Improving Efficiency and Protecting Patient's Information by Automating the Identity and Access Management Process
Credentialing employees and vendors so that they have access to the appropriate programs in a timely manner, and protecting access to these systems, was imperative for Memorial Healthcare System, especially since some of these systems provide access to personal health information (PHI). From an IT perspective, the additional criteria included time efficiency and agility in providing access to these systems.
A few years ago, our provisioning process was done manually. We had to create, modify, or disable access to all accounts for employees and vendors one by one. With this setup, it could easily take an analyst up to 30 minutes to create all requested accounts for each user.
With the lack of standardization, there were delays and inconsistencies when processing access requests for new employees or vendors. We realized it was important for us to find a vendor we could partner with to design an automated process which would standardize the provisioning of accounts and increase our efficiency in providing the correct access needed.
Memorial Healthcare System (MHS) built a role database that defines the applications and level of access each role should have based on the job functions and location of each employee or vendor. Our current Electronic Health Record (EHR) was the main driver when building this role database, ensuring appropriate access to patient information was assigned to our end users. The clinical, business and technical teams, along with our Human Resources Department, collaborated to identify which applications and what level of access each job role required.
After Identity Governance, our current Identity and Access Management system, was implemented, what used to take up to 30 minutes manually is now processed automatically in seconds, for many accounts at the same time. For employees, the creation of the accounts, changes to their role due to transfers or promotions, and account terminations all happen automatically when there is any change in our Human Resources system. For vendors, we use the Identity Governance Portal to enter the vendor information and select the appropriate role. All accounts are automatically created with the appropriate access based on the defined role. By automating the provisioning of user and application accounts, our System Access analysts can now focus on better quality of service, supporting our customers with additional access requests, and making sure they have the level of access they need in a timely manner.
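The hire, transfer and termination handling described above can be sketched as a diff between what an identity holds and what its role defines. This is an added example, not MHS's or the vendor's code; the role names, locations, applications, access levels and event fields are all constructed for illustration.

```python
# Hypothetical role database: (job function, location) -> {application: access level}.
ROLE_DB = {
    ("Registered Nurse", "Hospital A"): {"EHR": "clinical-write", "Email": "user"},
    ("Registered Nurse", "Clinic B"): {"EHR": "clinical-read", "Email": "user",
                                       "Scheduling": "user"},
    ("Billing Analyst", "Hospital A"): {"EHR": "billing-read", "Email": "user",
                                        "Claims": "user"},
}


def plan(current, hr_event):
    """Return the sorted provisioning actions that move `current` to the role's access.

    current  -- {application: level} the identity holds today
    hr_event -- {"type": "hire" | "transfer" | "terminate", "job": ..., "location": ...}
    """
    if hr_event["type"] == "terminate":
        target = {}  # a leaver keeps nothing
    else:
        key = (hr_event["job"], hr_event["location"])
        if key not in ROLE_DB:
            # Fail closed: an undefined role gets no access until it is modelled.
            raise KeyError(f"no role defined for {key}")
        target = ROLE_DB[key]

    actions = []
    for app, level in target.items():
        if app not in current:
            actions.append(("create", app, level))
        elif current[app] != level:
            actions.append(("modify", app, level))
    # Access held but not in the new role is removed, so a transfer
    # does not accumulate entitlements from the previous job.
    for app, level in current.items():
        if app not in target:
            actions.append(("disable", app, level))
    return sorted(actions)


if __name__ == "__main__":
    held = {"EHR": "clinical-write", "Email": "user"}  # constructed sample state
    move = {"type": "transfer", "job": "Billing Analyst", "location": "Hospital A"}
    for action in plan(held, move):
        print(action)
```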
Another great feature implemented was the ability to monitor when vendors' accounts were set to expire. Prior to this implementation, vendors' accounts would expire, interrupting business operations and delaying any work the vendor was performing while the access was validated by the sponsor and then reinstated by the System Access team. With this new feature, the sponsor is notified via email 14 and 7 days prior to the expiration date. The sponsor can easily request an extension of the expiration date if needed, avoiding any access interruption for the vendor and therefore saving the organization money.
We also partnered with the vendor to design the Periodic Access Review (PAR) process for all applications that are part of Identity Governance. This is an automated online report sent quarterly to all employee managers and sponsors of vendors to verify that the applications and the level of access granted to their direct reports are still accurate.
The manager or sponsor can validate their current access, request a change, or submit a termination request if the direct report no longer needs access to a specific application. These requests go directly to the MHS System Access Team, which expedites the process and keeps a log of what was requested and by whom.
This electronic Periodic Access Review is fast and easy, and has helped us tremendously to keep our patient information safe by removing unnecessary access to critical systems and Protected Health Information (PHI) in a timely manner.
We are constantly adding new applications to Identity Governance and refining our role database to continue improving the provisioning process at MHS.
At Memorial, patient privacy is everyone's responsibility!