Health care organizations both large and small have multiple user constituencies that access their IT systems: doctors, clinicians, patients, finance, HR, just to name a few. Collectively, they are the key users and key stakeholders of the IT environment, all working toward the single business objective of patient care.
Managing the often-conflicting needs and expectations of these distinct user groups around authentication and sign in for various in-house systems and cloud apps creates a challenge for every healthcare CISO and IAM professional.
Sharp HealthCare, a San Diego, CA-based healthcare group with 2,600 physicians and more than 18,000 employees, deployed the SecureAuth Identity platform. SecureAuth’s CISO and Chief Evangelist, Bil Harmer, highlights how the customer successfully implemented the solution.
“IAM has tentacles everywhere — it really touches everyone because they are all users of the system. When you manage a large-scale IAM system, it’s important that you first create a cross-functional and empowered governance body that you can go to because otherwise you are going to be talking to a million people. You need to know all those decision makers to be able to ask: ‘Here’s the vision, can you buy into that?’ Only then will you have the empowerment to move forward. You don’t want to spend years trying to get decisions made – your strategy will change by then.”
Map out IAM ownership
The IAM implementation team must communicate how the organization is going to implement the identity and access management roadmap and who owns what pieces of the IAM architecture. A key component of the deployment strategy is IT partners who help connect everything together.
“One of the biggest lessons an organization such as Sharp Healthcare learned is the governance over IAM – who owns the strategy and architecture,” says Bil Harmer, CISO and Chief Evangelist at SecureAuth. “There are pieces of IAM throughout the organization: who manages an app, who designs roles for the app, who manages authentication, who manages federation. When you first walk into this, it’s important to get an agreement across all your IT and business partners. You need to set up a clear governance structure so that when the strategy is made, there’s an accountable owner who can make those day-to-day implementation decisions. Making sure that this accountability structure is set up is critical because there are so many tentacles with identity and access management.”
The success of any IAM deployment comes down to having a detailed understanding of use cases. Users unsurprisingly default to the path of least resistance regardless of security implications, so removing any perceived friction from frequently used authentication flows is key to instituting security and getting user buy-in.
Win the end user
“When adaptive authentication and the push-to-accept was implemented in the last year or two, it was a huge hit within the organization,” explains Bil Harmer. “It went from ‘I got to login and put in a code every time’ to ‘Now, it does not require me to use a code’. The Healthcare IT team started analyzing the behavior and risk profile and sent a simple MFA push notification only if needed.”
IAM revolves around two objectives that are not always aligned: security and user experience. Adaptive authentication, conceptually, aims to reconcile them by prompting for a second factor only when the sign-in looks risky.
“Their switch to adaptive authentication was just an example of where we maintain security—probably increase it to some degree—and vastly improve the user experience,” continues Bil Harmer. “That creates that trust with the user community so that the next thing you need to implement will not be met with resistance.”
Start small and build over time
A gradual roll-out of MFA, adaptive or even passwordless authentication gives the IAM implementation team an additional benefit: a clear view of internal costs, project velocity and user acceptance before the next phase is committed.
“Start small, with manageable chunks, get some quick wins, prove yourself out,” advises Bil Harmer. “At Sharp Health we lead with the adaptive authentication and MFA push notifications – that was a big win that bought us a lot of political capital and allowed us to kick things up to the next level.”
IAM and Healthcare Series
You can hear the entire interview on achieving Zero Trust on our website.