● Thought Leaders

The risks of legacy processes in a changing ecosystem

In a cloud-based world, a new approach to identity management is necessary. By Paul Calatayud

As healthcare IT ecosystems move from digital into mobile, cloud-based solutions, becoming more of an extensible ecosystem, certain relationships change and create new challenges that need to be considered. The changing landscape of identity management, and how credentials are being issued within the EHR space, should dominate security conversations across healthcare. Key questions need to be asked to determine whether an organization has credentialing policies that need to change, or technology that needs to be supplemented, for those processes to still be considered credible and meaningful.

There are many constituents that should have a stake in credentialing. The natural ones are the parties responsible for issuing credentials on their ecosystems. This is usually the hospital's IT department, which is accountable for having a suitable process in place to assure that the credentials it issues are legitimate. While these departments need to be mindful of this process, the technology vendors that support the ecosystem should also look for ways to support these credentialing services within their platforms and services. If this occurs, the burden does not always have to fall on the end point, in this case the hospital. Finally, the facility's management should be very interested in the development and implementation of its credentialing systems. They need to be mindful of the risks and of how to ensure that, as they do business with other parties, credentialing responsibilities are being properly transferred.

Historically, credentials were issued to employees of large hospitals or some sort of primary care facility, so access to EHR systems was a partnership between Human Resources and Information Technology during the hiring process. As IT ecosystems move from digital into mobile and into more of a cloud-based or Web-based service provider model, and as the EHR architecture opens up to be more Web-facing, this process needs to change. I think certain relationships change and create new challenges that need to be considered. It is important to establish a level of trust in determining who is truly requesting the credentials, as well as the ability to securely distribute those credentials and maintain that trust. The requestor may be a contractor rather than a full-time employee, and especially with a Web-based HR system, it is important to understand whether they are who they say they are, whether they are a licensed practitioner, and whether they have all the credentials needed to access the information or input it into the system.

What is really changing is the standard process of identity verification. In most circumstances, a hospital may validate an employee's identity with a driver's license presented in person, but consider the new architecture that changes that relationship to a remote, Web-based model, which could prevent those same in-person interactions from occurring. When coupling these new technologies and interactions with legacy processes, one could easily introduce risk with simple solutions like requesting that the employee's driver's license be faxed in order to bridge the relationship. A physical driver's license has a lot of fraud prevention and detection built in, but the minute you fax that image, those physical features are gone (a low-resolution monochrome fax carries none of them, and the image can be altered before it is ever sent), so you are susceptible to manipulation and fraud, and that is a real challenge. There is significant risk in having individuals operating on your ecosystem, able to take advantage of the information or services being exposed, without you knowing that they are who they say they are.

But government regulation, without industry input, isn't the answer. As an industry, we need to drive our own set of credentialing standards, much like the Payment Card Industry Data Security Standard (PCI DSS), an industry-led joint effort by the leading credit card companies to develop their own standards, which are now being backed by laws created at the state level. At the end of the day, the most traction any standard can gain, whether it involves credentialing or any other vital process, is when the industry comes together to adopt it and lead with its support. When this occurs, the results help drive adoption of the agreed-upon standards proactively. When standards and practices originate outside the industry, there is a tendency toward more instances of misinterpretation and noncompliance. When developing standards, the healthcare industry needs to be mindful of patients' needs, considering what technology is best suited to meet those needs. If the healthcare industry takes this leadership position, it will experience fewer pain points and less friction. It is critical to our collective success that the healthcare industry seizes control of the issues surrounding credentialing before outside entities and regulators step in and fill the void.

Paul Calatayud, Chief Information Security Officer, Surescripts

March 2014

