When compliance dashboards and annual audits are not enough

Originally posted: October, 2017

Compliance officers can review data, search audit logs, and monitor areas of concern with most IAM products on the market. In fact, in 2015 it was reported that 82% of organizations undertake enterprise-wide compliance risk assessments and two-thirds of those organizations conduct assessments annually, if not more frequently. [1] However, risk assessment processes can be labor-intensive, complicated, and expensive, while barely breaking the surface of vulnerabilities and risk. Without the right tools in place, it would be a nearly impossible task for a compliance officer to know the intricate details of every position in the hospital and, further, every position’s dependencies on medical software applications.

Imprivata Provisioning Identity Management is more than just a compliance and identity management dashboard. It also offers the checks and balances to manage and protect a hospital’s infrastructure, as well as the staff’s and patient’s PHI. Using Imprivata Provisioning Identity Management’s compliance task feature, a review task can be scheduled or run ad-hoc to generate a real-time data report. The report can be assigned to managers across the organization to confirm their direct reports’ access permissions within assigned applications. Imagine taking any set of data you wish to have reviewed – orphaned accounts, mismatched access, inactive users – and assign it. The process is simple, intuitive, and deeply connected to the existing needs of the IT infrastructure given that it is all built into the same tool.

Drawbacks of periodic access reviews

There is still a gap left in this periodic review process: “If access reviews are performed every six to 12 months, as is common in most organizations, what happens in-between the reviews? People change roles or leave the organization. Projects end. Yet those privileges remain longer than is necessary, even if good certifications result in accurate revocations every six months.” [2] With the ability to see user creation, modification, and removal, review tasks can be created and assigned to managers to confirm inaccurate or lingering permissions and accounts that are no longer necessary. If a manager forgets to complete their task, reminder emails can be automatically sent. If a manager cannot review all tasks at one time, he or she can simply save their progress and come back to complete it at a more convenient time. Further, the compliance task administrative view will let IT and compliance staff quickly determine which managers are out of compliance on their review. Tasks can easily be reassigned and escalated if necessary to ensure all are completed in a timely manner. In the future, if access needs to be reviewed, a manager can simply search for the review task and pull up the audit, comments, and complete access for a user.

Compliance dashboards for faster audits

Who has time to set aside months to prepare for auditors and their requested documents? With Imprivata Provisioning Identity Management, a compliance team can grant auditors access to read-only compliance task administrative dashboards and let them review full historic audit logs, user access reports, and entitlement records, including the data output of review, comments, timestamps, and acknowledgements for the report in question. This information can be easily shared and accessed, without any additional work by staff – allowing hospital teams to stay focused on their workloads and daily responsibilities.

Imprivata integrated access and identity management

Pairing the information revealed by Imprivata Provisioning Identity Management and Context Management audit data, a user can find mismatched access privileges, unauthorized access to patient data, and inactive accounts. The power of an integrated identity management and access management solution allow compliance and security officers to have an easy view into potential risk areas within the organization and allow remediation with just a few clicks. Healthcare IT is rapidly changing to support continual risk assessment tasks, such as monitoring for protocol breaches, maintaining role and application access, and facilitating frequent managerial review across the organization. A hospital’s IT compliance teams should seek and support the integration of tools that provide stronger monitoring and protection across the organization, saving them precious time in the process.

[1] https://www2.deloitte.com/content/dam/Deloitte/us/Documents/regulatory/us-aers-reg-crs-2015-compliance-trends-survey-051515.pdf
[2] http://techspective.net/2016/05/24/closing-loopholes-identity-governance-minimize-risk/