Identity access management tips from the security pros
Here's a challenge: Overseeing identity access management for a 163-hospital health system that spans 20 states and the U.K. But despite the myriad challenges – and they're growing more prevalent these days – HCA's Bobby Stokes is ahead of the game and has a few tips for those looking for guidance.
Stokes, the AVP of identity access management at Nashville, Tennessee-based HCA, says protecting data is akin to playing Donkey Kong. "We're like Mario," he said. All those barrels being thrown at us that we have to work around represent government regulations and an ever-changing landscape – think ACA, updated HIPAA and meaningful use.
Stokes is charged with the not-so-light task of managing a single sign-on implementation that today has 130,000 users every month.
Add to that the complexity of those users. New employees come in; some leave.
"What's an ally and an employee one day may be a contractor or an outside force the next," added Stokes, speaking in a Healthcare IT News webinar this past winter. "And you have to deal with that."
HCA has tapped a Caradigm identity access management platform to help with it all.
Stokes described what was once perceived as "stretch goals" of identity access management – that is, providing immediate access for all employees and clinicians when they're hired and terminating their access as soon as they leave.
"At one point, those were stretch goals. That's what everyone was trying to do," said Stokes. Fast forward to today's healthcare landscape, and there's no sugar coating it: That's just not going to cut it anymore.
"Yesterday's stretch goals are today's requirement," he said. There are some things security folks need to stay on top of – and this is one of them.
"If you don't know if disgruntled employees leave, and you don't shut their access down, you're going to have a problem," he added. "You're going to be asking for it."
This goes for smaller healthcare organizations too.
"The disgruntled employees are the biggest concerns," said Susan Snedaker, information security officer at the 600-bed Tucson Medical Center, at the Healthcare IT News Privacy & Security Forum this spring. "Then second to that disengaged employees."
Snedaker and her team work with their clinical managers and directors and have them identify those specific employees they're concerned about. They do this "so we can put additional controls and monitors around those folks," she explained.
Establishing a point team
Meredith Phillips is the chief information security officer of the six-hospital Henry Ford Health System in Detroit. And also top of her priority list? Tackling identity and access management.
It's an item that's "the top of our mind," she said. Phillips heads a team of 42 full-time employees who are broken up into five smaller teams. One of the most recent changes they've made is establishing a core group of individuals within Phillips' team who focus solely on the enterprise approach for identity and access management.
"Truthfully, that's the core of security," said Phillips. "What is it that we give people access to based on their role they have here at Henry Ford?"
The initiative is still in its beginning phases, but Phillips said they've already made "good headway."
For those looking to start something similar, HCA's Stokes offers some advice. It's not that it's extremely difficult. Rather, "it's just a lot of work as far as defining what your roles are," he explained. "Getting standard roles and having a good process in place to say, 'OK, we have this sort of role, this is the application this particular role has, and this is who says it's OK to do it.'"
This is where it can get complicated because you have to involve multiple stakeholders. "This is a collision between HR processes, your security processes, audits and compliance," he added.
Sure, OK, say you've defined your roles, and who's in the roles and which roles should have access to which applications. "But who said it was OK for them to have access?" he pointed out. "We need a report that tells us who said they have access and who has access that they shouldn't." Then, it gets even more complicated when individuals change roles.
But it's well worth it for many different reasons, as Stokes explained. Having one identity per user across the enterprise, for one, simplifies the whole identity access management piece. Five or six years ago, before HCA implemented single sign-on, "We had a lot of people complaining, 'I got 27 identities; I got 27 usernames,'" said Stokes. And people couldn't keep up with them. It also proved a nightmare for the help desk group.
This also makes things easier when you have an individual whose employment was terminated.
"If you had someone terminated in a hostile format, and they've got seven or eight different accounts, it's not always real easy to figure out what those are especially if you don't have any tooling," said Stokes. "Probably a more recent thing that we're seeing is, OK, you set them up. You set them up right. We know who said they could have that access, but what did they do after they had the access?" he explained.
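The report Stokes describes above (who has access, who approved it, who holds access they shouldn't) and the termination problem he raises here (one identity tied to several application accounts that must all be shut down) can be expressed as a small access-review routine. The following is an added example, not code from HCA, Caradigm or this article; the role names, applications, user records and approval log are all constructed for illustration, and a real deployment would pull them from the HR system, the single sign-on directory and the access-request workflow.

```python
"""Access review over one identity per user: flag application access that falls
outside a user's role, access nobody signed off on, and accounts still live for
terminated staff. All data below is constructed sample data."""
from dataclasses import dataclass


@dataclass
class User:
    user_id: str      # the single enterprise identity
    roles: set        # standard roles assigned by HR
    status: str       # "active" or "terminated", as reported by HR
    accounts: set     # application accounts linked to this identity


# Standard role -> applications that role is entitled to (constructed)
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr", "pharmacy"},
    "billing": {"claims"},
    "helpdesk": {"ticketing", "ehr"},
}

# (user, application) -> who approved that access (constructed approval log)
APPROVALS = {
    ("u1", "ehr"): "dir_nursing",
    ("u1", "pharmacy"): "dir_nursing",
    ("u2", "claims"): "mgr_billing",
    ("u3", "ticketing"): "mgr_it",
    ("u3", "ehr"): "mgr_it",
}

USERS = [
    User("u1", {"nurse"}, "active", {"ehr", "pharmacy"}),          # clean
    User("u2", {"billing"}, "active", {"claims", "ehr"}),          # ehr outside role, unapproved
    User("u3", {"helpdesk"}, "terminated", {"ticketing", "ehr"}),  # leaver with live accounts
    User("u4", {"nurse"}, "active", {"ehr"}),                      # in role, but no sign-off
]


def allowed_apps(roles, role_entitlements):
    """Union of everything the user's roles entitle them to."""
    return set().union(*(role_entitlements.get(r, set()) for r in roles))


def review(users, role_entitlements, approvals):
    """Return (finding, user, detail) tuples for the access-review report."""
    findings = []
    for u in users:
        # A terminated identity with any linked account is the urgent case:
        # report every account together so all of them get shut down.
        if u.status == "terminated" and u.accounts:
            findings.append(("terminated_still_active", u.user_id,
                             tuple(sorted(u.accounts))))
            continue
        allowed = allowed_apps(u.roles, role_entitlements)
        for app in sorted(u.accounts):
            if app not in allowed:
                findings.append(("outside_role", u.user_id, app))
            if (u.user_id, app) not in approvals:
                findings.append(("no_approver", u.user_id, app))
    return findings


def role_change_plan(user, new_roles, role_entitlements):
    """When someone changes roles, list what to revoke and what to request
    so the old role's access does not quietly accumulate."""
    new_allowed = allowed_apps(new_roles, role_entitlements)
    return {
        "revoke": sorted(user.accounts - new_allowed),
        "request": sorted(new_allowed - user.accounts),
    }


if __name__ == "__main__":
    for finding in review(USERS, ROLE_ENTITLEMENTS, APPROVALS):
        print(*finding)
    # u1 moves from nursing to billing: ehr and pharmacy go, claims is requested
    print(role_change_plan(USERS[0], {"billing"}, ROLE_ENTITLEMENTS))
```

The review keys everything off the single user identity, which is what makes the termination case tractable: with one identity linking all of a leaver's application accounts, the report lists every account to close at once rather than leaving the team to hunt for seven or eight separate usernames.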
Bottom line, said Stokes, you have to get the people and processes piece done before you focus on the technology or identity access management platform. Security folks need to think of identity access management as a business problem, he said. "You could have the best tool in the world, and if you don't have this stuff resolved you're going to be a failure; you're going to have a lot of trouble."