If your hospital emergency room is in beautiful downtown Burbank, California, chances are you are going to have some pretty well-known people walk in from the various movie and TV studios that populate the town. And, if you are the System Director of Enterprise Security for the company that owns that hospital, you have a lot of worry on your hands. At the SailPoint Navigate conference, we heard from Eric Cowperthwaite, who works in that capacity for Providence Health & Services and runs not just the Burbank hospital, but 31 others across the western US, along with more than 400 clinics, labs and other facilities. His hospitals care not just for the celebrities, but more than 20 million patients who walk into his facilities, and have to handle 65,000 employees and an extended workforce reaching approximately 100,000 when physicians and other healthcare providers that are affiliated with Providence are considered. .
Now imagine running your IAM using many different systems and manual spreadsheets. These spreadsheets are used to track the access granted, in some cases, to extended workforce that is not directly employed by Providence. And spreadsheets are used when having employee’s managers perform recurring access certifications. Gulp. “In the words of the guys in the movie ‘Armageddon’, I have the worst identity governance environment you might imagine,” he said. “It isn’t easy dealing with this, and on top of this we are adopting electronic medical records and a new IAM system too,” he said.
When Providence was first looking at IAM, they started with a technology centric view, but it wasn’t very satisfactory. “We needed to fix that from a policy perspective to make sure we could manage our user base spread from Alaska to California,” he said. And to make matters even worse, they had to deal with lots of temporary workers that were input into their system as “ER Nurse #1” rather than specify the person’s real name. He explained that this is common practice in a hospital environment with many contract and/or temporary workers, but that doesn’t make it any easier to deal with.
Cowperthwaite shared some advice on how he improved his Identity and Access Governanceplatforms. “Before you ever talk to SailPoint or your SI provider, know your objectives and requirements, and make sure both of them understand these goals.” Here were some of his:”We needed to protect the patient privacy and integrity of their personal information, and provide business visibility into our security with appropriate dashboards. And, oh by the way, comply with a bunch of new federal health regulations.”
Next, Providence needed to align policy and process across the enterprise and prioritize attention on higher-risk users, applications and access such as accounting, IT and compliance folks. And finally, they wanted to consolidate their ID repositories into a single authoritative source. In addition to the aforementioned spreadsheets, they had two different ID stores (Active Directory and their ERP system), and the two had differing pieces of identity information depending on whether the person was a full-time employee or a contractor.
Providence ended up with IdentityIQ and has been building the next generation of IAM systems across their enterprise. He didn’t have a too tough a time convincing his board to pay for it either. “Our financial audit was costing us more because we had a high level of privileged accounts and they had to double or triple their audit sample size to investigate things. Cutting down these accounts will help pay for our SailPoint implementation.”