Dang, wish I’d have had a good automated IGA system…

Wes Wright
May 07, 2020

I’ve worked in almost more places than I can remember and, believe it or not, I’ve never had an automated Identity Governance and Administration (IGA) system. I had some pieces, mind you, but I never had the whole, integrated thing at any of the places I’ve been before. Which is kind of ironic, since Imprivata has the best automated IGA system for healthcare available — Imprivata Identity Governance (IdG) — and I work here now.

There are three major pieces to a good automated IGA system: provisioning; governance, risk, and compliance (GRC); and de-provisioning. A good system integrates the three so that each feeds the next. When you provision a new identity, that event is recorded in the GRC piece; the GRC piece tracks what the identity was granted and did during its life; and when you de-provision, it tells you whether you caught everything.

It occurs to me, because I have some friends in the field who still, surprisingly, talk to me, that not having an automated IGA system during these times is particularly irksome. “Why?” you may ask. Well, let me tell you. If you’re anything like my friends, you’ve been adding, subtracting, and moving a ton of people around during this crisis.

If I were still in the field, I would have used brute force, simply adding FTEs to staff up whatever process I had in place. And, inevitably, I’d have missed a new clinician coming on to staff, and she/he wouldn’t have access to the systems/shares/applications needed to do their job on day one. We’d have scrambled to make it happen once we knew about it, but the reputational damage for IT would already have been done. Then I’d probably have missed someone who should have been deprovisioned (heck, that happened to me in real life, before these times!). Then, when my financial auditors did their yearly thing, they’d find that someone still had access to the ERP—someone who left months ago—and I’d have to report to the Board every quarter about how I wasn’t going to let that happen again.

The less obvious issue I’d have had, and most folks do have, is around the departmental movement of people. Personnel are getting reassigned all over the place to help with the crisis: ambulatory nurses are down in the ED or the isolation ward, revenue cycle folks are doing transport, and PMs are helping build out new bed capacity. Inevitably, when people move to these new locations, they need access to the systems and applications used in their new departments. So, you give them access.

Now — here’s the rub — most organizations aren’t keeping super great track of those moves, adds, and changes (and I wouldn’t have either, given the lack of systems), so when they have to be unwound, they sometimes aren’t. That leads to a condition I call “stacked shares.” That’s where the person who’s been working at your organization for forty years and has moved around to almost every administrative or clinical area within the organization has access to about 80% of your network shares, because she/he was never deprovisioned from ANY shares; the network shares just kept getting “stacked,” one on top of the other. That’s probably what’s happening in today’s environment as people move around to adapt to the crisis.

At the beginning of the crisis I thought it was going to be a surge in provisioning new folks that would make an automated IGA system almost mandatory, but since we mostly, thankfully, didn’t get that surge of new patients and providers, we didn’t have to deal with that. Because of that, I think the angst is actually going to come from the movement of FTEs to new locations within the organization and the subsequent movement of those folks back to their old departments.

The other thing that’s going to cause some angst is furloughs. What are you doing with them? Are you disabling and then re-enabling accounts? Re-provisioning when/if they come back? What if they come back in new roles? Then you’re back in the stacked shares situation. If you don’t (and I didn’t) have an automated IGA system to help you keep track of these movements through an integrated GRC system, I’d bet dollars to donuts you’re going to be saying, “dang, wish I’d have had a good automated IGA system…”
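To make the joiner/mover/leaver problems above concrete, here is an added example (not from the post, and not Imprivata's product code) of the reconciliation check an IGA system automates: compare the HR system of record against what IT actually granted, and flag leavers who still hold access, furloughed staff whose accounts are still live, movers who kept old-department access (stacked shares), and new hires with no day-one access. The department role model, the auditor-sensitive entitlement list, and the people in the scenario are all constructed for illustration.

```python
"""Joiner/mover/leaver reconciliation (constructed example).

Reconciles an HR feed (status + department) against an entitlement
snapshot and reports the failure modes an automated IGA system exists
to catch. All data below is made up for the illustration.
"""
from dataclasses import dataclass, field

# Expected entitlements per department. A real IGA system derives this
# from HR attributes or role mining; here it is a constructed baseline.
ROLE_MODEL = {
    "Ambulatory": {"share:ambulatory", "app:emr", "app:scheduling"},
    "ED": {"share:ed", "app:emr", "app:ed-tracking"},
    "RevCycle": {"share:revcycle", "app:erp", "app:billing"},
    "Transport": {"share:transport", "app:transport-dispatch"},
}

# Entitlements the financial auditors care about (constructed list).
SOX_SENSITIVE = {"app:erp", "app:billing"}


@dataclass
class Person:
    emp_id: str
    name: str
    status: str          # "active", "furloughed" or "terminated" (HR feed)
    department: str      # current department per HR
    entitlements: set = field(default_factory=set)  # what IT actually granted


def move(person: Person, new_department: str, remove_old: bool) -> None:
    """Mover flow. remove_old=False is the manual process that produces
    'stacked shares': new access is added, old access is never taken away."""
    old_expected = ROLE_MODEL.get(person.department, set())
    person.department = new_department
    person.entitlements |= ROLE_MODEL[new_department]
    if remove_old:
        # Drop only what the old role granted and the new role does not need.
        person.entitlements -= old_expected - ROLE_MODEL[new_department]


def leave(person: Person, deprovision: bool) -> None:
    """Leaver flow; deprovision=False is the missed de-provisioning case."""
    person.status = "terminated"
    if deprovision:
        person.entitlements.clear()


def reconcile(people: list[Person]) -> list[tuple[str, str, frozenset]]:
    """Return (finding, emp_id, entitlements) tuples.
    orphaned - terminated in HR but still holds access (the audit finding)
    furlough - furloughed in HR but account still holds access
    stacked  - active, holds access outside the current role baseline
    missing  - active, lacks access the current role requires (day-one gap)
    """
    findings = []
    for p in people:
        expected = ROLE_MODEL.get(p.department, set())
        if p.status == "terminated":
            if p.entitlements:
                findings.append(("orphaned", p.emp_id, frozenset(p.entitlements)))
            continue
        if p.status == "furloughed":
            if p.entitlements:
                findings.append(("furlough", p.emp_id, frozenset(p.entitlements)))
            continue
        extra = p.entitlements - expected
        if extra:
            findings.append(("stacked", p.emp_id, frozenset(extra)))
        gap = expected - p.entitlements
        if gap:
            findings.append(("missing", p.emp_id, frozenset(gap)))
    return findings


def sox_exposures(findings):
    """Findings that touch auditor-sensitive entitlements (report these first)."""
    return [f for f in findings if f[2] & SOX_SENSITIVE]


def build_sample() -> list[Person]:
    """Constructed scenario mirroring the post's crisis-era moves."""
    nurse = Person("E001", "Nurse", "active", "Ambulatory", set(ROLE_MODEL["Ambulatory"]))
    move(nurse, "ED", remove_old=False)          # redeployed to the ED, old shares kept
    move(nurse, "Ambulatory", remove_old=False)  # sent back; ED access stays behind
    biller = Person("E002", "Biller", "active", "RevCycle", set(ROLE_MODEL["RevCycle"]))
    move(biller, "Transport", remove_old=True)   # automated mover: old access removed
    leaver = Person("E003", "Leaver", "active", "RevCycle", set(ROLE_MODEL["RevCycle"]))
    leave(leaver, deprovision=False)             # left months ago, ERP access still live
    newhire = Person("E004", "NewHire", "active", "ED")           # nothing on day one
    furloughed = Person("E005", "Furloughed", "furloughed", "Ambulatory",
                        set(ROLE_MODEL["Ambulatory"]))            # never disabled
    return [nurse, biller, leaver, newhire, furloughed]


if __name__ == "__main__":
    results = reconcile(build_sample())
    for finding, emp_id, ents in results:
        print(f"{finding:9} {emp_id} {sorted(ents)}")
    print("auditor-sensitive:", [f[1] for f in sox_exposures(results)])
```

In the sample, the nurse who went to the ED and came back is flagged as "stacked" with the ED share and application she no longer needs, the biller moved by the automated flow produces no finding, the leaver shows up as "orphaned" and is the one auditor-sensitive exposure, the new hire is "missing" all ED access, and the furloughed account is flagged because it was never disabled. Running this against a nightly HR export and an AD/ERP group dump is the manual version of what the integrated GRC piece does continuously.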