How to Mitigate Identity Risks By Managing Access for Contractors & Other Non-Employees in Healthcare

By John Racine, Managing Director, Core Security, a HelpSystems Company
Twitter: @CoreSecurity

Many healthcare organizations have started relying on contingent workers for a variety of reasons, including responding to talent shortages and addressing the rising costs of hiring full-time healthcare employees. Contracted employees, known as non-employees, are frequently hired for a short-term or on-demand basis. And their numbers are continuing to increase across the healthcare sector. The American Staffing Association estimates that nearly 1.6 million temporary and contract employees now work in the healthcare industry.

This reliance on contingent workers creates a highly mobile workforce, where professionals are rotating across an expansive network of systems. Because many healthcare organizations lack a centralized process to manage user accounts, they often have little visibility into access levels users possess. It is also common for contingent workers not to be incorporated into a system of record, like an HRIS. These factors significantly increase security risks and create a compelling business case to invest in intelligent identity governance and access management.

The Ongoing Challenge with Contingent Healthcare Workers
With varying levels of access required across the contingent workforce, which includes medical students, interns, and non-employee clinicians, healthcare organizations must first be able to view information about these identities centrally, so they can then create, manage, and remove access for their user accounts efficiently and intelligently.

They must also create processes that recognize contingent worker identities come from multiple sources and then make the data readily available to be managed. These disparate sources can include a flat file of input for interns or student nurses, credentialing data from the medical staff office, or ad hoc requirements for data input. Once there is visibility into contingent worker identities, access can then be properly managed.

When contingent workers have more access than they need, attackers have more opportunity to target users with elevated access levels, which increases risk. This risk becomes greater when the excess privileges are unused, because malicious use of that access can go undetected. Together, these factors make it difficult to limit risk within the health system, especially as non-employees join or leave organizations within a compressed time period.

The Priority on Healthcare Information Security
Information security is a leading priority in healthcare today—and for good reason. Healthcare organizations are primary targets for attacks because of the amount of sensitive data they protect. A recent study published in the Annals of Internal Medicine found that 70 percent of breaches targeted demographic or financial information rather than medical information only.

Unfortunately, when accounts are not managed properly, they can be more easily compromised and potentially lead to costly data breaches. According to the 2019 Cost of a Data Breach Report by the Ponemon Institute, data breaches across healthcare organizations cost an average of $6.45 million, higher than any other industry. With the rise of electronic health records, healthcare organizations must continue to pursue strategies and programs that protect sensitive information. So what can healthcare organizations do to mitigate identity risks for contingent workers?

#1: Automate Provisioning Processes Around the User Lifecycle
Mitigating risks associated with contingent workers starts with automating provisioning processes around the user lifecycle. This begins with their first relationship in the health system and all the complexities mentioned above in identifying multiple sources of truth. It concludes with contingent workers separating from the organization. In between these events are multiple changes that must be closely managed.

Within the user lifecycle, onboarding is typically the first step, where new contingent workers receive initial access to appropriate systems. Once onboarded, they may need different access, particularly if transferred. This occurs when healthcare professionals change job roles or need to perform different duties within a separate department. Frequently, these workers need access to a certain set of resources when performing one role and a separate set of resources in another. It is essential that this ‘multiple persona’ requirement is not overlooked.

Another key consideration is to develop roles that can be easily applied as contingent workers arrive and acquire new job requirements. Granting too much access by copying users or applying a broad user template introduces risk. Leveraging modern role design means easily seeing access that should and should not be included. This is done visually by examining clusters of access across individual users to see commonality for establishing a clearly defined role.

The last stage occurs when a contingent worker leaves the organization, either voluntarily or involuntarily. In either case, accounts should be automatically disabled, so that users have no opportunity to retain access to data after their departure. Automating the disabling step through connector technology speeds this up.
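The joiner/mover/leaver cycle described in this section, as an added example that is not Core Security's code or the article's own: a reconciliation routine that derives every access change from a role catalogue rather than by copying an existing user, handles a worker holding two roles at once (the 'multiple persona' case), disables accounts whose contract end date has passed, and disables orphan accounts that have no identity record at all. The role names, entitlements, worker records and review date are all constructed sample data.

```python
from datetime import date

# Hypothetical role catalogue (constructed): entitlements each job role grants.
ROLE_ENTITLEMENTS = {
    "student_nurse": {"ehr_read", "badge_clinical"},
    "contract_rn": {"ehr_read", "ehr_write", "med_dispense", "badge_clinical"},
    "billing_contractor": {"billing_read", "billing_write"},
}

def reconcile(workers, accounts, today):
    """Compute joiner/mover/leaver actions as (action, worker_id, entitlements).
    workers: identity records merged from HR/credentialing feeds, each
             {"id", "roles" (set; more than one = 'multiple persona'), "end_date"}
    accounts: what target systems hold today, id -> {"entitlements", "enabled"}"""
    actions = []
    for w in workers:
        acct = accounts.get(w["id"])
        if w["end_date"] < today:                    # leaver: disable, so access cannot linger
            if acct and acct["enabled"]:
                actions.append(("disable", w["id"], set()))
            continue
        desired = set().union(*(ROLE_ENTITLEMENTS[r] for r in w["roles"]))
        if acct is None:                             # joiner: create from roles, never by copying a user
            actions.append(("create", w["id"], desired))
            continue
        to_grant = desired - acct["entitlements"]    # mover: role added or changed
        to_revoke = acct["entitlements"] - desired
        if to_grant:
            actions.append(("grant", w["id"], to_grant))
        if to_revoke:
            actions.append(("revoke", w["id"], to_revoke))
    known = {w["id"] for w in workers}
    for acct_id, acct in accounts.items():           # orphan: account with no identity record
        if acct_id not in known and acct["enabled"]:
            actions.append(("disable", acct_id, set()))
    return actions

# Constructed sample: a joiner, a two-persona mover, an expired contract, an orphan.
SAMPLE_WORKERS = [
    {"id": "cw-101", "roles": {"student_nurse"}, "end_date": date(2020, 6, 30)},
    {"id": "cw-102", "roles": {"contract_rn", "billing_contractor"}, "end_date": date(2020, 12, 31)},
    {"id": "cw-103", "roles": {"contract_rn"}, "end_date": date(2020, 1, 15)},
]
SAMPLE_ACCOUNTS = {
    "cw-102": {"entitlements": {"ehr_read", "badge_clinical"}, "enabled": True},
    "cw-103": {"entitlements": {"ehr_read", "ehr_write", "med_dispense", "badge_clinical"}, "enabled": True},
    "cw-999": {"entitlements": {"billing_read"}, "enabled": True},
}
REVIEW_DATE = date(2020, 3, 1)  # constructed date on which the reconciliation runs
```

Running `reconcile(SAMPLE_WORKERS, SAMPLE_ACCOUNTS, REVIEW_DATE)` yields one create, one grant covering both of cw-102's roles, and two disables (the expired contract and the orphan).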

#2: Simplify the Review Process for Contingent Worker Access
Health systems that view regulatory compliance through the lens of identity governance recognize they should monitor access continuously. Within the climate of compliance, it is imperative for healthcare organizations to review non-employee user access as well. Access reviews must be easy, so managers do not 'rubber stamp' approvals for all contingent workers.

While many healthcare systems use a manual process, a more intelligent approach is a must-have to start grouping like-access privileges together and speed the process. This enables managers to understand which users have access to specific systems and which are outliers. This is especially important for contingent workers, where access levels may be more difficult to identify because HR categorizations, like job code, department, and location, may be lacking.

Since the time between new provisioning and the next review process can be fairly lengthy, it is also important to have a set of controls that can quickly identify anomalous access, especially when that access violates an important policy, such as segregation of duties or privileged access. Micro-certifications allow managers to be alerted when a contingent worker may have changed access or if access is gained through an outside process, referred to as out of band. This allows appropriate personnel to perform an immediate review associated with the event.
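The review logic this section and the role-design passage in #1 describe, as an added example that is not Core Security's code or the article's own: it clusters each role's common access from its members (the "commonality" used to define a role), flags workers whose entitlements fall outside that cluster as outliers, flags entitlements absent from the governance tool's own provisioning ledger as out-of-band grants, and raises privileged-access and segregation-of-duties findings that should trigger an immediate micro-certification. The entitlement names, policy pairs, workers and ledger are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample data: entitlements each contingent worker holds today,
# what the governance tool itself provisioned, and each worker's role.
CURRENT = {
    "cw-201": {"ehr_read", "ehr_write", "med_dispense"},
    "cw-202": {"ehr_read", "ehr_write", "med_dispense", "billing_write"},
    "cw-203": {"ehr_read", "ehr_write", "med_dispense", "domain_admin"},
    "cw-204": {"ehr_read"},
}
PROVISIONED = {
    "cw-201": {"ehr_read", "ehr_write", "med_dispense"},
    "cw-202": {"ehr_read", "ehr_write", "med_dispense", "billing_write"},
    "cw-203": {"ehr_read", "ehr_write", "med_dispense"},
    "cw-204": {"ehr_read"},
}
ROLES = {"cw-201": "contract_rn", "cw-202": "contract_rn",
         "cw-203": "contract_rn", "cw-204": "student_nurse"}
# Hypothetical policy: one segregation-of-duties pair and one privileged entitlement.
SOD_PAIRS = [({"med_dispense"}, {"billing_write"})]
PRIVILEGED = {"domain_admin"}

def role_baseline(current, roles, threshold=0.5):
    """Cluster access per role: an entitlement is part of the role's baseline
    when at least `threshold` of the role's members hold it."""
    members = defaultdict(list)
    for uid, role in roles.items():
        members[role].append(current[uid])
    baseline = {}
    for role, ent_sets in members.items():
        counts = Counter(e for ents in ent_sets for e in ents)
        baseline[role] = {e for e, n in counts.items() if n / len(ent_sets) >= threshold}
    return baseline

def review(current, provisioned, roles):
    """Return (worker_id, finding, entitlements) tuples for a reviewer to act on."""
    findings = []
    baseline = role_baseline(current, roles)
    for uid, ents in current.items():
        outliers = ents - baseline[roles[uid]]             # beyond the role's common access
        if outliers:
            findings.append((uid, "outlier", outliers))
        out_of_band = ents - provisioned.get(uid, set())   # granted outside the IGA process
        if out_of_band:
            findings.append((uid, "out_of_band", out_of_band))
        if ents & PRIVILEGED:
            findings.append((uid, "privileged", ents & PRIVILEGED))
        for left, right in SOD_PAIRS:                      # toxic combination held together
            if left <= ents and right <= ents:
                findings.append((uid, "sod_violation", left | right))
    return findings
```

On the sample, cw-201 and cw-204 produce no findings, cw-202 is an outlier with a segregation-of-duties violation that was nonetheless provisioned through the proper process, and cw-203 holds a privileged entitlement that was granted out of band.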

#3: Ensure Strong Password Management and Authentication of Contingent Workers
With so many applications and devices, it can be difficult for healthcare organizations to ensure non-employees are adhering to password policies. It is essential to have a strong password management solution and maintain password policies that enforce complexity and non-reuse rules. For the clinical worker, ease of use and 24×7 self-service availability is necessary to avoid interrupting patient care.

But this must be done in a way that leverages secure and flexible authentication methods. A variety of password reset authentication options, including mobile reset applications, telephone-based keypad resets, or voice biometrics increase user adoption rates, while maintaining a secure reset channel. Healthcare organizations seeking to mitigate potential risks with contingent workers should enforce strong password management across the organization and look for a solution that delivers authenticated self-service password management.

The Journey to Intelligent Identity Governance
There is too much at stake for healthcare organizations today to ignore the importance of mitigating access risks for the contingent workforce. Investing in intelligent, efficient identity governance supports regulatory compliance, increases operational efficiencies, and enables healthcare organizations to safeguard valuable personal health and financial information. And this keeps professionals focused on providing quality care to patients.