
May 27, 2020

Identity and Access Management in the Healthcare Industry

Image credits: Julia Sowells

Healthcare records are among the most valuable, highest-priced types of information sold on the dark web. For that reason, healthcare organizations need a strong and secure Identity and Access Management (IAM) system to protect their information, while making sure that the extra security does not slow down time-sensitive clinical work. Regions with good centralized healthcare management systems share patient information and medical records across hospitals within the region, so that a patient's medical history is available quickly wherever they are treated. Sharing information this way requires a solid identity and access management platform as the central backbone: one that connects the systems involved, authenticates users, and gives healthcare professionals and patients quick but secure access across multiple systems.

Let’s take a closer look at the IAM-specific functionality that is used in healthcare.

Single Sign On

On a daily basis, a healthcare professional uses many different systems within the hospital: to access patient information, authorize the administering of medication, keep track of procedures done on a patient, schedule surgery, and so on. In the busy working environment of a hospital, users simply do not have time to remember a separate password for each system and log into each one individually.

With single sign-on in place, including across protocols (for example, applications that use SAML and applications that use OpenID Connect sharing one authenticated session), healthcare users authenticate once and gain secure access to every system they need, without the hassle of proving their identity again and again.

Maintaining a Single Account With Multiple Identities

One of the most basic features of an IAM solution is to let users maintain a single account that is recognized across multiple applications. Consider a patient who regularly visits the same hospital but has to register separately for different services: filling out an admissions form, booking an appointment with a specialist, buying medication, checking test results, and so on. The result is that the healthcare provider maintains multiple siloed identity records for the same person, and the patient needs a different login for each common task.

With an IAM solution acting as the central identity store, this patient provides their information once and then uses the same account and credentials across all of these applications.

Real-Time Provisioning and Secure Access Control With XACML

One of the primary reasons healthcare vendors and hospitals need a good, stable IAM solution is to ensure secure access to information. To understand why, think about how many different roles exist in a single hospital and how varied their daily interactions with applications are. Even the single role "doctor" covers many levels of seniority and many specializations, so this "role" is too generic for a simple access control scenario and needs to be broken down further. In other words, we need fine-grained access control.

When we factor in an increasingly fluid staff that includes visiting surgeons, residents, part-time doctors, etc., who need limited privileges and access to the hospital's data in real time, access control becomes an even bigger challenge. This can be handled with just-in-time (JIT) provisioning: a visiting specialist authenticates through a trusted identity provider, an account is created in the hospital's system at first login, and that account carries only the limited access they need for their engagement. A good IAM solution is key to handling this kind of complex role-based access control with fine-grained permission levels.

To handle the fine-grained access control requirements, XACML policies can be defined to manage access to patient health data. Modern health services generally store medical data in a central health repository that is exposed via a web service, and in most cases this has complex authorization requirements. To give a very simple example, a user with the role "doctor" should be able to update a patient's medical record but not erase it, and so should have access to the "edit data" and "view data" operations of the web service but not to the "delete record" operation. Now let's apply a real-world restriction to this rule in order to protect the data more tightly: a physician should only have access to a patient's data for a given period after being assigned to that patient, not indefinitely. Once the patient has been treated and the required after-care period has passed, the physician should no longer have access.

Identity relationship management adds a further requirement: a general practitioner (GP), i.e. the patient's "family doctor", keeps access to the patient's data for as long as they are registered as that patient's GP, whereas the same open-ended access would not be extended to a physician performing a one-time elective surgery. All of these complexities can be handled by a good identity and access management solution such as WSO2 Identity Server acting as the XACML policy decision point.
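As an added example (not code from the original post, and not an actual XACML policy document), here is a small Python policy decision function that expresses the three rules above the way a XACML PDP would combine them under deny-overrides: a role rule (a doctor may view and edit, never delete), a time-bounded assignment rule for episodic care, and an open-ended rule for a registered GP. The assignment record layout, the 30-day after-care window and all identifiers are assumptions for illustration; in a real deployment these attributes would be fetched from the health repository by a policy information point.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


# Assumed record layout for a physician-to-patient assignment in the central
# health repository; in a XACML deployment a PIP would supply these attributes.
@dataclass(frozen=True)
class Assignment:
    physician: str
    patient: str
    kind: str                              # "gp" = registered family doctor, "episode" = one-off care
    start: date
    treatment_end: Optional[date] = None   # None while treatment is ongoing
    aftercare_days: int = 30               # assumed after-care window for episodic care

    def active_on(self, day: date) -> bool:
        """Does this assignment grant access on the given day?"""
        if day < self.start:
            return False
        if self.kind == "gp":
            # A registered GP keeps access for as long as the registration stands.
            return True
        if self.treatment_end is None:
            return True                    # still under treatment
        # Episodic care: access ends once the after-care window has elapsed.
        return day <= self.treatment_end + timedelta(days=self.aftercare_days)


# Rule 1 (role target): which web-service operations each role may ever call.
# "delete" is deliberately absent for every role.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "doctor": {"view", "edit"},
    "nurse": {"view"},
}


def decide(role: str, subject: str, patient: str, action: str,
           assignments: List[Assignment], today: date) -> str:
    """Return 'Permit' or 'Deny' with deny-overrides combining: a failing rule
    denies outright, and a request matched by no permit rule is denied by
    default (XACML's NotApplicable collapses to Deny at this enforcement point)."""
    # Rule 1: the operation must be allowed for the caller's role.
    if action not in ROLE_ACTIONS.get(role, set()):
        return "Deny"
    # Rules 2 and 3: the caller must hold an assignment to this patient that is
    # active today (open-ended for a GP, time-boxed for episodic care).
    for a in assignments:
        if a.physician == subject and a.patient == patient and a.active_on(today):
            return "Permit"
    return "Deny"


# Constructed sample data for the demonstration (not real identifiers).
ASSIGNMENTS: List[Assignment] = [
    # Surgeon assigned for an operation that ended 2020-05-01, 30-day after-care window.
    Assignment("dr-surgeon", "patient-42", "episode", date(2020, 4, 20),
               treatment_end=date(2020, 5, 1)),
    # Registered GP since January 2019, no end date.
    Assignment("dr-gp", "patient-42", "gp", date(2019, 1, 10)),
]


if __name__ == "__main__":
    for role, who, action, day in [
        ("doctor", "dr-surgeon", "edit", date(2020, 5, 20)),    # inside after-care window
        ("doctor", "dr-surgeon", "delete", date(2020, 5, 20)),  # delete is never permitted
        ("doctor", "dr-surgeon", "view", date(2020, 7, 1)),     # window has closed
        ("doctor", "dr-gp", "view", date(2020, 7, 1)),          # GP retains access
        ("doctor", "dr-other", "view", date(2020, 5, 20)),      # never assigned
    ]:
        verdict = decide(role, who, "patient-42", action, ASSIGNMENTS, day)
        print(f"{day} {role}/{who} {action:6} -> {verdict}")
```

The order of the checks matters: the role rule is evaluated first so that a "delete" request is denied regardless of any assignment, which is exactly what a deny-overrides combining algorithm guarantees when the same rules are written as XACML.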

APIs

APIs and microservices can be used to collect and update patient data efficiently and securely. Healthcare APIs are an essential part of regionalized healthcare management. Using APIs, hospitals and medical offices can share data within a region or area in order to gain quick access to patient information, reduce errors, and improve overall efficiency.

Another way APIs help provide better patient care is by capturing every part of the patient's journey through the hospital. A patient may enter the hospital for a simple appointment that later escalates into multiple tests and scans, medications, surgery, post-care appointments, etc. With standardized APIs across all these services, the medical industry, or at least the hospitals of a particular region, can avoid leaving this data in disconnected silos and instead assemble it into a full and detailed record of the patient's healthcare story.

Progressive Profiling and Analytics

Treating the healthcare platform as a Customer Identity and Access Management (CIAM) project can be a good approach to gain medical insights. A unified view of a collection of patient information this big can be used to help profile or categorize patients to gain insight into trends regarding patient care. Analytics can also help towards getting measurable statistics and consequently, can also help make better and more meaningful medical decisions.

Adaptive Authentication

Healthcare data is constantly under attack because of its value, and the consequences of the wrong person gaining access to it could be critical, even life-threatening. At the same time, it would be tedious and a waste of time for healthcare professionals to go through two or three levels of proving their identity on every login, when they barely have time to do it once.

Adaptive authentication can be configured to prompt for extra authentication steps only when the login or the requested action is unusual or high-risk in some way (e.g., authorizing a higher dosage of a high-risk medicine, or logging in from a new location or device).
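To make that step-up rule concrete, here is an added Python example (not code from the original post and not WSO2 Identity Server's own adaptive authentication scripting) of the risk check an adaptive flow would run after the first factor succeeds: it compares the request against the user's known devices and countries, inspects the action being authorized, and demands a second factor only when a signal fires. The per-user history, the dose threshold, the factor names and all identifiers are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AuthContext:
    """What the authentication step knows about this request (assumed fields)."""
    user: str
    device_id: str            # device fingerprint or registered device identifier
    country: str              # derived from the client IP by the IAM server
    action: str               # the operation the user is about to perform
    drug_high_risk: bool = False
    dose_mg: float = 0.0


# Constructed per-user history an IAM server would accumulate (not real data).
KNOWN_DEVICES: Dict[str, Set[str]] = {"dr-lee": {"ward-pc-07", "lee-phone"}}
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"dr-lee": {"LK"}}

# Assumed clinical policy value: a high-risk drug above this dose needs a second factor.
MAX_DOSE_WITHOUT_STEP_UP_MG = 50.0


def step_up_reasons(ctx: AuthContext) -> List[str]:
    """Return the risk signals for this request; an empty list means the
    first factor is sufficient. A user with no history trips both checks."""
    reasons: List[str] = []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        reasons.append("unknown device")
    if ctx.country not in KNOWN_COUNTRIES.get(ctx.user, set()):
        reasons.append("unusual location")
    if (ctx.action == "authorize_medication" and ctx.drug_high_risk
            and ctx.dose_mg > MAX_DOSE_WITHOUT_STEP_UP_MG):
        reasons.append("high-risk medication above dose threshold")
    return reasons


def required_factors(ctx: AuthContext) -> List[str]:
    """Password only for a routine request; password plus TOTP if any signal fires."""
    return ["password", "totp"] if step_up_reasons(ctx) else ["password"]


def record_step_up_success(ctx: AuthContext) -> None:
    """After a successful second factor, remember the device and country so the
    same clinician is not challenged again for the same context. The dose
    signal is intentionally not remembered: each risky order is re-challenged."""
    KNOWN_DEVICES.setdefault(ctx.user, set()).add(ctx.device_id)
    KNOWN_COUNTRIES.setdefault(ctx.user, set()).add(ctx.country)


if __name__ == "__main__":
    samples = [
        AuthContext("dr-lee", "ward-pc-07", "LK", "view_record"),
        AuthContext("dr-lee", "cafe-laptop", "LK", "view_record"),
        AuthContext("dr-lee", "ward-pc-07", "DE", "view_record"),
        AuthContext("dr-lee", "ward-pc-07", "LK", "authorize_medication",
                    drug_high_risk=True, dose_mg=80.0),
    ]
    for ctx in samples:
        print(f"{ctx.device_id}/{ctx.country}/{ctx.action}: "
              f"{required_factors(ctx)} {step_up_reasons(ctx) or ''}")
```

Keeping the decision in a function that returns the list of reasons, rather than a bare yes/no, gives the audit log something meaningful to record and lets the same signals drive different step-up methods later.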

User Managed Access

An increasingly common requirement is that patients want to share sensitive health data collected by IoT devices and wearables such as smartwatches, but struggle to do this in a secure and controlled manner. Enabling patients to share this data would help improve health outcomes, the quality of patient care, and patient satisfaction.

IAM solutions can provide user-managed access (UMA) mechanisms, in which the patient, as the resource owner, decides which providers may access which of their data and under what conditions, enabling this level of controlled data sharing between patients and healthcare providers.

Workflows

Many healthcare procedures, including the administering of certain medication or the scheduling of surgery, require approval from multiple people. For example, a single surgery can require approval from a senior specialist as well as consent from the patient or guardian. Requirements like these can be handled by using the IAM solution to set up approval workflows and to coordinate the communication between the different systems involved.

These are just a few ways in which IAM functions contribute to better digital operations in healthcare. WSO2 Identity Server is one such IAM product that provides comprehensive support and strong functionality to kickstart building a centralized and regionalized healthcare system in your area. Learn more about how WSO2 offers a robust healthcare solution with our integration platform.