Webinar Recording

Patients, People and Things - Managing Identities in Healthcare



Digital transformation is a game changer in the health sector and a core requirement is better identity management. The need for improved security in modern medical facilities, the growing reliance on monitoring devices and support for millennials in their health outcome management, all require improved healthcare IAM. This will eliminate administrative expense, implement up-to-date governance and facilitate the exploitation of known trends in healthcare.

Good afternoon. My name's Graham Williamson and I have here Anmol Singh, and we're going to be talking about the healthcare industry, and in particular in the healthcare industry. So welcome. For those in Europe, I guess it's a good morning to you. Welcome to those in Asia Pacific and good evening to those in New Zealand.
Okay. I want to just go through a little bit about KuppingerCole. The company was founded in 2004. It's headquartered in Germany and we support companies and users across many industries with the focus on identity and access management, particularly looking at information security issues, governance issues, risk management issues, and those sorts of things. In 2013, we commenced operation in Asia Pacific, headquartered in Singapore, and we also have operations in the United States, headquartered in Seattle. Our expertise is in three areas. First is research. For those of you who are unaware, please go to the KuppingerCole website and look through the research. There you'll find a wealth of information going back many years on identity and access management issues. So there's a lot of information there. Then there's events. I can talk about a couple of events in a moment, but KuppingerCole provides thought leadership in this area and provides that in a number of events on a worldwide basis.
And then there's the advisory services. If you would like any assistance with your identity and access management and in planning your development, please let us know. We would love to help you in that space. And we have analysts around the globe with specialties in various areas. In terms of events, the Consumer Identity World Tour is happening again this year. It commences in September in Seattle. In Europe, it's in Amsterdam this year in October, and we are back in Singapore in November for the Asia Pac. Do also go to the website and look through the Cybersecurity Leadership Summits. And if you would like to attend those, we would be very pleased to have you participate. In terms of the webinar, everybody's muted, just simply for logistics reasons. But we do encourage your questions. So we will have a question session at the end. So as we go, if a question pops up, please type it into the questionnaire in your screen on the right hand side, and we will endeavor to answer those questions as they come up. The webinar will be recorded, and so you will have that available to you to download.
I just want to start with transformation, digital transformation. I know we hear a lot about it these days, but in terms of healthcare, there's some things that I'd just like to point out. First is there are external drivers. Okay? So there's things happening in terms of rapid innovation, there's things happening in terms of additional regulation. So transformation is something that we must cope with. Then there's building the capability we need. And if there's one capability that as healthcare organizations we need to build, it is agility. And I know it's not easy. In some cases healthcare facilities can be less than agile, but we do need to embrace innovativeness these days. In terms of key topics, smart manufacturing, of course, is driving a lot of interest, the Internet of Things, and we're gonna be talking about that in a minute, and also know your customer.
And in this case, it's know your patient. In terms of the enabling technologies, there's multiple, but the specific focus for this webinar is on identity. How do we manage and leverage our identity and how do we keep it secure and private? In terms of the agenda, Anmol Singh's going to be commencing with an introduction to the strategic issues that we need to be concerned about within healthcare. And then I'm going to be talking about some of the tactical issues that we need to address in three specific areas: in our workplace identity and access management, in the Internet of Things issues, how do we manage information from devices, and in public access, which is becoming increasingly important when it comes to healthcare. And as I mentioned, at the end we'll have a question and answer session that I hope you'll all participate in.
Thank you, Graham. And I'd like to start here with Digna grants and the lobby of digital transformation to the healthcare industry. We increasingly see that everything and everyone is becoming increasingly connected. Traditionally, all the healthcare organizations, the hospitals, the clinics, they have been operating in silos. They have been individual IT systems, clinical systems, medical systems. What we see as the need in the industry is about having better connectivity between these organizations. There is also a need for healthcare organizations, healthcare providers, to expose services and other kinds of user related services to the customers and people, patients who want to control their own information, who want to be better engaged with these organizations and want to dictate as to how they want these operations to control their information. So I think consumerization is a big aspect of this digital transformation as well. These people want to obviously access this information and have an engagement with these organizations through their devices.
That could be their PCs, mobile phones, tablets, even wearables. And again, there is another aspect of smart things, I would say, medical IoT, where you have got sensors, monitors installed in smart homes or other supervised premises. We have got various emergency vehicles, which need to be physically interconnected to hospitals. For example, if there is an emergency alert, how the emergency staff is going to monitor or diagnose a person who's in transit to the hospital, so that the hospital authorities can be better prepared when he's arrived. At the same time, how they can operate remotely, how you can provide instructions for them and staff to operate on a person who is being transported. So all these various things, which are becoming important and increasingly interconnected, dictate certain requirements for IAM. Everything becomes important, but unfortunately, all of this is being done without understanding how the data is flowing between various entities, without understanding what are the risks of mishandling of personal health information if that goes in wrong hands, what are the risks of unauthorized access to some of these mission critical medical systems. But I think it's very important for us to understand how IAM is going to be an increasingly important technology for you to manage identity and access in the healthcare industry. And that's probably what we're going to discuss in the next few slides here.
We like to call it digital distill healthcare landscape. And as Graham mentioned, I will talk through some of the strategic directions of the digital healthcare landscape. I would like to talk about the challenges that we see in the healthcare industry relevant to identity and access management. I will also talk about some of the important considerations that one should look at while trying to design and develop an IAM for the healthcare ecosystem. And finally, we'll talk about what kind of technologies, vendors and other issues are applicable for the healthcare industry. Graham definitely will then talk about the tactical aspects of the digital healthcare landscape. In terms of challenges, there are very unique challenges that we see in the digital healthcare world, specifically related to management. There is limited IT budget available for healthcare industries. Most IT leaders in healthcare are struggling with getting sufficient budget for their IT initiatives.
And so it drills down to limited budget for security, and so for IAM. So I think that remains a constant challenge for the healthcare industry, which talks about the priorities and the focus of C levels on the security, and obviously on the IAM. That is also related to the lack of skilled IT resources in the industry for the healthcare domain. So the healthcare domain still struggles with resources and skilled resources in the industry. There is also increased cloud adoption. In fact, if you look at some surveys, the healthcare industry is one of the topmost industries who are adopting cloud-based services, that applications and infrastructure and platform service kind of elementary models, which makes it very important for healthcare organizations to ensure that they have the right people who are accessing the right resources at the right time, which means the right IAM controls for managing access and identities.
Obviously there are legacy systems, which I'll talk about later, but yes, a hybrid IT environment and access within a hybrid IT environment for healthcare operations is becoming important. Workforces are very fluid for healthcare organizations as well. So if you look at the type of audience or type of users, we have got patients, we have got doctors, nurses, technicians, temporary within doctors, for example. So there are really different types of workforces that we have within a healthcare ecosystem. And it's important for us to ensure that how one is going to manage them, their access, their identities, their authorization, all of that is according to security, privacy, as well as regulatory requirements. The healthcare industry is also struggling with legacy systems. You talk about managing electronic health records, PHI. There are various types of vendors available in the market, I would say vendors like Allscripts, Epic, Cerner, Meditech. Probably these various EHR record management applications are very complex in themselves.
And these systems are not designed to manage, I would say, that entire Analyst life cycle of users. Yeah. We should just point out EHR is electronic health records. That's right. Which are basically the replacement of paper based health records in the industry. And it's so important that we have the right regulations and right controls to manage EHR. And obviously we have got various regulatory requirements like HIPAA and others, I believe as well HITECH, which are governing requirements for managing this information in the industry. Privacy regulations: I think we talked about EHR and real time health systems. There's also increased interest of government as well as citizens who want to control their health information in the industry. And obviously that also becomes a challenge because our common systems are not equipped to address these interests from government and citizens pretty well. So what are the primary considerations that IAM leaders or security leaders should consider when they're trying to develop a roadmap for their access management or a strategy for access management?
The first thing which is important is to look at how you can manage the entire patient verification and life cycle management. This is something which has been ignored for a while. We have to ensure that you just don't focus on managing the patient record, but you manage the entire audited life cycle of a patient through various hospitals, through various institutions. And it could be synchronized and consolidated across all those various visits, as well as the various centers. Manage several profiles and relationships. Obviously that comes as part of a consumer IAM, but yes, how can you manage their profile and their relationships? For example, are you going to allow kin or a son to approve a medication or receive medication for their parents, for example? So all these various relationship profiles are important as well to be set up as part of IAM profiles. Consistent user experience across the multitude of medical and clinical systems is something which is also missing, and increasingly the medical staff, as well as people, are demanding that we don't want to use various different types of authenticators, access information, credentials to access different types of systems.
So obviously we want to make sure that we have the consistent user experience for people across all these various types of D systems. Support for regulatory requirements, regulatory obligations, compliance requirements in the health industry, based on the region, is also important. So how can you make sure that there is good support available for regulatory obligations and compliance requirements in the health industry for the region or the country that you're operating in, IAM controls compliant to those healthcare specific regulations as well? Management of segregation of duty risks is, again, a very important aspect. So for example, there are different types of roles that can be created in your identity and access management system. Roles like a doctor, or a resident doctor who might have access to a doctor's profile, as well as a student in a university medical college who might have access as a student as well.
So obviously there are segregation of duty risks, which can be infused very easily in these kinds of systems. And we have to make sure that we address this kind of access violations or policy violations while provisioning the users or giving access to some of these users in the systems. Federation with citizen ID schemes, government IdPs is also something which consumers are looking for. So they want to log on, for example, to a hospital website to book an appointment with a doctor using their centralized or national identity. It is something which is increasingly being asked by these people. And they can track what appointments they have done, they can go and schedule that, and all of those services, which increasingly consumers are expecting today. And finally, single sign-on with third party vendors' ecosystems. So increasingly, we need to have better single sign-on with third party vendors' ecosystems as well in this industry.
So coming to the identity and access management technology landscape in that digital healthcare industry. So what types of technologies and vendors are playing in the industry? Primarily there are two types of systems that can help you to manage access management. And this is obviously generic across all the industry verticals, but yes, we have got primarily the IGA solutions, identity governance and administration solutions, which help you to manage the identity life cycle, both for the workforce as well as for consumers and citizens. These solutions also help you to manage policy and role management. So you can have policies defined for how you want to provision users across systems. Also you can combine an element of these users and roles, and how you can manage roles of these users, create groups of these users to access systems and information. And these solutions also help you with segregation of duty risks across all these various application systems, especially how you can manage segregation of duty centrally across all these various systems, define centralized policies which can govern segregation of duty policy violations across systems, both on premise as well as applications in the cloud, which is becoming very important.
And finally, we have got the other type of solutions, which are the access management solutions. So I think this is more common across this healthcare industry. Not many healthcare providers have been able to gain a good maturity level in deploying and implementing IGA, but access solutions have been there for a while. And so I believe if you try to segregate or separate the maturity levels for the two, access management solutions have got a better maturity in the digital healthcare space. Obviously there are authentication and authorization solutions available, which also help to manage privacy and disclaimer policy management, especially for consumer initiatives, profiling of users and also personalization, which is increasingly being asked for by these customers, and finally medical IoT device management, profile and relationship management. We talked about that, but yes, all these various types of devices, sensors, monitors, wearables, which can collect information, analyze information and act, are also very important for you to consider as part of your access management solutions. So with that, I'd like to hand it over to Graham again.
Yeah, it's good that we keep in mind those high level issues that we need to be concerned about. And thank you for pointing out the difference between the identity governance solutions and the access management solutions. So those are two separate components of identity and access management. Now we're just gonna talk about three areas over the next few minutes. First is in the workforce. What do we need to do for technical and non-clinical staff in the healthcare facility, what do we need to do about public access, and then finally what do we do about devices. And we've had a comment here, and thank you for the comment. Please put in your questions. When we are talking about devices, it's not just the devices that we might think of in IT, it's now the operational devices like the infusion pumps and devices like that.
So we will actually talk about the various types of devices that we need to be concerned with. In terms of workforce IAM, the clinical and non-clinical areas have some distinct characteristics I want to go over, but I think it's useful when you consider workforce IAM to think of three things. First is how efficient are you? I've seen a number of healthcare institutions where there's double entry or triple entry of data. It is very costly to do that, particularly since mistakes can creep in. Then there's the effectiveness. I've seen situations where very expensive healthcare personnel can't get access to the systems they need. And so that's a major problem in some healthcare facilities. We need to make sure that when somebody comes in on the first day of work, they can access the systems they want. And then the cybersecurity space: good identity and access management is going to raise your profile in terms of cybersecurity and remove attack vectors that might exist in the system.
So, and as said, the tasks are both in provisioning and in the access management space. So clinicians. Clinicians are mission critical. They're very expensive people. We don't want to waste their time. I observe that they tolerate passwords. In fact, in one study, I saw that the healthcare professionals were inputting passwords up to 20 times a day. We don't need to do that anymore, folks. We can do better than that. Mobile devices are the future. In terms of security, mobile devices give you very, very secure access. In fact, I would prefer that over a desktop device within an internal hospital network. The devices now have capabilities that we only dreamt about a few years ago. The provisioning task can leverage that. And here, what we need to do is recognize that the activity of provisioning a clinician to a system can be automated.
I mean, in one healthcare facility that I was in, they said there's no way that, if you're not a medical person, you could provision a clinician to various systems; it has to be done by the hospital administrator. Well, we then went on and proved that by asking three questions, we could do 80% of the provisioning automatically via an identity management system. So take a look at that provisioning task and make sure that it meets the efficiency that you want. In terms of the data stores, this is a major issue. We're seeing lots of changes happening now. So Anmol mentioned how legacy systems have not been very good at supporting external data stores. Well, that's getting better, particularly with the electronic master patient index, where it's not just patients anymore. It's also practitioners that applications are supporting in terms of financial seven protocol.
In terms of the non-clinical, what we're talking about here is the administrative systems, the accounting systems, the HR management systems. And again, they're typically closed. They're big ERP type software offerings and often maintain all of that data internally. So we need to make sure that our provisioning system can write to those databases and make sure that we can set the access management that staff should have correctly. There are a number of situations I've been in where AD is considered the enterprise directory, and of course an Active Directory is far different from an enterprise directory. An Active Directory is an authentication directory, and quite rightly an AD admin person should be able to shoot anybody that gets in the way. An enterprise directory is a directory where you're storing information that's necessary within the organization, and you need to be able to extend the schema if there's another attribute to be added.
So we're talking two different things there. You need to think through what that data store should be. In terms of the provisioning tasks, the biggest issue I've observed in hospitals is role explosion. So particularly in finance systems, the people that are designing the finance systems have hundreds of different roles that they want to put in place. And that of course makes the provisioning task more of a challenge. So we need to manage the roles that we adopt within a healthcare facility. And finally, the governance challenges. The biggest one is not auditing things on a regular basis, not having attestation records that we can send out to managers or notify managers of. So these days, it should all be done on screen. The identity management system should automatically notify managers and say, this is the access your staff has, is it correct? And if they indicate, no, it's not correct, then the identity management system should correct that entry. If it is correct, it should timestamp it: that has been test checked at this point in time.
At this point, Graham, I'd just like to also bring in that increasingly we're also looking at, in fact, there's a need for ad hoc or micro certifications at PO as well.
This is true.
And event-based certifications that can be invoked, if someone is requesting access in addition, or some event which has been defined by policy to invoke an ad hoc certification, should also be,
This is a very good point. And I do recommend that there's a self-service facility to allow somebody to request ad hoc access, and then a manager would review that and say yes, for this week, this person's acting in that role, and then grant them that access.
That's right. Good point.
Okay. In terms of public, there's a lot happening in this space now, and I've observed some very in solutions that are being put forward. So in one healthcare facility, they've developed a mobile app, cuz everything's happening in the mobile environment now. And this app did three things. It allowed people to go in and look at information on drugs and pharmaceuticals to find out what side effects there might be; it was all there available to them. It also allowed them to make appointments within the institution, and finally let them go into their electronic health record and actually see the diagnosis that has happened for episodes that they've been involved in. Very, very impressive. But when you're giving access to the public, there are issues that you must be aware of. Okay, you've gotta make sure that you design the system.
So you are properly catering for that patient journey. You've gotta make sure that you adhere to privacy regulations as well. When it comes to healthcare records, that is very sensitive information and it must be protected. And there are ways of doing that; I'll come to an example in a moment. In terms of the specifics, one thing I've been really getting enthused about these days is what millennials want. And I've observed that, I mean, obviously they want everything on the smartphone. It seems that anything over about six inches is too big. They've gotta have it on a smartphone, and they want to own their health records. I mean, in my experience, I just take what the health industry gives me. Not so the millennials. They want to say, what's the issue here? How do I manage it?
And how do I access the information that I need? And then they're putting in place all of the other things that go around that, the exercise routines, the Fitbits and things like that. There's the registration piece of it. You can't give access to somebody that you've not registered. So you need to make sure that the registration process that you put people through matches what you are providing them. So if you're just providing them the side effects of drugs, then you don't need to really identify them. If you are giving them access to the health record, you'd better be darn sure they're the right person. So the registration process must match the assurance level that you want. More on that in a minute. The final component of the public access is this identity data store. So what we are seeing here is some significant movement.
When it comes to public access, the members of the public are a very wide, very large cohort that you've got to deal with. But it's shallow. It's not like in your healthcare facility, where you had to, in a workforce IAM system, look after what's that clinician's role, what access should they get, all of that detail. Now we're talking about a shallow access, but very wide. So it's a different ballgame to identity access management. And again, I had an argument with one clinician one time. He says, well, we already got all the information we need in our patient administration system. Well, that's wrong on two counts. One is the patient administration system is a protected data store that's for that clinical application. It's not something you should be hitting with an LDAP request.
For instance. The second point is the people outside of that patient system that you also want to cater for. In fact, you want the pre-patients. The more you can do to keep people out of your hospitals and clinics the better. So the public access systems go beyond your patients. I hope relationships. And also already mentioned that increasingly we are being required to manage access. We need to have capabilities where people can delegate authority for health activities to their sons, daughters, other relatives, and again, that needs to be recorded. So we're increasingly seeing the use of graph DBs and NoSQL databases, where we're able to track relationships in a better way than we've ever been able to do in a structured schema-based data store. Federation's very important. If you're gonna deal with public access, you need to look at, well, where else might that information be? Okay. So if there's already a government database that you could use for giving public access, again, you'd better make sure that the registration process the government's gone through in setting up those records matches your requirements. But if you can leverage someone else's work, do it. It'll make your job so much easier.
In terms of federation, it's important for us to look at the enrollment identity proofing activity and make sure that it matches our particular requirement. Make sure that when it comes to the federation, if we are federating, i.e. our system is going out to a separate database to authenticate somebody to one of our systems, we need to have gone to that remote site and said, what do you do when you register people? If my requirement is highly sensitive, as it is for electronic health records, then the registration process that that federated environment has gone through must match your requirements. So the identity assurance level must match the authentication requirement in this,
Right. But I think, yeah, this is important on the slide here. We talked about the registration: how can we prove the identity of a new user, whether a customer, consumer, or even an employee? So I think it's important for us to look at all the various levels of enrollment and identity proofing which are being proposed by the NIST national technology guidelines within their SP 800-63-3 guidelines. And this is just a showcase of those guidelines, which are very relevant when you try to register a person across all the various use cases. For example, you might have requirements to register a person who comes in person to the clinic, or a person who's trying to register online. You might be trying to register a person at the health camp. So all these various use cases, they have got different assurance requirements as part of the entire identity assurance level, which are defined by NIST.
We try to authenticate these users, these people, with workforce, with consumers, again based on the use cases, the devices that they're using to access information, and obviously the medical devices, which are not the user devices. How are you going to use these assurance levels and authenticators to authenticate people on these systems? Again, there are three different types of levels which are proposed by NIST, which provide whether you want the user to use a single user password, you want the user to, for example, use cryptographic mechanisms to authenticate, or you want the user to have do authentication. That's probably the level three. Similarly, the federated moms, where we talk about FAL, the Federation Assurance Level. So how we are going to provide security for the assertions which are being provided to the relying party to authenticate a user is also important. And there obviously there are three levels proposed: level one, I believe, where the relying party can simply have an assertion to act on it; level two, where you need to have a cryptographic mechanism to encrypt the assertion; and level three, where you need to provide evidence that only the relying party can decrypt the assertion, and another physically encrypted mechanism to store the keys. So I think, yeah, those are important aspects of the environment for the assurance levels, if you're looking at providing.
Yeah. And my observation is that with the mobile devices these days, we can do that to a very high degree because of the facial recognition capabilities within the mobile device. And if you compare facial recognition with, for instance, a government. So for instance, in Australia, they're looking at using the state based driver's license pictures to provide access into the federal government's past system. In Hong Kong, they're looking at potentially using the immigration's Hong Kong ID card. So there are ways that it can be done to a very high level in terms of verifying that somebody is indeed who they say they are before you give them access to electronic health records, which is obviously a level three security requirement. Okay.
Onto devices. And as has been pointed out, when we're talking about devices, we're talking all sorts of different things. So the vital sign monitoring systems that are in use in many acute care facilities are we need to manage the data coming from those and make sure it gets to the right, right spot. Increasingly healthcare organizations are, are looking at home monitoring. Why bring somebody into a hospital and undergo that expense, if it's a chronic condition that you can monitor remotely? But again, you better make sure that that incoming data stream is properly identified. And of course, encrypted. Then there's the wearables, what are we gonna do about Fitbits? Like Fitbits have saved lives. And I got into a bit of an argument with one of the state-based medical people I was talking to in Australia who said, no, we, we won't like, we won't let any device that we don't own attached to our network. Well, no, that, that's, that's a very shortsighted approach that we have the technology in terms of making sure that we can support these, these other devices and they're gonna become increasingly more important. So we, we need to think through how, how we're gonna do that. And of course, there's the nonclinical stuff too. It's how about the, the medical gas supply that's hooked up to, to the ward? How do we know that? That's right. How do we know that it's, that that's that facilities there? There's what about temperatures, environmental conditions, all of this, as it type of, of information as well. What I I like to do is look at it in terms of the CIA model. Okay. What confidentiality issues are there, what integrity issues are there and what availability issues there are.
So for clinical information systems, we're talking now a, a device that's monitoring something, let's say a bedside monitoring device. Well, we have an episode now where this patient is in this bed for a period of time. How do we make sure that data stream gets to that the, the, the correct place? How do we make sure that the, the clinician looking after that patient gets access to that, that data stream, and how do we make sure that any diagnosis from that gets into the patient record? My observation is the that's done manually when the machine is hooked up, there's, it's entered in, the episode number's entered into it. And, and, and there's a potential for error there. So you need to think through what can, what, what, what can be done in terms of confidentiality, integrity, like really, we, we need to encrypt all data, data streams in terms of availability.
We need to make sure, obviously that this, the devices is high, high availability, then this in-home monitoring devices. So this is now where there's the actual monitoring devices are remote location and transmitting back over internet or tele telephony to the, to the healthcare facility. So again, we gotta make sure that we, we correctly match that stationed ID with the, with the patient, again, encryption of the data in transit, and making sure that we had some mechanism to make sure that the right people get that data at the right time, in terms of personal wearable devices. It seems to me, the trend these days is to use platform. And we are seeing multiple platforms coming on the market capital health, Samsung Health, Google Fit, and potentially integrating with these platforms will give you the solution for secure access to personal devices. In terms of integrity.
There's gotta be management of the application programming interface there, and we've gotta make sure that we, we correctly apply the security controls. They want availability is not really much of an issue. We need to think through this. So, so as you go through the various IoT devices that you're using in your healthcare facility, think through the CIA model and suggest how come up with the ways that you want to actually manage what you're doing. Okay. In terms of takeaways, what, what have we gone through? Let's just do a quick, quick recap here in terms of the workforce, we need to prioritize what we're doing. We need to know what applications that we're providing access to. And we need to ensure that we correctly handle governance correctly provision. And we're typically going to use an identity manager solution where we are provisioning into the various applications that are used within that healthcare facility to do that.
We need to know that we've got the entitlements, right. And as I mentioned in this one study, we did, we, we looked at how we actually would come up with the entitlement and we proved that we could actually do 80% of the entitlements we could do automatically. So from, from clinicians point of view, we had seven types of, of doctors. We had nine types nurses, and we had 15 types of allied health professionals. And depending upon the, the type of role they were in, then we, and, and the facility that they were working in, we could provision into the systems that they needed. And that course could be done for zero day provisioning. So on day one, when they came in, they were able to access the various systems that they needed to for the anomalies. As, as mentioned, those can be handled through a request mechanism, whether it's a, self-service, where we go into and indicate what we want, that goes through an approval process.
And then we get access to the, to those other devices. We need to define what our enterprise directory requirements are. We need, we need to know what document attributes we need. Now we need to document the attributes we need. Okay. So we need to know within the system, what are we going to store? What information we need to store, and it's all there. I mean, we just query our applications and we can see the information we need. In terms of protocols, it's good old LDAP. That's been around a long time. SAML for a federated environment. That's the, the approved, shall we say, protocol in that space. But increasingly we are seeing that healthcare applications are exposing APIs that we connect to in order to provide the identity information to them that they need. And in terms of managing, when API does two things, it manages the data stream and it also provides the security.
So it makes sure that that application has no sessions connecting to it that are not appropriate for what's being exposed in terms of public access. As we mentioned, looks through the application, you wanna provide you under privacy legislation cannot require people to identify themselves at a higher level than they need to in order to get the information that you're providing. So it's just, you know, it's just overdose issues. Or if it's in terms of pharmaceutical or you wanna provide information on, you really don't need to ask the person's name, but obviously when it becomes a healthcare record, it's critical, you know, exactly who's accessing that information. Public registration makes sure that the identity registration meets your insurance requirements and what sort of electronic ID identity integration you're going to provide. If you can do it through somebody else's data store, do it in terms of the public data Federation is, is indeed a way to go.
It's tried and true technology device management, define the policies, make sure that you say exactly what you want, tell your vendors what you want and vendors will comply. Vendors want to want to comply with the policies there, cuz that's the only reason they're gonna sell their product. So make sure you write it down, make sure you communicate what your requirements are when it comes to communications, make sure that you encrypt everything, please. That does mean you're gonna have to solve the certificate management issue, but it's, there's many solutions in that space. Now, did you want, just do the recommendations?
Sure. Thanks again. So I think we come to end of this discussion. I'd like to take you through some of the recommendations that we we think are important for you to, to start building your IAM program. The first thing which is, which is really important is to understand who are your stakeholders and what their current priorities are. I think this is applicable across the industries, but it's become very important for healthcare providers as well to understand what other ways, types of stakeholders, which were traditionally not very important for them. But as we said, with the consumers, with millennials, they're all asking for better services, you already understand their requirements, their practice as well, and build services around those priorities. You also look into how you can develop an IAM strategy, which doesn't only support your recent initiatives, but also also honors the legacy. All medical systems still have got these very independent systems, medical devices, which run on very proprietary operating, operating and month.
So how can you integrate these systems into your entire IAM strategy, make sure that you have provisions for accessing these systems, provisioning users to these systems, as well as ensuring that they are operating at the right security level as well, building an enterprise IAM infrastructure with adaptive capabilities to meet varied assurance requirements. So obviously we talk about how you can bring context adaptive capabilities to, to dynamically understand the assurance requirements of all the various users without burdening them with the security controls and decide on what kind of assurances they would need to access a particular information or system. So things like dynamic authorization, or even I would say step-up authentication to, to build that level of assurance in the process is something you might want to consider building a consumer IAM infrastructure that ensures data privacy and puts the users in control of the information.
I think we talked about it, making sure that you have a consumer IAM initiative or a controls, which ensures the privacy of users you have got right consent management controls. We have got right data disclosure policies and also provide user preferences controls for them to control their own information and manage how they would like to control that information as the business value of workforce and consumer ID use cases before designing IAM controls for IoT devices. And finally also consider IAM vendors and professional providers who have got knowledge and expertise in the healthcare domain. So not all of professional service providers or vendors, they provide expertise in healthcare domain. There are a number of those, however, which are very much aligned to healthcare services. So they have got expertise and they have better knowledge how your processes should be, for example, tailored for a better, for a better access management controls is, is something you should also consider as part of your overall IAM strategy.
Okay. Very good. Thanks for that. I'll just put on some, some of the research reports that you might want to go into with a couple of questions here. What do you do about data in multiple locations? Okay. I think this, this is probably referring to the fact that different medical applications tend to store their data internally and therefore it makes it harder to integrate well, I guess there's two sides to this first is I, if you've got a single identity access management system, it can feed multiple applications. So, so you, the application can stall it out, but it needs to be provisioned centrally. And so you've got central policy control over that data. So, and then, then of course the, an identity management solution can then provide governance over that. It could look at the access that that application says somebody has, it can compare with, with what that person should have in terms of what it's provisioned and, and it can flag any problems.
So that's the, the governance component that an identity access system can provide. Now, I guess another, another, I guess, I don't know how you read that. I'm not, but it could also be that we need to take data from applications and put it in one location to, so, so in some cases we might want to build like a patient admin system typically does this. So it's pulling data from various applications within the healthcare facility and using it as terms of a patient record. If your patient record's fragmented, then it there's the EMPI, something like that we've got a master patient index can, can be, can be used. So how you would read
That in terms of managing data across multiple locations. I, I think you're right. We have to look into there two things which vendors can do basically organization of data, as well as how they can index the data based on different locations and what the priorities are in terms of managing the medical data. So concerns and data privacy concerns based on location. So what for example, a lot of consumers are doing, are they managing of customers data based on ions and policies? So I think if you want to manage the data across verifications, I think it's talk about medical data, but yeah, those controls can be well applied to, to this case as well.
Okay. One another question here. What mobile platforms should we support? Okay. That's it depends where you are. So if you're in China, it'll be very different than if you're in Australia. So monitor what your, what your cohort is saying. Like I found that if you just ask your patients what they use and, and then build your support around that, I think that's, that's probably the, the way to go. I have, I've been very impressed with what I've been reading in regard to Samsung Health. They're doing some, some pretty impressive stuff, Google Fit. And there's multiple platforms that we see we're seeing coming up and thinking through how to interface to those and how to provide information through that. Through those platforms gives a lot of benefit because it means you don't have to develop the platform somebody's done for you. It's just a matter of making sure the regulations put in place.
I, I think that comes back to the first recommendation that we talked about to understand your stakeholders, understand the priorities. So, you know, you might want to do a, for example, a quick survey to understand who your users are, what kind of devices they're using, what a demographic of your users, what kind of applications that they're using on their devices. And based on that, you might only take a decision as to what kind of mobile platforms are, are more popular amongst certain, certain audiences. And based on that, you prioritize the adoption of these mobile platforms in the, in your technology.
Okay. One other question's come in. How do you manage user identities, access controls and its governance, especially in the new hybrid environment with both cloud and on-prem? That's a very good one. The cloud is becoming increasingly more important, increasingly important. And we are seeing that the healthcare institutions are beginning to say, yeah, the security's alright, I'm putting it there. If you can go a hundred percent of the cloud, then that will very much improve your, your ability to come up with, with common access controls and governance. If you can't be dealing with, with, with two environments, have some mechanism that pulls that together. So a directory, for instance, that's pulling information from the on-prem systems and from the new cloud systems and exposing it for some purpose. So you're gonna have to build something that does that integration in, in a hybrid environment. But as you acquire new software applications, they're probably going to be running in the cloud, either a public cloud or a private cloud, or, and sometimes a managed service. If you've got somebody that's managing the service for you, increasingly you need to go to them and say, this is the information I need. This is the integration I need with, with some other systems, because typically this it's more than just one, one system that you're you're dealing with. I dunno whether I properly answered that.
I think that's right.
Do send in the question and, and, and if we can, we can elaborate.
Fine as well. Yeah, you're right. I think if you are looking at managing your hybrid IT reality as we talk about, it's also important for you to understand the composition of systems and applications that you have on-prem as well as the cloud. So let's say mostly strategic direction to go on cloud in next five years. If you think you're going to be pretty heavy on cloud adoption, then looking at a vendor that provides cloud based identity and access management services would make more sense for you. If you think that your on premise systems and applications that you have host hosted on premises are very complex in nature. They require pretty detailed entity controls in terms of authorization, et cetera. Then on-prem based IAM solution to make more sense for you. I think both on premises solutions, they provide connectors for you to connect to applications in the cloud, as well as now, the solutions which are based in cloud. The IAM the, I guess, providers provide in the cloud, they have got connectors to connect to your on-prem systems. So it's, it's about for you to decide what kind of integrations and connectors, which are in the market from these vendors and can satisfy the, the depth of your functionalities, which you require out of these systems. So that definitely will require a pretty, pretty extensive analysis of the right composition and systems and integration of your systems and applications.
Super thanks very much for your participation today. Our time has gone. If there's the, the recording of the webinar will be up on the website shortly. If you want to, to have go through it again, and the slides will be there too, if you would like to have a look at those good day,
Thank you.
