Managing Digital Identities During and After a Pandemic: A Thought Leadership Roundtable

By Candace Stuart

Introduction

The COVID-19 pandemic accelerated the shift in digital healthcare from its traditional boundaries of hospitals and other healthcare facilities to a new frontier that now includes employees’ home offices and patients’ residences. Clinicians, often serving in multiple roles, can access multiple devices from multiple locations, making the management of their digital identities exponentially more complex at a time when the security threat has never been greater. Using the Health Information Sharing and Analysis Center (H-ISAC) “Framework for CISOs to Manage Identity” as a foundation, Imprivata offers a digital identity platform to help healthcare executives and their organizations navigate this challenging environment.

Members of the College of Healthcare Information Management Executives (CHIME) joined Imprivata CEO Gus Malezis and Imprivata CTO Wes Wright to discuss digital identity management strategies in a virtual thought leadership roundtable. CHIME President and CEO Russell Branzell served as moderator. CHIME participants included:

• Tamra Durfee, Director, Technical Services, Enloe Medical Center
• Steve Eckert, CTO, Cook Children’s Health Care System
• Steve Hess, CIO, UCHealth in Colorado
• Dave Lehr, Chief Strategy Officer, Meritus Health
• Shafiq Rab, MD, Chief Digital Officer and CIO, Wellforce

Adjusting to Telehealth and Telework 

RB: It’s safe to say the traditional boundaries of healthcare and the health system don’t exist anymore; the walls have come crumbling down. The players in the hospital and health system have dramatically grown and changed. Data and information integration requirements are multiple factors more complex. The equipment, devices and systems have grown and changed; some are old and legacy, some are brand new and in the cloud. Along with that there’s this expectation that it all will be secure. How do we make sure we have the right people, the right device, accessing the right data, at the right time? Is that the environment you have to deal with every single day?

DL (referring to his experiences as CIO at Luminis Health): We’ve been growing the number of users dramatically. Patients logging in and having digital access to their records and their care has long been our fastest growing segment, and that’s taken off even more since people started social distancing and doing more care via telehealth. The tools that they use are getting more complex. The remote workforce has been a surprising challenge for us because even though we had a group who were remote before, now they’re remote all the time. Even simple things like their machines getting regular updates when they’re attached to our network, we’ve had to rethink.

TD: It has been a cultural shift for us at Enloe. Information Services were already working from home due to being on-call, so we have that capability, but that was not the cultural norm. On the provider side, we now have radiologists who want the ability to read images from home, so we are deploying radiology reading workstations into homes for radiologists. More and more providers want those capabilities to do their work remotely.

SH: From a virtual health perspective, family members and their identities and their relationship with the patients are also important. They are part of the care team, so making sure that that appropriate proxy relationships are established and have the appropriate access. Also, with hospital-to-home remote patient monitoring, connecting wearables to patients and making sure it’s the right one on the right patient through some kind of digital fingerprint is going to be really important.

SE: We’ve opened up telehealth; we’ve opened up work from home. In many cases at Cook, people who now work from home aren’t coming back. There are complexities all the way across the board of new communication methods that have to be put in place, and new assurances to be certain that patients are getting the right access. We’re coming to terms with the realization that our world has changed and we have to make sure that we’re communicating effectively and in different ways.

Multiple Roles and Multiple Devices

RB: Now there’s maybe 10, 20 devices attached to one person’s identity. How do you manage the complexity?

SR: It’s not easy. Digital transformation has begun, and we are moving out of the main cathedral of the hospital to everywhere, and everywhere there is some data point collected for something. There are APIs (application programming interfaces) to access that data on behalf of or for the person collecting. Now we are becoming customer focused.

Digital identity has become very important, not only to identify but to authenticate to understand we are getting the right information from the right device for the right patient, at the right time, every time securely. Then, on the back end somebody is synthesizing it, somebody is de-identifying it, and somebody is doing research on it. I wish we had a national patient ID, but we don’t.

DL: You have to have processes that manage and take into account all the different scenarios. One example is an anesthesiologist. When you log in, your identity associates you with an anesthesiology workflow, which is OR driven. Our OR shut down at the beginning of the pandemic, and we had these clinicians now covering for ICU because we tripled our ICU capacity. We needed to be able to identify them as now clinicians who were going to be presented with ICU workloads and ICU tools. On a dime we had to attach to their identity a whole new set of privileges and reduce a set of privileges. We had to change our processes to respond better to people who are working different jobs in new scenarios.

GM: You don’t really see this multiplicity of roles in many other places outside of healthcare. In healthcare, you could be doing one role in the morning and something different in the afternoon in a completely different part of the care delivery environment.

Advanced Technologies and Artificial Intelligence

TD: Looking forward, I know that there are technologies out there, especially AI, where you can really look at someone’s identity and what is normal for them. Does an IT person log in at 2 a.m.? They do, because there’s an outage. Should a nurse who only works during the day be logging in at 2 a.m.? No. From a security standpoint, looking at someone’s digital identity and tracking what’s their norm and more important what is not has a lot of potential.

SH: Our dilemma from a 600-bed academic hospital down to a 15-bed critical access is a nurse is not a nurse is not a nurse. As we set up the EHR and access identities, we have to have very different roles. That’s because a nurse in a critical access hospital could be doing L&D (labor and delivery) in the morning and ICU in the afternoon. Having some flexibility in your security profiles to be able to take care of both of those situations is going to be important.

We’re in this world of so much complexity, so many different devices. You could be using a BYOD mobile phone in the morning and a company-provided desktop in the afternoon and everything in between. It’s going to come down to behavioral analysis and fingerprints. Everybody has a fingerprint. And it might be a fingerprint by day of week, it might be a fingerprint by location. We see your normal fingerprint and we see when your fingerprint’s abnormal and intervene. That’s the only way we’re going to survive in this increasingly complex world.

SE: The thing that excites me most about the analytics of being able to look at things that are outside the norm and behaviors that seemingly should not happen is being able to quickly act on them. If we can’t act on them, or we don’t act on them, then they’re no good.

SR: If you want to go into the digital world, you have to solve it digitally. You can’t solve it with the old way of thinking. It’s not humanly possible because the data points are so many. Keep experience and ease of use as the guiding principle.

A Strategic Framework

RB: How do you approach this from a strategic perspective?

SR: There are a multitude of solutions out there. You basically need an architect. You need a team of people to surround you to build out your architecture.

DL: A lot of it comes back to the processes. For instance, if somebody keeps billing after their credentials have expired, or after they’ve lost their credentials, we would want the process to inform the system that things have changed. A lot of times, that process breakdown is where we get in trouble. Somebody gets terminated or a contract is up, or a contractor leaves the vendor or is replaced. Those things require the process to be there to inform whatever system is in place to change the expectation. Just watching what’s happening and making sure it’s consistent, isn’t a silver bullet.

RB: There is so much complexity here, at some point you have to have a framework.

WW: Identity is about the organization’s entire ecosystem and not just FTEs (full-time employees) and providers. What about your contractors? What about your nursing students? What about your locums? What about those non-human entities? You know those administrative accounts that you set up in (your EHR) that have to talk to the radiology account? That’s a digital identity and somebody could steal that digital identity just as much as any other digital identity. You really have to make sure to get that into your management process as well. That’s the H-ISAC framework and we’ve done some work on top of that.

Streamlining a Complex System

RB: Do you approach this as a unified platform? Is that an approach that works?

TD: Having a single product that can do it all from end to end is a big advantage. Every product that you have has overhead that goes with it. Not just from the technical teams that support them, but there is contracting, payment of invoices, training and upgrades. That is one of the benefits of having less systems, less overhead. There are times though where it makes sense to go with the best of breed. I think you just have to evaluate each scenario and determine what’s right for your organization.

SE: For me, it’s simplicity. Being able to go to a single platform, being able to have a very limited number of partners in this game is really key. Bringing down and narrowing the number of firms, so that you can work with people you trust and rely on is going to be the key to success.

SH: What we’ve done at UCHealth is find innovation partners who can integrate well with an EHR and take intelligence and innovation machine learning AI to the next level. I don’t think anybody can always be everything to everyone. Where do you allow innovation, where do you allow integration, where do you allow FHIR API and so on, versus when does it have to be that core transactional IAM (Identity and Access Management)? The other piece of information security strategy is that we have multiple external parties do our risk assessment, our pen test, our application reviews, and our security event management so that we have some checks and balances.

Having one IAM is the right thing to do, but then maybe having others who do the risk assessment or the vulnerability testing on top of that might not be a bad thing. This is a very complex world and thinking through the innovation play but also the risk assessment play, you don’t want to have all your eggs in one basket.

DH: We had a fellow whose biggest project was looking at the processes around identity management. He called me in at one point and said, “OK, I’m pretty far along and I have a lot of it built out. Let me show it to you.” It wrapped around the walls of the conference room. It was amazingly complicated. All the opportunities for failed handoffs, and the issues that could arise and were arising, he circled in red. They were almost all related to multiple systems being used in the process that weren’t quite perfectly integrated together and so a human had to do something to make sure that the handoff between systems worked well. A single system approach is attractive to me because I’ve seen all the ways that it can go wrong in this particular arena.

GM: We believe that digital identity is a platform. It’s not just a component. You really want to pick a good platform and a good platform vendor and that serves 90% of your needs. If we can get to 90% and take away the cost of integration, interoperability, and the complexities that come with you being the system integrator, then we can deliver a ton more value. That system also cannot compromise provider performance, provider efficiency and usability. It has to work anywhere, anyplace, anytime, with anything.

Conclusion

H-ISAC released a white paper titled “Framework for CISOs to Manage Identity” in 2020 as an identity-centric approach for CISOs and other digital healthcare executives to protect their organizations against cyberattacks. The framework outlines the different components of a comprehensive program that includes customers and external partners as well as the internal workforce. Imprivata has developed a digital identity management tool that aligns with H-ISAC’s framework. The complexity of managing the identities of a growing number of people – some with multiple roles who use multiple devices – and machines that range from state-of-the art to legacy raises the potential for errors. A unified digital identity management platform that streamlines and simplifies the process offers many advantages, but each organization must decide which strategy is right for them.