In a survey we conducted of CHIME members, 65 percent of those surveyed didn’t have a long-term strategy for Identity Governance and Administration (IGA). If you’re feeling the same, you can rest assured that you’re not alone. IGA is often mistakenly viewed as a technology project, but it’s really a business transformation program. In fact, this is likely why many organizations struggle to get IGA deployed. It should be a strategy that is built based on an organization’s challenges and an ongoing program that evolves with an organization.
The goal of this post is to help you prepare for a successful IGA program by considering where it fits in your organization and how you can prioritize getting started. This includes identifying a clear vision, evaluating your current setup and users, knowing who should play a role, and selecting the right solution partner.
1. Identify your priorities for today and the future
IGA should be viewed as a journey, not a destination. We like to compare it to filling in a mosaic piece by piece. It’s not necessary to tackle everything at once, but an overall vision and understanding of your top priorities is important.
Examples of possible priorities for your organization:
Operational lifecycle efficiencies: A student nursing program that creates hundreds of new identities that must be removed on a quarterly basis.
Compliance & audit: An audit risk noted by an internal or external auditor emphasizes a need for improved auditing and compliance reporting.
Cloud first strategy (SaaS): A cloud first/SaaS strategy that is driving all technology decisions to eliminate on-premises applications and/or infrastructure.
Access certifications (periodic access reviews): Clinical Users, whether owned or affiliated clinics, need periodic access reviews.
What are your top three priorities and how do they fit into your plan for the next 3-5 years? It will be necessary to look at your organizational priorities for today as well as the future. Do you have a static identity population? Or do you have many joiners, movers and leavers creating an abundance of provisioning and user lifecycle events that require an organized, repeatable, and automated workflow to handle those events? Defining your priorities will help you tackle the most important aspects of IGA and gain value from the beginning.
2. Take a deep dive into your organization
The next step in your IGA journey is to identify all your networks and applications to help determine where protected health information (PHI) is located and who should have access. We recommend the following steps:
Identify and categorize
Networks and applications that are accessed by users
User communities (employees, non-employed physicians & staff, vendors, contractors, and volunteers)
Where sensitive data is located
Identify and review
On-premises and remote access methods & options
Access review processes
Connectivity infrastructure
3. Identify who needs to play a role
Who needs to play a role in your IGA program, and how do you engage them?
Primarily, the CISO (Chief Information Security Officer) or CIO will be driving the strategy; however, they will need collaboration from other department heads.
Compliance will want to provide input on the frequency and depth of periodic access reviews because they are the ones reporting findings to internal and external auditors.
Human Resources should be involved because employee job codes are components of role-based access, and new hires and/or role changes need to flow through the system in a timely manner.
Of course, other key decision makers at your organization like finance, the CTO and the CEO may need to be consulted to make sure your goals and strategy are aligned.
Understanding who has access, the level of access, and how often their access is reviewed is a team effort. Ultimately, it’s critical in modern healthcare delivery that the entire organization understands the security of access and information.
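To make the lifecycle and role-based access ideas above concrete, here is a small added example that is not Forward Advantage's code and is not taken from Imprivata or SailPoint. It models how an IGA workflow turns HR joiner/mover/leaver events and job codes into provisioning actions, and how it builds a queue of accounts that a periodic access review should look at (unknown job codes and orphaned accounts with no HR record). The job codes, entitlement names, user IDs, HR feed and current-access snapshot are all constructed for the illustration.

```python
"""Joiner/mover/leaver (JML) reconciliation sketch.

Compares an HR feed (source of truth for job codes and employment status)
against the access users currently hold in target applications, and produces
a plan: what to grant, what to revoke, whom to disable, and whom to send to
an access review. Everything below is constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role model: HR job code -> entitlements that role is expected to hold.
ROLE_MODEL = {
    "RN01": {"ehr_clinical", "email", "vpn"},        # staff nurse
    "RN_STUDENT": {"ehr_readonly", "email"},         # student nursing rotation
    "BILL02": {"billing_app", "email"},              # billing specialist
}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    job_code: str
    status: str  # "active" or "terminated"


@dataclass
class Plan:
    grant: dict = field(default_factory=dict)    # user_id -> entitlements to add
    revoke: dict = field(default_factory=dict)   # user_id -> entitlements to remove
    disable: set = field(default_factory=set)    # leavers whose accounts get disabled
    review: dict = field(default_factory=dict)   # user_id -> reason it needs a human review


def reconcile(hr_feed, current_access):
    """Build a provisioning plan from the HR feed and current application access.

    hr_feed: list of HrRecord.
    current_access: dict of user_id -> set of entitlements currently held.
    """
    plan = Plan()
    hr_by_id = {rec.user_id: rec for rec in hr_feed}

    for rec in hr_feed:
        held = current_access.get(rec.user_id, set())

        if rec.status == "terminated":
            # Leaver: disable the account and revoke anything still held.
            plan.disable.add(rec.user_id)
            if held:
                plan.revoke[rec.user_id] = set(held)
            continue

        expected = ROLE_MODEL.get(rec.job_code)
        if expected is None:
            # No role mapping for this job code: do not guess, route to review.
            plan.review[rec.user_id] = f"unknown job code {rec.job_code}"
            continue

        missing = expected - held   # joiner, or mover gaining the new role's access
        extra = held - expected     # mover still holding the old role's access
        if missing:
            plan.grant[rec.user_id] = missing
        if extra:
            plan.revoke[rec.user_id] = extra

    # Orphans: accounts with access in applications but no HR record at all.
    for user_id, held in current_access.items():
        if user_id not in hr_by_id and held:
            plan.review[user_id] = "no HR record (orphaned account)"

    return plan


def demo():
    """Run the reconciliation over a constructed HR feed and access snapshot."""
    hr_feed = [
        HrRecord("u100", "RN01", "active"),            # joiner: no access yet
        HrRecord("u200", "BILL02", "active"),          # mover: was RN01, now billing
        HrRecord("u300", "RN_STUDENT", "terminated"),  # leaver: rotation ended
        HrRecord("u400", "XX99", "active"),            # job code with no role mapping
    ]
    current_access = {
        "u200": {"ehr_clinical", "email", "vpn"},
        "u300": {"ehr_readonly", "email"},
        "u999": {"ehr_clinical"},                      # no HR record: orphan
        "u500": set(),                                 # empty account, nothing to review
    }
    return reconcile(hr_feed, current_access)


if __name__ == "__main__":
    plan = demo()
    print("grant:  ", plan.grant)
    print("revoke: ", plan.revoke)
    print("disable:", plan.disable)
    print("review: ", plan.review)
```

The point of the `review` queue is that the workflow never silently decides about an account it cannot explain from HR data; those cases are exactly what Compliance wants surfaced in a periodic access review, while routine joiner, mover and leaver events are handled by the repeatable part of the process.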
4. Find the right partner
The most successful IGA programs start with a vision and are built by prioritizing current challenges. This reinforces that IGA is a business transformation that evolves as goals and risks change. After determining your vision and key challenges, look for the right partner or partners who can accompany you throughout your IGA journey. It’s their role to look at the broader picture and recommend the right fit for what you are trying to achieve.
Many vendors offer IGA services and solutions, but most serve a wide variety of industries and spread their integration expertise across many different applications. Another issue to consider is the organizational complexity and regulatory demands that an IGA vendor will need to understand when implementing a solution. Vendors with healthcare experience and knowledge of the applications used at your organization will be a key success factor.
The takeaway
As part of a critical industry, healthcare organizations are particularly vulnerable to data breaches. As mentioned in our last post, it’s not if a data breach or cybersecurity attack will happen, it’s when. The best time to start preparing is now, and the good news is that IGA has been around long enough for us to identify the best approaches for success:
Evaluate your current environment
Define your priorities and where you want to be in 3-5 years
Identify the key players
Team up with an experienced vendor who understands healthcare
Forward Advantage has been in the Identity and Access Management (IAM) space for well over a decade, and we branched into IGA to support our customers’ changing needs. As an authorized reseller and implementer of leading IGA solutions from Imprivata and SailPoint, we can help you select the right solution and approach for your unique organization.
If you're ready to get started with implementing one of our IGA solutions, reach out and contact us!
