Identity And Access Management Automation Saves PeaceHealth Hundreds Of Thousands Of Dollars

About five years ago, PeaceHealth, a 16,000-caregiver healthcare provider in the Pacific Northwest with 10 hospitals and 250 ambulatory clinics, began a focused effort to meet the compliance standards of the HIPAA role-based access requirements.

At the same time, the provider organization invested $300 million in converting the electronic health records of its ten hospitals and 250 clinics to an Epic system. At the time, the organization was using a homegrown system to help grant access to providers. But with this tool, it took a provider 28 days after they were hired to receive access to systems.

“We then brought in a legacy tool, Microsoft Identity Manager, to help decrease the time to access,” said Robert Siebenthaler, manager of identity, access and security at PeaceHealth. “While this tool was able to automate part of the process, internal and external audits revealed its shortcomings. We evaluated the tool’s roadmap and concluded it was not fit to support PeaceHealth in the long term.”

So the provider organization started the process of evaluating identity governance systems that mirrored its goals for the future: A dedication to identity governance and a strong integration with Epic. During this evaluation phase, PeaceHealth brought in internal and external auditors, the risk team, and the office of integrity to help with the process.

Through the evaluation phase, PeaceHealth decided to begin a long-term partnership with vendor SailPoint, and from there the next-generation identity program took shape.

“One of the reasons we saw a future with SailPoint was its ability to manage all users,” Siebenthaler explained. “Granting entitlements to healthcare workers with multiple personas can be very tricky. PeaceHealth has employees, community providers, hospice, volunteers, contractors and external providers that all need differing types of access.”

With the SailPoint technology, PeaceHealth would be able to grant entitlements, complete with access approvals and certifications that allow the organization to remain compliant, he added.

There is a variety of identity and access management technology vendors with products on the market. Some of these vendors include Centrify Identity Service, Digital Persona, Forefront Identity Manager, ForgeRock Identity Platform, Intermedia AppID Enterprise, Okta Identity Management and Oracle Identity Management.

With the new technology, PeaceHealth now has 100 percent role-based access for all users: employees, community providers, hospice, volunteers, contractors and external providers. It integrated SailPoint with its credential system from Visual Cactus; its human resources system; Azure, since the organization is an Office 365 shop; and a couple of internal databases that it has to track providers.

“To achieve this, we did extensive business analysis evaluating the existing workflows with our HR department and addressing the current gaps and worrisome areas to mitigate future risk,” Siebenthaler said. “The first phase of this program focused on using SailPoint to grant providers access to systems more quickly, prioritizing access to Epic. Providers no longer wait 28 days for access to Epic and other systems, and now receive full rights within two days.”

Reducing the manual labor involved for provisioning access was also a goal for the team. Twenty-five contractors were responsible for granting access. Now that this process is automated, these contractors no longer are on staff, saving PeaceHealth hundreds of thousands of dollars. – Healthcare IT News