Identity and Access Management

How does it benefit healthcare providers?

Jonathan Leviss

Director, Clinical Solutions for Microsoft Health Solutions Group, USA.


Many health systems turn to identity and access management technologies (IAM) to better address the workflow needs of providers. An IAM system is only as strong and complete as the processes in place to support the system and the staff who implement the policies.


A critical challenge to the implementation of health information technology (HIT), including electronic health records, is providing simple, efficient ways for providers to use HIT in the fast-paced workflows of healthcare. As more and more health systems from Australia to Europe implement HIT, projects stall and even fail because physicians, nurses, and other providers demonstrate that certain technologies slow them down or become too distracting for safe and efficient use while treating patients. Many health systems turn to identity and access management technologies (IAM) to better address the workflow needs of providers.

The IAM lifecycle

The IAM lifecycle is a continuous loop of: identify, provision, authenticate, control, and audit. Identify means to make sure that the individual who presents to a health system is who they say they are. Once identified, the individual is provisioned privileges, possibly a role, which typically permits certain functions and restricts others. The individual is then authenticated, through security protocols such as passwords, photo IDs or even fingerprints. Once the individual has been identified, provisioned, and authenticated, his actions within the health system must still be controlled, or limited to a range of actions. Once an individual is properly identified and authenticated, the actions taken within information systems must also be able to be audited.

From this lifecycle, we can derive three main components of IAM:

  • Security—prevent unauthorized people from accessing patient data
  • Privacy—prevent the use or release of patient data inappropriately
  • Efficiency—enable authorized people to appropriately access and use patient data quickly and easily

Security and privacy are healthcare IAM requirements by law, but efficiency is a healthcare IAM requirement for busy physicians, nurses, and other providers who care for patients in the fast-paced and high-stress world of healthcare. The trained healthcare professional must be able to focus on patient care without the burden of encumbering technologies that introduce confusing or slow workflows, including IAM solutions. The deployment architecture of HIT in most contemporary health systems, involving multiple applications, shared thick and thin client workstations, and task-focused, short user-sessions, prevents many non-healthcare IAM solutions from meeting these criteria.

An IAM system is only as strong and complete as the processes in place to support the system and the staff who implement the policies. Of critical importance is creating IAM policies and processes that support the care of patients by providers; a flexible IAM approach which enables, or enhances, quality healthcare delivery while safeguarding patient information is more important than a foolproof IAM approach that overburdens providers.

Healthcare differentiators: patients, staff, workflow, and culture

The Patient – A key differentiator in healthcare, unlike other industries, is that the customer really does come first. On a regular basis in all health systems, policies and procedures are broken to address a critical need for patient care—IAM is no exception. If a physician needs emergent access to patient information that would not be available under routine processes (e.g. access to psychiatric notes or medications during treatment in the Emergency Department), there must be a way for the physician to access this information. Effective IAM solutions will, in balance, create an event log for later review.
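The emergency-access path described above, sketched as an added example that is not part of the original article: routine role checks, a break-glass override that requires a stated reason, and an event log for later review. The roles, record categories and names (`AccessGateway`, `ROLE_PERMISSIONS`, `BREAK_GLASS_ROLES`) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-record-category policy (hypothetical; not from the article).
ROLE_PERMISSIONS = {
    "ed_physician": {"labs", "medications", "ed_notes"},
    "psychiatrist": {"labs", "medications", "psychiatric_notes"},
    "volunteer": set(),
}
# Roles allowed to invoke emergency ("break-glass") access at all.
BREAK_GLASS_ROLES = {"ed_physician", "psychiatrist"}


@dataclass
class AccessGateway:
    audit_log: list = field(default_factory=list)

    def request(self, user, role, patient_id, category, emergency_reason=None):
        """Control step: decide access, then record the decision for audit."""
        routine = category in ROLE_PERMISSIONS.get(role, set())
        reason = (emergency_reason or "").strip()
        # Override only for eligible roles, and only with a non-empty reason.
        override = (not routine) and role in BREAK_GLASS_ROLES and bool(reason)
        decision = "routine" if routine else "break_glass" if override else "denied"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "category": category, "decision": decision,
            "reason": reason if override else None,
        })
        return decision != "denied"

    def review_queue(self):
        """Audit step: emergency overrides and denials awaiting later review."""
        return [e for e in self.audit_log if e["decision"] != "routine"]


if __name__ == "__main__":
    # Constructed sample requests.
    gw = AccessGateway()
    gw.request("dr_a", "ed_physician", "P-001", "labs")
    gw.request("dr_a", "ed_physician", "P-001", "psychiatric_notes")
    gw.request("dr_a", "ed_physician", "P-001", "psychiatric_notes",
               emergency_reason="unresponsive patient, medication history needed")
    gw.request("vol_b", "volunteer", "P-001", "labs", emergency_reason="curious")
    for event in gw.review_queue():
        print(event["user"], event["category"], event["decision"], event["reason"])
```

Every decision is logged, including routine ones, so the review queue is a filter over a complete record rather than the only record of access.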

The Staff – Health systems often depend on employed staff, affiliated staff, students, and even volunteers for many tasks. Usually, many different offices maintain different databases to track these varied individuals, which impedes the monitoring of all persons who deliver care and access patient information. Additionally, some staff may be transient (e.g. students and trainees) and others might start on minimal notice (e.g. new hires and temporary nurses). An IAM system must be flexible enough to support the staffing requirements of health systems, easy enough to be used by transient staff, and robust enough to be effective.

The Workflow – Unique workflows are the failure point for many HIT projects. As more HIT projects require providers to enter documentation or orders for a patient, rather than just reviewing results or information about a patient, applications and systems need to link the provider to the work performed. Signing on to multiple applications and searching them all to find information on the same patient slows down a busy provider and can be confusing. Spending 30-60 seconds to sign on to an application is not feasible when the provider only needs to use an application for 1-2 minutes to check a test result or enter an order, before moving on to another computer at another patient bedside.

The Culture – The healthcare focus on patients and team care contributes to the shared access to patient information that occurs in many health systems. Providers share access to patient records with colleagues to facilitate care, usually so a colleague can save time and avoid having to sign on to an application. Once providers enter computerised orders or documentation in applications for patients, sharing access creates new problems. Privacy regulations in most countries also prohibit such practices.


Implementing IAM in healthcare is similar to implementing change and technology in other environments—the likelihood of success is directly related to how much pain the original problem causes the targeted user as well as to the user’s perception of the value of the new technology and processes being introduced. Technologies that will be used by providers, especially those that change how providers interact with patients or patient information, must be championed by providers for broad adoption. Whether individual providers, Chief Medical or Nursing Officers, or Medical Informatics Officers should lead IAM efforts depends on the health system’s local needs and culture. Effective implementation of IAM will enable better hospital management, improve workflows, and ultimately improve the quality of care provided.

Note from the author: The content is based on my chapter in "Medical Informatics: an Executive Primer" and other talks and articles I've authored, with some additional commentary.

Author BIO

Jonathan Leviss is the Director, Clinical Solutions, for Microsoft Health Solutions Group, and an internist at the Thundermist Health Center in Rhode Island. In his current role at Microsoft, Dr. Leviss leads a clinician subject matter expert team to develop and deliver marketing and sales support for technologies and services that are core to the Health Solutions Group.