Forward Advantage recently held a focus group with CHIME CIOs to learn what today’s health IT leaders think of Identity Governance and Administration (IGA). It’s clear that we are in a technological growth period in healthcare, bringing more users, applications and data together than ever before. More connections bring great value to care providers and their patients, but they also make healthcare organizations more vulnerable from a security perspective. Forward Advantage’s expansion into the IGA market leverages our expertise from helping over 250 hospitals implement identity and access management solutions. We recognize the challenges faced by our customers, and entering the IGA market allows us to assist with developing and/or implementing personalized strategies for long-term success. We approached this focus group with a goal to learn about the challenges CIOs and CISOs face as they implement a strategy around IGA, so we can continue to refine our offerings to meet those needs.
Our commitment to customers means continually educating ourselves and you, so we regularly engage with industry leaders to improve our offerings. The focus group proved to be a valuable learning opportunity for everyone involved. Participants shared their experiences with IGA, implementation challenges and concerns, the requirements they think are necessary for success, and where they see opportunities for new solutions and services.
What Exactly Is IGA?
In a nutshell, IGA centralizes the management of identities and the applications and data they access to reduce business risk while gaining operational efficiencies. Many in healthcare mistakenly view IGA as synonymous with Identity & Access Management (IAM); however, IGA should be viewed as a vital component of a successful IAM program. Forward Advantage has been in the IAM market for years – with nearly two decades of experience implementing single sign-on and advanced authentication solutions. While these solutions are invaluable to healthcare, they play a related but different role from IGA.
An effective IGA program should be considered part of an overall IAM strategy that encompasses single sign-on; two-factor/multi-factor authentication; and centralized, role-based identity management.
Identity and Access Management
A Cultural Shift
An effective IGA program brings a cultural shift to healthcare organizations – one they are not always prepared for. Our focus group participants recognized this cultural shift from their own experiences, because IGA impacts all departments. Everyone from hiring managers to Human Resources, and everywhere in between, must be included in the IGA program for it to succeed. In fact, one CIO stated that the members of his organization know they need to do more from an IT perspective, but the culture shift to adopt the practices is what holds them back from fully realizing a true program.
Additionally, decision making and overall buy-in for the program are cross-departmental, which can present unique challenges. IGA’s value must be looked at differently than other investments. The return on investment is not typically immediately apparent, because IGA provides a proactive (rather than reactive) approach to security. CIOs, CISOs and other healthcare IT leaders seeking buy-in for IGA must communicate the value of a proactive approach, rather than waiting for a security event to demonstrate value savings.
Our focus group identified some common challenges when implementing an IGA program. It’s important to be aware of these challenges as you explore IGA for your organization. IGA projects are time- and resource-intensive, and this commitment doesn’t allow much room for error. In most cases, identifying roles was one of the biggest hurdles to overcome before even getting started. IGA involves multiple areas across the company, including HR and other management staff. Often, a lot of work has to be done up front to look at who has access to what, and what access they really need. In fact, one CIO participant shared the following:
“We made the mistake of starting with nursing and ended up with 492 roles for 600 nurses. Ultimately, we redesigned the levels of access and simplified down to 11 roles.”
Common challenges identified by our participants include:
• How do you gain buy-in?
• Who owns it? (Often shared by IT, Leadership, HR, Compliance, etc.)
• Lack of internal resources (IGA requires dedicated staffing)
• Lack of education on IGA
• Lack of implementation know-how and training
• Creating roles and managing exceptions
• Managing employees with dual roles
• Managing remote employees
What Do CIOs & CISOs Want?
Our focus group made it clear that IGA is a complicated program. CIOs and CISOs want organizational buy-in to help address cultural shifts and quickly reach business value.
On a broader scale, our focus group also identified that there is more to IAM than just single sign-on and two-factor/multi-factor authentication. Participants agreed that a successful IAM program would include:
• Single sign-on
• Role-based access
• Faster onboarding
• Centralized management, governance, and compliance
• Upfront guidance on roles and policies
It is important to note that IGA is not a one-size-fits-all solution. Everything from culture and budget to security priorities and what’s already in place will determine a strategy and solution to fit an organization’s needs. Organizations of different sizes, budgets and priorities can find and manage an effective program. The key word here is “program,” because a successful IGA initiative is looked at as an ongoing program rather than a one-time project.
IGA is still a relatively new focus in healthcare, but with insider breaches on the rise, it has generated a lot of buzz for good reason. IGA has the power to centralize and simplify identity management for healthcare organizations during what is a particularly vulnerable time for many. It provides a proactive, rather than reactive, approach to security, which is vital for the success of today’s healthcare organizations. However, IGA's success hinges on organizational buy-in, which requires demonstrated value. IGA, as part of a complete IAM program, requires a large cultural shift for organizations, because it requires cross-departmental involvement. A substantial time commitment and dedicated staffing are required, so it’s important to understand the ROI from other departments and relay value early in the process to secure buy-in. Although we look at IGA as a long-term program to be nurtured over time, short-term projects can be tackled early on to show immediate value. Be aware of these buy-in challenges up front so you can create an appropriate strategy from the start.
The first step for any organization is to evaluate your current strategy.