The risks of legacy processes in a changing ecosystem
In a cloud-based world, a new approach to identity management is necessary.
By Paul Calatayud, Chief Information Security Officer, Surescripts, March 2014
As healthcare IT ecosystems move from digital into mobile, cloud-based solutions, becoming more of an extensible ecosystem, certain relationships change and create new challenges that need to be considered. The changing landscape of identity management, and how credentials are issued within the EHR space, should dominate security conversations across healthcare. Key questions need to be asked in order to determine whether a company has credentialing policies that need to change, or technology that needs to be supplemented, for those processes to still be considered credible and meaningful.
There are many constituents that should have a stake in credentialing. The natural ones are the parties that are responsible for issuing credentials on their ecosystems. This is usually the hospital’s IT department that is accountable for having a suitable process in place to assure that the credentials that they are issuing are legitimate. While these departments need to be mindful of this process, technology vendors that support the ecosystem should also be mindful of ways to support these credentialing services within their platforms and services. If this occurs, the burden does not always have to be on the end point, in this case, a hospital. Finally, the facility’s management should be very interested in the development and implementation of its credentialing systems. They need to be mindful of the risks and how to ensure that, as they do business with other parties, the credentialing responsibilities are being properly transferred.
Historically, credentials were issued to employees of large hospitals or some sort of primary care facility, so access to EHR systems was a partnership between Human Resources and Information Technology during the hiring process. As IT ecosystems move from digital into mobile and into more of a cloud-based or Web-based service provider model, and as the EHR architecture opens up to be more Web-facing, this process needs to change. I think certain relationships change and create new challenges that need to be considered. It is important to establish a level of trust in determining who is truly requesting access to those credentials, as well as the ability to securely distribute those credentials and maintain that trust. The requestor may be a contractor rather than a full-time employee, and especially with a Web-based HR system, it is important to understand whether they are who they say they are, whether they are a licensed practitioner, and whether they hold all the credentials needed to access the information or input it into the system.
What is really changing is the standard process of identity verification. In most circumstances, a hospital may validate an employee’s identity with a driver’s license presented in person, but consider the new architecture that changes that relationship to a remote Web-based model, which could prevent those same in-person interactions from occurring. When coupling these new technologies and interactions with legacy processes, one could easily introduce risk with simple solutions such as requesting that the employee’s driver’s license be faxed in order to bridge the relationship. A driver’s license, from a physical perspective, has a lot of fraud prevention and detection built in, but the minute you fax that image, you are susceptible to manipulation and fraud, and that is a real challenge. There is significant risk of having individuals operating on your ecosystem, able to take advantage of the information or the services being exposed, without you knowing that they are who they say they are.
But government regulation, without industry input, isn’t the answer. As an industry, we need to drive our own set of credentialing standards, much like the Payment Card Industry Data Security Standard (PCI DSS), which is an industry-led joint effort by leading credit card companies to develop their own industry standards, now being supported by state regulations. In fact, because of PCI DSS, there are now laws being created at a state level that back the credit card industry’s standards. At the end of the day, the most traction any standard can gain, whether it involves credentialing or any other vital process, is when the industry comes together to adopt it and lead with its support. When this occurs, the results help drive the adoption of the agreed-upon standards proactively. When standards and practices originate outside the industry, there is a tendency toward more instances of misinterpretation and noncompliance. When developing standards, the healthcare industry needs to be mindful of patients’ needs, considering what technology is best suited to meet those needs. If the healthcare industry takes this leadership position, it will experience fewer pain points and less friction. It is critical to our collective success that the healthcare industry seizes control of the issues surrounding credentialing before outside entities and regulators step up and fill the void.