In December I attended the Gartner IAM Summit to get an update on the Identity and Access Management (IAM) technology sector. I wanted to understand how other industries outside of healthcare are attacking their identity and access management challenges, so we can continue to bring innovative real-world solutions to our customers and add value around the technologies we sell & implement.
Here are my key takeaways that I think are important for healthcare organizations to be aware of:
1. IAM is Evolving Rapidly
As more organizations proceed with digital transformation, and increasingly move to the cloud and web applications, the IAM space is evolving rapidly from a technology perspective to meet their requirements.
2. There are 3 Main Categories of IAM
The three main categories currently considered the components of IAM are:
• Access Management (AM)
• Privileged Access Management (PAM)
• Identity Governance and Administration (IGA)
3. The Lines are Blurring
Technology providers are increasingly “blurring the lines” between the aforementioned categories with their offerings. This is occurring both through product development and through acquisition and subsequent assimilation.
4. There are Shared Challenges for Healthcare Organizations
Organizations continue to struggle with enterprise-wide deployments of IAM technologies due to:
• Difficulty demonstrating business value in a timely manner
• Magnitude (real or perceived) of the project and the resource allocation required to implement and maintain solutions
• Culture/resistance to change (IAM is an ongoing program, not a project)
5. Vendors Play a Key Role
The diverse and growing landscape of IAM is daunting. Consultants, Service Providers and Systems Integrators are available to aid in the deployment of IAM solutions. Make sure you pick a partner that can:
• Educate about the larger IAM landscape – not just one or more “point” solutions
• Demonstrate the business value of an IAM strategy
• Guide you through developing an IAM strategy that meets the current and anticipated requirements of your healthcare organization.
What is IAM - Are We All on the Same Page?
Many people think they understand what IAM is, but I’ve found definitions vary widely. While at the conference, I found speakers and attendees challenged with the ever-evolving issues and solutions that are cornerstones for building or managing an IAM strategy.
This is Gartner’s definition, which I think is a great starting point to understanding the IAM landscape and its components:
Now let’s break it down even further with definitions for the three main categories of IAM:
1. What is Access Management (AM)?
Generally speaking, Access Management addresses user authentication to systems and includes functionality (such as analytics, adaptive and contextual information) to determine whether the user should be allowed access, or whether they must proceed with additional authentication steps to gain access.
2. What is Privileged Access Management (PAM)?
Privileged Access Management refers to a segment of network security solutions that control and monitor internal employee privileged user activity. These tools address the vulnerabilities that are introduced when users with high-level permissions require access to critical systems. The term also covers systems that manage the access of various types of users who may have access to a different set of systems and resources beyond what the common end-user might have. This might include internal system administrators, external users such as vendors or trading partners, and devices and other systems that may utilize “system accounts”. PAM solutions include functionality to manage, record, and analyze the sessions of the privileged user.
3. What is Identity Governance and Administration (IGA)?
IGA is commonly defined as “the policy-based centralized orchestration of user identity management and access control.” IGA solutions are designed to manage digital identities and entitlements across multiple systems and applications. These solutions include functionality for identity lifecycle management, workflow relating to access requests and certifications, policy and role management and auditing/analytics.
Looking to Healthcare...
So how does all of this apply to healthcare and to you?
For nearly two decades, healthcare has largely and appropriately been focused on the convenience aspect of access management to ensure that care providers can access the systems they need without impacting their focus on the patient. During this time, healthcare has seen the proliferation of different care delivery models, interoperable systems, connected devices, information exchange, and patient engagement technologies. While these developments have provided opportunities for more effective care, they have also ushered in a host of different privacy and security concerns. Absent the commitment to a sound IAM program, these concerns become very real threats and, as recent events demonstrate, the healthcare enterprise can be susceptible to cyberattack.
IAM strategies that include components of the three categories above provide greater assurance that healthcare organizations are able to continue effective delivery of care without undue security and privacy risk. Tackling an IAM strategy isn’t a project with a clear end and beginning. It’s a program – ongoing, with a continued need for evolution to stay ahead of risk. It’s thought leaders, dialogue, research, experts, and conferences like the Gartner IAM Summit that move us all – vendors, consultants, CIOs, providers, patients – forward in our quest for appropriate security and the efficient delivery of quality care.
I’d love to hear your thoughts on the future of IAM and IGA in healthcare. Shoot me an email through the form below: