Providing A Nationwide Hospital System With The Right IAM Foundation For The New Healthcare Era
A major healthcare system with more than 85 hospitals and hundreds of ambulatory facilities across the country had a problem with its Identity and Access Management (IAM) program. The program needed to address three specific challenges urgently. First, the existing IAM investments were not meeting stakeholder expectations or yielding any meaningful returns. Despite considerable technology and consulting expenditure, the organization had not made meaningful progress in solving its day-to-day operational IAM problems. Second, the organization was growing rapidly through acquisitions across the country, but the IAM program wasn’t nimble or effective at handling the growing needs. Third, the IAM program had inadequate vision, strategy or plans to support the current and emerging era in healthcare, with its dynamic and competitive business environment and its regulatory risk management demands.
The client selected Tueoris to review the current state, propose “quick-win” changes to IAM operations and set the IAM program on a stronger foundation for the future. As part of our work with the organization lasting more than two years, we helped establish a stronger foundation and capabilities across a variety of IAM areas, including Identity and Access Governance (IAG), advanced authentication for “enabling” clinical workflows, and risk-based strong (adaptive) authentication of remote as well as internal access.
What We Did
Our work with the client over the two-year period included the following specific tasks:
- Review the current gaps and issues in IAM operational capabilities and propose certain quick-win changes to people, process and technology aspects of the IAM program.
- Develop architecture, strategies and five-year program roadmaps for the three IAM areas in close collaboration with the organization’s Business, IT and Clinical leadership as well as leaders of specific verticals within security (e.g. SIEM, DLP, risk management and compliance).
- Lead three separate product vendor selection efforts for the three IAM areas based on the developed strategy and roadmaps criteria. This included preparation of detailed RFI, assessment of the RFI responses and consultation with Research Analysts (Gartner and Forrester) regarding their opinion on the vendors relative to the client requirements.
- Shortlisted the vendors further to two vendors for week-long (for each vendor) on-site proof-of-concept (POC).
- Developed detailed use cases covering specific client requirements. The detailed use cases included not just the traditional IAM use cases but also use cases pertaining to facilitation of clinical workflows, use of mobile devices, security risk management, regulatory compliance and integration with other security verticals such as DLP, SIEM, safeguards for unstructured data etc. The number of detailed use cases ran into a hundred or more for the vendor POCs.
- Organized and conducted the vendor POC efforts involving appropriate clinical, business and IT stakeholders.
- Upon completion of the POCs, we provided the client sponsor with the detailed evaluation of the vendors’ performance at the POCs as well as the vendor ranking in other areas such as vendor viability/capacity, suitability of the vendor relative to the client culture or other organizational aspects, vendor performance at clients (based on reference calls) etc.
- Provided the implementation teams with the appropriate guidelines and handover for implementation of the selected vendor solutions.
IAM strategy and development efforts have traditionally been performed by IAM specialists who have risen up the IAM ranks (as it were) by implementing specific technologies. It is often the case that these IAM specialists do not have nearly enough insight or experience in the larger security and privacy areas – areas that need to be leveraged in order to formulate sound and sustainable strategies for today’s IAM programs.
It is also important to note that not all IAM problems need or can have a technology solution. Even if some problems are best solved using a technology solution, traditional IAM technologies may not be the best fit in some cases. For instance, security or privacy incident detection and response solutions could supplement or help meet specific needs of an IAM program, but IAM specialists often do not have the insights or experience outside of the traditional IAM technology space.
At Tueoris, we have the breadth and depth in our insights and experience required to formulate solutions for today’s IAM problems. Also, since we do not partner with any specific IAM vendors, we are able to maintain true independence in evaluating and selecting vendors based on a sound IAM strategy.