Saturday, April 12, 2008

An Interesting Identity Management Use case for Healthcare

I've been meeting and talking with a number of healthcare customers, and thinking about common scenarios that identity technologies could be applied to. Of course, you have the run-of-the-mill scenarios that address HIPAA (like ESSO, deprovisioning, etc.), which are useful, but let's face it: common. One scenario, though, piqued my interest because it was pretty unique to healthcare, and it provides significant value to healthcare IT in general and to compliance in particular.

Remote physicians' offices often have access to a slew of clinical apps, such as applications that allow a physician or staff member of a remote office to view patient data, x-rays, lab results, etc. In order to demonstrate compliance, some hospitals hire contractors to get in their cars, drive to each remote office (of which there could be hundreds), and 'attest' which users still exist at that office, note changes from hires and departures, and record each user's application access requirements. Then they leave and drive to the next office. This happens every 6 months or so as part of the institution's compliance recertification efforts.

Federation would be able to give remote offices the capability to control authentication of accounts on their end, while allowing the hospital to manage authorization profiles. But some (many) of these offices are just 2 or 3 people: a doctor or two, maybe a nurse and a secretary. The only thing you could guarantee regarding their infrastructure is internet connectivity; you certainly can't count on the skills and infrastructure needed to deploy a federation server. Anyhow, this falls more into the control category than the audit category.

On the other hand, attestation fits perfectly here. (Nishant wrote a good entry on attestation here.) Instead of having a person drive around gathering a paper trail of access levels for accounts belonging to remote offices, provide the remote offices a web interface to attestation workflows, which allows them to periodically 'attest' to who is still there, who is new, and what they have access to. Simple, not technically complex, but darn useful. Clients love it because it addresses a real scenario with real benefits. Sometimes the coolness of a use case has less to do with the technology, and more to do with how it makes otherwise painful tasks a little more bearable.
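To make the workflow concrete, here is an added example (not code from the original post or from any product it alludes to) that models one round of the attestation described above: an office reviewer confirms which staff are still present and which entitlements each still needs, names any new hires, and the hospital side reconciles that response against its account records. The office names, user names, entitlement names and the 6-month recertification period are constructed sample values. Two design points worth noticing: anything the reviewer does not confirm is disabled or revoked (the safe default for an audit control), and anything the reviewer asks for that the account does not already have is routed to provisioning as a request rather than granted by the attestation itself, so the review stays a review and does not become a back door for new access.

```python
"""Reconcile a remote office's periodic access attestation against the hospital's
account records. Added example with constructed sample data; not from the original
post or any product."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    office: str
    entitlements: frozenset  # clinical app entitlements currently granted


@dataclass
class Response:
    office: str
    reviewer: str
    attested_on: date
    confirmed: dict   # user -> set of entitlements the reviewer says are still needed
    new_hires: dict   # user -> set of entitlements requested for a new staff member


@dataclass
class Outcome:
    disable: list = field(default_factory=list)   # users the office no longer recognises
    revoke: list = field(default_factory=list)    # (user, entitlement) no longer needed
    keep: list = field(default_factory=list)      # (user, entitlement) confirmed
    requests: list = field(default_factory=list)  # (user, entitlement) routed to provisioning
    audit: list = field(default_factory=list)     # one line per decision, for the auditors


def reconcile(accounts, resp):
    """Apply one office's attestation to that office's accounts only."""
    out = Outcome()
    stamp = f"{resp.attested_on.isoformat()} {resp.office} attested by {resp.reviewer}"
    for acct in accounts:
        if acct.office != resp.office:
            continue  # other offices attest separately
        if acct.user not in resp.confirmed:
            # Not mentioned by the reviewer: treat as departed and disable the account.
            out.disable.append(acct.user)
            out.audit.append(f"{stamp}: DISABLE {acct.user} (not attested)")
            continue
        wanted = set(resp.confirmed[acct.user])
        for ent in sorted(acct.entitlements - wanted):
            out.revoke.append((acct.user, ent))
            out.audit.append(f"{stamp}: REVOKE {acct.user} {ent}")
        for ent in sorted(acct.entitlements & wanted):
            out.keep.append((acct.user, ent))
            out.audit.append(f"{stamp}: KEEP {acct.user} {ent}")
        for ent in sorted(wanted - acct.entitlements):
            # Attestation confirms existing access; extra access becomes a request.
            out.requests.append((acct.user, ent))
            out.audit.append(f"{stamp}: REQUEST {acct.user} {ent} (not granted by attestation)")
    known = {a.user for a in accounts if a.office == resp.office}
    for user, ents in resp.new_hires.items():
        if user in known:
            continue  # already has an account; handled through 'confirmed' above
        for ent in sorted(ents):
            out.requests.append((user, ent))
            out.audit.append(f"{stamp}: REQUEST {user} {ent} (new hire)")
    return out


def overdue_offices(last_attested, today, period_days=182):
    """Offices whose last attestation is older than the recertification period."""
    return sorted(o for o, d in last_attested.items()
                  if today - d > timedelta(days=period_days))


# Constructed sample data: two remote offices, one round of attestation from 'riverside'.
ACCOUNTS = [
    Account("dr_patel", "riverside", frozenset({"ehr_view", "pacs_view", "lab_results"})),
    Account("nurse_kim", "riverside", frozenset({"ehr_view", "lab_results"})),
    Account("sec_jones", "riverside", frozenset({"ehr_view", "scheduling"})),
    Account("dr_ortiz", "hilltop", frozenset({"ehr_view"})),
]
RESPONSE = Response(
    office="riverside", reviewer="dr_patel", attested_on=date(2008, 4, 12),
    confirmed={"dr_patel": {"ehr_view", "pacs_view", "lab_results"},
               "sec_jones": {"scheduling"}},      # nurse_kim has left; sec_jones no longer needs EHR
    new_hires={"nurse_lee": {"ehr_view", "lab_results"}},
)
LAST_ATTESTED = {"riverside": date(2008, 4, 12), "hilltop": date(2007, 9, 1)}

if __name__ == "__main__":
    for line in reconcile(ACCOUNTS, RESPONSE).audit:
        print(line)
    print("overdue:", overdue_offices(LAST_ATTESTED, date(2008, 4, 12)))
```

Running it prints the audit trail for the riverside office (one disable, one revoke, four keeps, two new-hire requests) and reports hilltop as overdue for its next review; the hilltop account is untouched because only riverside attested.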
