Access Management , Electronic Healthcare Records , Governance & Risk Management
Healthcare Case Study: Identity and Access Management
Robert Siebenthaler of PeaceHealth Describes Strategy for Massive Delivery SystemHow can a large healthcare delivery system efficiently handle identity and access management for thousands of clinicians and other users of patient data? Robert Siebenthaler of PeaceHealth explains how his organization, which operates 10 medical centers in the Pacific Northwest, has developed a fine-tuned, role-based approach.
"Today, we have 24,000 caregivers actively accessing our medical records, and about 5,000 roles because we have so many facilities - so we break them down by ... department and their specific job roles," says Siebenthaler, PeaceHealth's manager of identity and access.
"We have 100 percent role-based access for all of our Epic [electronic health record] users," he says in an interview with Information Security Media Group.
Now that granular role-based access has been established, the delivery system is working on implementing role-based access for up to an additional 300 clinical-based applications, whether they're software-as-a-service or on-premises, he says.
New Hires
PeaceHealth has also dramatically reduced the time it takes to onboard new users for role-based access, he says.
It formerly took about 25 days to provision a new physician or nurse practitioner, he says. But that time has been significantly cut as a result of PeaceHealth integrating an identity governance system from SailPoint Technologies, with credentialing software from Visual Cactus and PeaceHealth's human resources system, and some other internal database software, he says.
"Once we get the word to hire someone, within two or three days we can have a provider have full access to applications and birthright access that they need," he explains.
In the interview (see audio link below photo), Siebenthaler also discusses:
- How PeaceHealth authenticates its on-premises and remote users;
- How the organization provides system access to vendors and others who are not part of the organization's workforce;
- Efforts underway to help prevent falling victim to phishing and other cyberattacks.
Siebenthaler is manager of identity and access, security investigations and compliance at PeaceHealth, a healthcare organization in the Pacific Northwest that includes 10 medical centers and 250 ambulatory services clinics. He has more than 30 years of IT and engineering experience. Previously, he worked at Stanford's Lucile Packard Children's Hospital and Southwest Washington Medical Center. Before entering the healthcare industry, he was the director of technology assurance at IBM/FileNet for 16 years.