for both employees and non-employees means that no one retains access that slips through the cracks. Because Active Directory and other accounts are deactivated, bad actors cannot use those accounts after the user has left the organization.
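The two findings above, orphaned application accounts that cannot be tied to a directory identity and leavers who still hold live accounts after the termination window, are the kind of checks an identity governance program runs on every reconciliation cycle. The script below is an added example, not Integris' process or SailPoint's code: it models a PeopleSoft-style HR feed, an Active Directory export and an EHR user table as small constructed data sets (all worker IDs, logins and the 30-minute grace window are assumptions for illustration) and reports the exceptions a certification reviewer or deprovisioning workflow would act on. The names `Worker`, `AdAccount`, `AppAccount` and the three check functions are hypothetical.

```python
"""Identity reconciliation checks of the kind an IG program runs each cycle.

Added example; not Integris' process or SailPoint's code. The three data
sets below are constructed stand-ins for an HR feed (PeopleSoft), a directory
export (Active Directory) and a clinical application's own user table.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Worker:              # one row of the HR feed (authoritative source)
    worker_id: str
    worker_type: str       # "employee" or "contractor"
    status: str            # "active" or "terminated"
    manager_id: Optional[str]
    terminated_at: Optional[datetime] = None


@dataclass(frozen=True)
class AdAccount:           # one directory object
    sam: str
    worker_id: Optional[str]   # employeeID attribute; None means never correlated
    enabled: bool


@dataclass(frozen=True)
class AppAccount:          # one row of the application's local user table
    username: str
    ad_sam: Optional[str]      # directory login this app account is linked to
    active: bool


def orphan_app_accounts(app_accounts: List[AppAccount], ad_accounts: List[AdAccount]) -> List[str]:
    """Active application accounts that cannot be tied to a directory identity.

    This is what surfaces when an EHR's user table is first loaded into an IG
    tool: accounts with no directory mapping, or mapped to a login that no
    longer exists. Nobody can certify them, so they are review candidates.
    """
    sams = {a.sam for a in ad_accounts}
    return sorted(a.username for a in app_accounts
                  if a.active and (a.ad_sam is None or a.ad_sam not in sams))


def leaver_violations(workers: List[Worker], ad_accounts: List[AdAccount],
                      app_accounts: List[AppAccount], now: datetime,
                      grace: timedelta = timedelta(minutes=30)
                      ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Terminated workers still holding live accounts past the grace window.

    Returns (ad_to_disable, app_tickets): directory logins that should already
    be disabled, and (app username, worker id) pairs that still need a
    deprovisioning ticket. Mirrors an HR-driven "disable AD within N minutes,
    ticket each application account" flow; N is the assumed grace period.
    """
    terminated = {w.worker_id for w in workers
                  if w.status == "terminated" and w.terminated_at is not None
                  and now - w.terminated_at > grace}
    ad_by_sam = {a.sam: a for a in ad_accounts}
    ad_to_disable = sorted(a.sam for a in ad_accounts
                           if a.enabled and a.worker_id in terminated)
    app_tickets = sorted(
        (a.username, ad_by_sam[a.ad_sam].worker_id)
        for a in app_accounts
        if a.active and a.ad_sam in ad_by_sam
        and ad_by_sam[a.ad_sam].worker_id in terminated)
    return ad_to_disable, app_tickets


def unmanaged_non_employees(workers: List[Worker]) -> List[str]:
    """Active contractors with no manager of record: nobody can certify their access."""
    return sorted(w.worker_id for w in workers
                  if w.worker_type == "contractor" and w.status == "active"
                  and w.manager_id is None)


# Constructed sample data (hypothetical IDs and logins).
NOW = datetime(2019, 6, 1, 12, 0)
WORKERS = [
    Worker("E100", "employee", "active", "E001"),
    Worker("E101", "employee", "terminated", "E001", NOW - timedelta(hours=2)),
    Worker("E102", "employee", "terminated", "E001", NOW - timedelta(minutes=10)),  # inside grace window
    Worker("C200", "contractor", "active", "E001"),
    Worker("C201", "contractor", "active", None),        # contractor with no manager mapped
]
AD = [
    AdAccount("jdoe", "E100", True),
    AdAccount("asmith", "E101", True),    # leaver, should already be disabled
    AdAccount("bwu", "E102", True),       # leaver, still within the grace window
    AdAccount("cnurse", "C200", True),
    AdAccount("dtherapy", "C201", True),
]
APP = [
    AppAccount("jdoe", "jdoe", True),
    AppAccount("asmith", "asmith", True),   # leaver still active in the EHR
    AppAccount("bwu", "bwu", True),
    AppAccount("cnurse", "cnurse", True),
    AppAccount("legacy_rx1", None, True),   # orphan: never mapped to a directory login
    AppAccount("oldadmin", "mgone", True),  # orphan: mapped login no longer exists
    AppAccount("retired", "mgone2", False), # inactive, ignored
]

if __name__ == "__main__":
    print("orphan app accounts:", orphan_app_accounts(APP, AD))
    print("leaver violations:", leaver_violations(WORKERS, AD, APP, NOW))
    print("contractors without a manager:", unmanaged_non_employees(WORKERS))
```

The checks deliberately treat the HR feed as the only authority for "who is a worker" and the directory as the only authority for "which login belongs to which worker"; an application account is live only if that chain is intact. The grace window keeps the leaver report from flagging terminations the automated disable has not yet had time to process, so what remains in the output is exactly the set of accounts a ticket or a certification reviewer must deal with.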


Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com