Identity and Access Management: HCA Healthcare’s Big-Scale Approach
Bobby Stokes is assistant vice president, enterprise systems and identity and access management at the Nashville-based HCA Healthcare. The largest for-profit hospital company in the United States, HCA Healthcare encompasses 165 hospitals and 115 freestanding surgery centers, as well as 204,000 employees, in 20 states and in England.
The size and scope of the organization are further reflected in the fact that its enterprise systems professionals must maintain 120 corporate applications, ranging from identity services, through provisioning services, mobility development, collaboration platforms (Intranet capabilities and search engines), security initiatives, and general development initiatives, among others.
Naturally, supervising such a broad range of activities and technologies requires strong identity and access management policies, protocols, and procedures. Stokes, whose staff includes over 70 professionals, and who reports to the corporation’s vice president of product development, works assiduously with his team to ensure both optimal availability and optimal security. Within that area, he and his colleagues have been partnering with the Seattle-based Caradigm USA. Stokes spoke recently with HCI Editor-in-Chief Mark Hagland. Below are excerpts from that interview.
You have a vast organization to help manage, when it comes to identity and access management. Have you implemented a single sign-on strategy?
As far as Caradigm goes, we have the whole identity life cycle management. The touch points with Caradigm are single sign-on and provisioning. Provisioning is the process of managing resource deployment for new employees, giving them access to applications, etc. When you join us, we want you to have a computer on your desk and applications at the ready. We also need to make sure that when you leave, you no longer have access.
So now, for example, you’re a nurse at one of our hospitals, and we notice you’re looking at the patient records of somebody who lives three doors down, and is that OK or not? We need to find out, and if something inappropriate has happened, we need to address it immediately. That latter part is not a Caradigm piece per se, but a downstream event. If you can give them access when they get there and then shut down access when they leave, that improves security.
You can’t get rid of risk, but you can minimize it. It goes back to giving the right people access at the right times. With employees, we can take them through the HR [human resources] process. Among our physicians, 6,000 are employees, but the rest are our customers.
What made you go for a comprehensive solution in these areas?
The Caradigm SSO product is fairly comprehensive; and ProVision does a good job in provisioning. But I don’t know that anybody has a total solution. And our HIS is Meditech, but there are many other systems out there, and you’ve got to be able to deal with all of them; and one of the things that makes Caradigm an interesting and viable player in this area is that they focus on healthcare. A lot of single sign-on solutions tend to be very generic. And Meditech is a very proprietary, fat client. And Caradigm has had to figure out a way to work with Meditech. If you’re talking about Epic and you say, we need to interface with Epic, they’ll know what you’re talking about. But it’s harder with Meditech.
What are the couple of biggest healthcare-specific challenges involved in developing a strong, enterprise-wide identity and access management program?
The security side of it is the biggest challenge; we’re so focused on security breaches. Yesterday I came across something interesting: according to the FBI, a person’s SS number or credit card number is worth about $1 on the open market. But a person’s EHR [electronic health record] information is worth at least $50.
Yes, experts are now concluding that the identities of healthcare consumers and patients are worth $50 or even $75, which is extraordinary, in context. Why do you think the differential is so strong compared to, say, credit card identities?
One reason is probably that the EHR is going to have a lot of information—the patient’s Social Security number, address, family members, insurance information; and if it’s somebody famous, you can imagine what that’s worth. Community Health Systems lost 4.5 million patient records a month or so ago, and it’ll probably cost them $75 to $100 million. They have to notify all the patients and pay for monitoring services.
When did you go live with these solutions from Caradigm?
About four or five years ago. About 130,000 people use the single sign-on every day. We track utilizations through log-ins avoided. Every time they click a button and access an app, that’s a log-in avoided, and we average about 17.5 million of those a month. That helps employees, but it especially helps physicians. Some of them may have 10-12 apps they’re working on. And if they’re not integrated—just imagine trying to keep up with your own personal passwords. These physicians are working different passwords at different hospitals and sites. And if you’re at HCA, you’re logging on with one name and password. Our goal has been to make things easier for them. It’s a small thing for them individually, but those things add up. And this affects their staffs as well. We have about 80 applications integrated with the single sign-on.
Have there been any broad lessons learned so far from the way that this program has been implemented?
Certainly. For us, the majority of the hospital business out there is individual hospitals or groups of two, three, or four hospitals. And nobody’s scaled up to deal with 165 hospitals. And so what’s important is to develop a consistent approach. At the end of the day, there’s still flexibility in systems that doesn’t help much, but adds complexity. So we test solutions and then deploy nationally. We try to minimize variability. If you’ve got three hospitals, it’s one thing to have variability, but with 165, it’s another deal.
Another thing is, they always talk about non-functional requirements. What happens if there’s downtime? What you’re doing is that you’re taking the 10 applications for physicians—if you do a good job, they’ll forget their passwords; they’ll have one. And if they’re using this password to get into your EHR system, and that system goes down, they might not be able to get into any of those systems. And then if something were to happen, the help desk won’t be able to get things fixed fast enough. Fortunately, we’ve made downtime nonexistent, and have made things highly available.
We haven’t absolutely eliminated downtime, but we haven’t had any downtimes. You need to plan for high availability whether you think you need it or not, and have good procedures in place in the event something does happen.
What would your advice be to other healthcare IT executives around all of this?
Two things: one, the root technology between Caradigm’s single sign-on and the ProVision solution is very similar. Single sign-on is more of a technical play. You spend time putting it into place, and it turns into an operational thing. Provisioning is 180 degrees different; it’s a people and a process problem. And to be fair to all concerned, the issues we have with the product are really the result of people and process issues. If your enterprise has not embraced the notion of role-based security, you’re going to have a hard time, because the whole premise behind provisioning is establishing strict roles, with exceptions.
We’ve got 200,000 employees and 120,000 roles, which means there’s a role for every 1.6 people. And when you define things, that’s even more important than designing it for an individual. And if you say it’s OK for everybody in a particular role to have application X, you’d better be pretty sure, because that means 50 people will get it. So it’s really defining roles and having a mindset within an organization to live and die by them. And some organizations are way more mature than others; I suspect that we’re all over the place, across the spectrum, in terms of our component hospitals and organizations. It’s like saying you can have an active directory group or distribution list, but you can only have two people in the distribution list; well, that kind of defeats the purpose, right?
The other thing is, we’re inheriting a lot of transactions for employees out of our HR system, which was never really intended to help provision applications. So we’ve had to put a lot of things in place to make that work. And we’re in our second or third iteration around this, and the HR people realize that if they don’t manage a termination in a timely fashion, that will cause a problem. And we’ve got people coming and going from Nashville to San Antonio and San Antonio to Dallas, and you’ve got people leaving the company and becoming contractors, and coming back; so when you mix all that together, it gets to be rather complex. And what we’re doing is what a lot of hospitals are having to do in sharing data with competitors; we’re doing that, too. And with the mergers and acquisitions and divestitures, your greatest ally might be your competitor of today. So it makes doing this well more important.
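The last two answers describe provisioning as a role-and-process problem: roles define what everyone in them gets, individual exceptions sit on top, and an HR feed drives joins, moves and terminations. The following is an added example, not code from HCA Healthcare or Caradigm, that reconciles that model against what applications actually report. All role names, user ids and access sets are constructed sample data, and the one-day termination grace window is an assumption chosen for illustration; it shows how a terminated user who was never deprovisioned, an expired exception and an out-of-role grant all surface as revocations.

```python
"""Joiner/mover/leaver reconciliation for role-based provisioning (added example)."""
from datetime import date, timedelta

# Constructed sample role catalogue: each role grants a fixed set of applications.
ROLES = {
    "icu_nurse": {"ehr", "email", "meds_admin"},
    "registrar": {"ehr", "email", "scheduling"},
    "contractor_billing": {"email", "billing"},
}

# Constructed HR feed, one record per identity; status is "active" or "terminated".
HR_FEED = [
    {"user": "u1001", "role": "icu_nurse", "status": "active", "term_date": None},
    {"user": "u1002", "role": "registrar", "status": "active", "term_date": None},
    {"user": "u1003", "role": "icu_nurse", "status": "terminated", "term_date": date(2024, 5, 1)},
    {"user": "u1004", "role": "contractor_billing", "status": "active", "term_date": None},
    {"user": "u1005", "role": "registrar", "status": "active", "term_date": None},  # new joiner
]

# Approved per-user exceptions outside the role, each with an expiry date.
EXCEPTIONS = [
    {"user": "u1002", "app": "billing", "expires": date(2024, 12, 31)},
    {"user": "u1001", "app": "scheduling", "expires": date(2024, 3, 1)},  # already expired
]

# What the applications report today (constructed; stands in for connector reads).
CURRENT_ACCESS = {
    "u1001": {"ehr", "email", "meds_admin", "scheduling"},  # holds an expired exception
    "u1002": {"ehr", "email", "scheduling", "billing"},
    "u1003": {"ehr", "email"},            # terminated but never deprovisioned
    "u1004": {"email", "billing", "ehr"},  # "ehr" is in neither role nor exception
}

TODAY = date(2024, 6, 1)  # assumed reconciliation date for the sample run


def desired_access(hr_feed, roles, exceptions, today):
    """Role entitlements plus unexpired exceptions for active users; nothing for leavers."""
    desired = {}
    for rec in hr_feed:
        if rec["status"] == "active":
            desired[rec["user"]] = set(roles[rec["role"]])
        else:
            desired[rec["user"]] = set()
    for exc in exceptions:
        # Exceptions never outlive their expiry or the user's active status.
        if exc["expires"] >= today and desired.get(exc["user"]):
            desired[exc["user"]].add(exc["app"])
    return desired


def reconcile(desired, current):
    """Return (grants, revokes): per-user sets that bring current in line with desired."""
    grants, revokes = {}, {}
    for user in set(desired) | set(current):
        want = desired.get(user, set())  # identities unknown to HR should hold nothing
        have = current.get(user, set())
        if want - have:
            grants[user] = want - have
        if have - want:
            revokes[user] = have - want
    return grants, revokes


def overdue_terminations(hr_feed, current, today, grace_days=1):
    """Terminated users still holding any access past the grace window."""
    return sorted(
        rec["user"]
        for rec in hr_feed
        if rec["status"] == "terminated"
        and current.get(rec["user"])
        and today - rec["term_date"] > timedelta(days=grace_days)
    )


def users_per_role(hr_feed):
    """Active head-count per role; roles with one or two members signal role sprawl."""
    counts = {}
    for rec in hr_feed:
        if rec["status"] == "active":
            counts[rec["role"]] = counts.get(rec["role"], 0) + 1
    return counts


if __name__ == "__main__":
    want = desired_access(HR_FEED, ROLES, EXCEPTIONS, TODAY)
    grants, revokes = reconcile(want, CURRENT_ACCESS)
    print("grants:", grants)
    print("revokes:", revokes)
    print("overdue terminations:", overdue_terminations(HR_FEED, CURRENT_ACCESS, TODAY))
    print("users per role:", users_per_role(HR_FEED))
```

Run daily against the HR feed and connector reads, the revocation list is the control that closes the "shut down access when they leave" gap the interview emphasises, and the overdue-termination report is the signal to escalate back to HR when a termination was not processed in time.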