Badly implemented IAM can kill you. Literally.
The above statement is not just a scare tactic – it is a fact that has been proven in healthcare, sadly, many times over.
The central function of IAM is to grant reliable access – for example to patient data – to those who are authorized, and to reliably prevent access by those who are not. In healthcare, both aspects are more critical than in many other industries.
There is so much more than money on the line.
Goldilocks and IAM in Healthcare
Timely diagnoses and successful therapies often rely upon the absolute instant availability of key information.
Consider an unconscious patient, one who is in a coma. Their health records could tell physicians that this coma is probably caused by the patient’s diabetes and could easily be resolved by controlling her blood glucose levels. That is, their records could tell them this...if the physician can access the health records quickly enough.
Or take, for instance, a little boy who arrives at the doctor’s office with a high fever and irritated tonsils. Before it’s too late, the physician needs to be able to access his health records and learn that the boy is allergic to penicillin.
On the other hand, granting unregulated, unfettered access to patient data is not only an invasion of privacy for the patient, but it’s potentially harmful too. If a patient does not have complete trust in his healthcare provider’s ability to keep his data private, he may decide to withhold personal information that is crucial to diagnosis and treatment – such as sexual history or mental health issues.
And it’s not just about patient security! Hospitals are at risk as well. Data leaks have repeatedly allowed malicious intruders to sell patient data on the black market or to blackmail hospitals into paying hush money.
That’s why healthcare IAM, even more than in other industries, must conform to the “Goldilocks principle.” There must not be too much or too little control, but just the right amount.
In healthcare, people are constantly working under severe time restraints. Time is a critical factor that holds together the thin fabric of an organization in which multitudes of processes depend upon each other. If the nurse is late with her rounds because the IAM system denied her access to the hospital information system, then the patient is not properly pre-medicated for surgery. Or Operation Room schedule gets messed up, which then means several doctors and OR technicians have to work overtime, and so on.
Some providers of hospital information systems are more aware of the role of usability in healthcare than others: Epic, for instance, has been a trailblazer for usability in electronic health records, and has repeatedly scrutinized and improved its products to make them more user-friendly.
With the help of software engineers, usability experts, healthcare professionals and cognitive scientists, interfaces have been streamlined to ease the cognitive burden for physicians, to increase consistency and logical flow, and to remove redundant options and make relevant patient information more readily accessible.
However, streamlined clinical processes don’t make patient data secure – even the most usable hospital information system still needs reliable IAM. This is where Saviynt comes in. They are an innovative Cloud Security and Identity Governance company who offer a solution tailor-made for Epic.
Saviynt for Epic does not only recognize and implement all healthcare-specific regulations in information security and governance – it also improves the usability of Epic template design and catches SOD errors before they have a chance to occur.
If this sounds like something that could improve your organization’s processes, get in touch with us! Simeio is one of the few IAM providers who have special expertise in the implementation and maintenance of Saviynt for Epic.
Dr Christina Czeschik is a writer and consultant specialized in information security, digital privacy, and Blockchain. Originally a doctor, she has slipped into the infosec pool by way of cryptoparties, and never quite been able to climb out again.