Top 5 healthcare best practices for managing non-employee identities
Recently, SailPoint came together with identity leaders in the healthcare industry for a Healthcare best practices for managing non-employee identity risk webinar where the discussion covered the challenges in managing healthcare non-employee identities such as affiliate clinicians, travel nurses, flex nurses, medical/nursing students, and contractors.
Healthcare’s increased reliance on non-employees creates an added challenge on how to best balance appropriate clinical access and security. Non-employee healthcare roles are vital to providing patient care, but risks associated with third-party identities can also expand the threat footprint in a health system.
Discover some of the common challenges and best practices summarized from the conversation between Deanna Miller, Identity and Access Management (IAM) Manager for WellSpan Health; Matt Fitzpatrick, IT Director for the Geisinger Health System; and Rob Sebaugh, Healthcare Identity Strategist with SailPoint.
1. Onboarding an influx of nursing students
Rob Sebaugh, SailPoint
We see in healthcare that non-employees are a large challenge almost everywhere. We’ve seen a drastic influx of travel nursing and contracted physicians, especially coming out of the pandemic. Managing those identities is critical because we don’t want those non-employees to leave our organization and still be able to access clinical data.
Deanna, could you give us information on the challenges or pain points you were experiencing with your non-employees?
Deanna Miller, WellSpan Health
One of the main challenges we had that moved us towards a solution was nursing students, which was a big challenge for us because we’re a teaching hospital. When nursing students came in, previously, we were getting information from schools via spreadsheets and emails, and it required a significant amount of manual effort.
It took them a long time to onboard, and then ensuring they were off-boarded when they were done working a rotation at the hospital was a challenge. So, when we moved into Non-Employee Risk Management, one of the main points for us to look at other solutions was to improve those processes.
2. Lack of visibility increasing audit risk
Deanna Miller, WellSpan Health
We were also having auditing challenges. How do we manage these non-employees that are accessing our systems? How can we make sure that their access is removed when they are done working? We needed to confirm that their access was removed in the right timeframe, making sure we were meeting our policies, handling expired accounts, and deactivating accounts timely.
3. Manual processes and a lack of automation
Rob Sebaugh, SailPoint
How did you identify a need for a non-employee solution? What were the criteria to meet and what were your challenges?
Matt Fitzpatrick, Geisinger Health System
For us, the challenges were parallel to WellSpan. We were managing non-employees with a spreadsheet or a list that evolved into an access database. But the issue was we didn’t consistently have all those non-employees managed. We weren’t engaged with the internal managers, so we didn’t know when the non-employees left. Our system wasn’t automating that for us, so we would fail audits internally. That initiated our search for this system.
4. Ease of deployment
Rob Sebaugh, SailPoint
Okay, so what did it take to get Non-Employee Risk Management up and running? Did you need a big team? Did it take a long time to implement? Was this good speed to market? What was the learning curve?
Matt Fitzpatrick, Geisinger Health System
We have one engineer who owns the system, and he could probably have had it up and running in a week because he’s already gone through the learning curve. There’s a bit of getting to understand how the system operates, but as far as the actual use of the system, no programmer, and no advanced technical team were needed. It’s quite easy to use.
If you want to create a new field, you can just through the graphical user interface (GUI); if you want to create a different workflow to trigger something like notifications, you can do it right through the GUI. That doesn’t mean we don’t have a few things that we would like to see improved and submit an idea for, but you can get up and running very quickly on this system compared to others, in my opinion.
Deanna Miller, WellSpan Health
I would agree with Matt. It’s fairly easy to get up and running once you get familiar with the system. We had an architect and a technical analyst who took it on. Even your external partners who will be using the collaboration portal — that’s fairly simple as well. You don’t run into too many challenges. It’s easy to provide them with brief documentation, and they’re up and running and ready to go.
5. Importance of internal stakeholder collaboration
Rob Sebaugh, SailPoint
Do you have any recommendations or anything you want to leave with the group to think about as they go on their journey?
Matt Fitzpatrick, Geisinger Health System
As Deanna mentioned earlier, work with your HR team. Make sure you are in sync. If you don’t know who is managing what types of employees, that would be very problematic. Think about a transition plan when people are moving from a non-employee role to an employed role. Also, think about standard data; I’d suggest standardizing things like locations, departments, and those common points of data so they aren’t difficult to manage later.
Deanna Miller, WellSpan Health
Really embrace the Non-Employee Risk Management collaboration portals and get the most out of them. We’re all asked to try and save time and resources. Use the portals and save both your time and your partner’s time. Replace partners putting details in a spreadsheet and then sending it over to you and waiting for you to do the same. Have them directly input details about the non-employees. They have more visibility and control with this solution. It makes a good partnership all around, so I would say that was a big win.
To learn more best practices and watch a demonstration, register for SailPoint’s on-demand webinar, Healthcare Customer Webinar – Healthcare best practices for managing non-employee identity risk.
You can also see how easy it is for a healthcare organization to onboard a new travel nurse by taking a step-by-step tour.
Discussion