About five years ago, PeaceHealth, a 16,000-caregiver healthcare provider in the Pacific Northwest with 10 hospitals and 250 ambulatory clinics, began a focused effort to meet the compliance standards of the HIPAA role-based access requirements.
At the same time, the provider organization invested $ 300 million in converting the electronic health records of its ten hospitals and 250 clinics to an Epic system. At the time, the organization was using a homegrown system to help grant access to providers. But with this tool, it took a provider 28 days after they were hired to receive access to systems.
“We then brought in a legacy tool, Microsoft Identity Manager, to help decrease the time to access,” said Robert Siebenthaler, manager of identity, access and security at PeaceHealth. “While this tool was able to automate part of the process, internal and external audits revealed its shortcomings. We evaluated the tool’s roadmap and concluded it was not fit to support PeaceHealth in the long term.”
So the provider organization started the process of evaluating identity governance systems that mirrored its goals for the future: A dedication to identity governance and a strong integration with Epic. During this evaluation phase, PeaceHealth brought in internal and external auditors, the risk team, and the office of integrity to help with the process.
Through the evaluation phase, PeaceHealth decided to begin a long-term partnership with vendor SailPoint, and from there the next-generation identity program took shape.
“One of the reasons we saw a future with SailPoint was its ability to manage all users,” Siebenthaler explained. “Granting entitlements to healthcare workers with multiple personas can be very tricky. PeaceHealth has employees, community providers, hospice, volunteers, contractors and external providers that all need differing types of access.”
With the SailPoint technology, PeaceHealth would be able to grant entitlements, complete with access approvals and certifications that allow the organization to remain compliant, he added.
There is a variety of identity and access management technology vendors with products on the market. Some of these vendors include Centrify Identity Service, Digital Persona, Forefront Identity Manager, ForgeRock Identity Platform, Intermedia AppID Enterprise, Okta Identity Management and Oracle Identity Management.
MEETING THE CHALLENGE
With the new technology, PeaceHealth now has 100 percent role-based access for all users: employees, community providers, hospice, volunteers, contractors and external providers. It integrated SailPoint with its credential system from Visual Cactus; its human resources system; Azure, since the organization is an Office 365 shop; and a couple of internal databases that it has to track providers.
“To achieve this, we did extensive business analysis evaluating the existing workflows with our HR department and addressing the current gaps and worrisome areas to mitigate future risk,” Siebenthaler said. “The first phase of this program focused on using SailPoint to grant providers access to systems more quickly, prioritizing access to Epic. Providers no longer wait 28 days for access to Epic and other systems, and now receive full rights within two days.”
Reducing the manual labor involved for provisioning access was also a goal for the team. Twenty-five contractors were responsible for granting access. Now that this process is automated, these contractors no longer are on staff, saving PeaceHealth hundreds of thousands of dollars.
“I’ve managed to save hundreds of thousands of dollars by reducing the manual labor involved for provisioning access.”
Robert Siebenthaler, PeaceHealth
“We’ve also been able to bolster all our provisioning processes, including the revocation of access when someone moved within or left the organization,” Siebenthaler added.
With the legacy and homegrown tools, the identity and access management team had not been able to track user access in compliance with audit requirements or run certification campaigns. Compliance was not addressed, and PeaceHealth knew it was a problem but did not have the solution or processes in place to manage it properly.
“With SailPoint in place to now support managing compliance, certifying access to Epic became the first priority to address,” he explained. “The various roles a provider can have make the certification process rather complicated. Some of PeaceHealth’s locations are deemed critical access hospitals, where the identity of a provider or staff can change depending on the day.”
At the critical access hospitals, someone can be front desk staff, later in the day they are a nurse, and two days later they are a medical assistant. Tracking these complex and changing roles is critical for proving compliance. PeaceHealth also wants to enable its employees to operate in the capacity they need without slowing them down.
“On the initial Epic certification campaign, we worked with the audit team to decide what was important to report on and to make sure they were providing all requirements,” Siebenthaler said. “This helped us establish sound certification campaign processes, setting our team up for future success. We now run yearly campaigns and are incorporating additional applications beyond Epic.”
With the new technology in place, provider satisfaction has improved drastically, he added.
“The identity program is now a business enabler aiding the IT department, providers and security team to better serve the organization,” Siebenthaler said. “Medicine is automated now, with all information in the medical record. Giving our providers the right access to the right information at the right time allows them to give our patients top-quality, compassionate care. When providers can’t access information in a timely manner, we are not treating patients in a continuous way.”
The identity and access management team has also benefited from the improved identity program. Siebenthaler now encourages his team to look for ways SailPoint can be used to drive increased efficiency.
“Next on our roadmap, we plan to manage the bots in our environment and run certification campaigns on their access,” he said. “We also have plans to investigate our privileged users and add more controls and security around their access to mitigate any potential risk. Our success with SailPoint is just the beginning, and bringing these two areas under our purview will only drive more automation and increased security.”
It previously took about 25 days to provision a new physician or nurse practitioner. That time has been significantly cut short as a result of integrating SailPoint with the credentialing software from Visual Cactus, the human resources system and some other internal software. Providers no longer wait 28 days for access to Epic and other systems, and now receive full rights within two days.
“Additionally, I’ve managed to save hundreds of thousands of dollars by reducing the manual labor involved for provisioning access,” Siebenthaler explained. “Previously, twenty-five contractors were responsible for granting access. Now that this process is automated, I no longer have these contractors on staff.”
ADVICE FOR OTHERS
“We learned several things along the way to implementation and after,” Siebenthaler advised. “First, identify and access management systems are not static and therefore an ongoing investment is required. IT organizations need to treat identify and access management as a core business function.”
Whether one works with a vendor or maintains an identity and access management system internally, every year the program needs to be funded and staffed, he added. Identify and access management systems are an evolving technology that need to be adapted to one’s ever-changing business requirements and systems, he said.
“Before implementation, when you are reviewing workflows and processes, take the time to ask yourself if there is a better way to do this and how you could achieve a better outcome,” he suggested. “Question every process, just because that’s the way you are currently doing it doesn’t mean there isn’t a more efficient way. We included HR, medical staff office and other partners in our reviews and received tremendous value from including them in the process.”