Streamline healthcare processes with better Non-Employee Risk Management

The SailPoint Blog

Authored by Michael Conti, Product Marketing Manager

I recently had a chance to sit down with two of our customers in the healthcare industry to discuss the increasingly important challenges of managing non-employees within their organizations and how they’re solving that critical problem.

For most organizations, there’s no doubt that strong identity management is a critical part of overall corporate security: it improves security and compliance, makes IT more efficient and effective, and improves the user experience.

However, managing the identities of non-employees is rapidly becoming just as important, especially in areas such as healthcare, where there may be a rotating flow of traveling nurses, contractors, students, volunteers, and more.

Giving non-employee contractors, vendors, nurses, and others access to IT resources is a critical security risk that shouldn’t be managed manually or taken lightly. A survey by SailPoint showed that 54% of executives stated that inappropriate access granted to a non-employee or non-human had resulted in severe security issues such as loss of control of resources, data loss, and other direct security breaches.

“Our overall non-employee populations are really diverse: contractors, temp agencies, vendors, and even international traveling nurses from the Philippines,” said an Information Security Manager at a large nonprofit hospital group in the Pacific Northwest. “It all adds another layer of complexity because we’re onboarding them while they’re abroad. Each of the different users has different requirements and needs to work with different teams. It was chaos before implementing a non-employee risk management solution, with every department doing their own thing.”

With thousands of third-party non-employees to manage, it’s easy to see how complex the situation was for the healthcare company. For example, onboarding was done with emails and PDF forms. Every department had its own HIPAA forms. The whole thing was just messy, time-consuming, and painful to manage, both internally and for the external organization. On average, it took 20 emails back and forth between internal and external stakeholders for one new non-employee to be onboarded.

The situation was similar at the second major US healthcare company I interviewed, where they were managing nearly 2,000 non-employees on an ongoing basis.

“We have to manage a wide range of non-employees within our system,” said the Identity and Access Manager for a large mid-western U.S.-based nonprofit health system. “We have affiliate physicians, volunteers, students, clinicians, subcontractors, and people in small rural healthcare organizations that leverage our EPIC system. We tried to use ServiceNow to help, but it was never intended to be an HR identity source.”

Instead, to solve the challenge of managing non-employees, both healthcare companies deployed SailPoint Non-Employee Risk Management.

Non-Employee Risk Management allows organizations to define and manage risk-based identity access and lifecycle strategies for non-employees. The solution increases operational efficiency while keeping complex relationships as simple as possible, increasing compliance and reducing security risks.

When the mid-western healthcare group moved from its homegrown solution based on ServiceNow to SailPoint Non-Employee Risk Management, it undertook an enormous cleanup effort that paid off. “We’ve really improved our security posture by moving individuals out of ServiceNow, doing a complete audit review, and engaging with the core stakeholders for that population of workers,” said the Identity and Access Manager.

The Pacific Northwest hospital group’s move to SailPoint Non-Employee Risk Management has also paid off. By leveraging the solution’s automation capabilities, the company transformed the onboarding process, which used to take up to six weeks and 20 emails, into one that mainly happens within the application and will take an average of one to three days unless there’s an extraordinary situation.

Another significant benefit has been eliminating the free text fields, such as job titles, in the company’s previous system. Instead, all fields, such as position, department, and location, are now selectable from pre-defined data choices, ensuring consistency and dramatically improving data quality.

As with any significant deployment, it’s helpful to step back and learn what made the project successful or what tips other organizations should be aware of.

“One of the strategies that really helped our deployment was working closely with our seven different onboarding teams across the organization,” said the hospital group’s information security manager. “We engaged them and pulled them into the project to understand their needs and how they wanted the process to work. It’s critical to engage with your business users and end users.”

While healthcare organizations may have a larger percentage of non-employee users because of the structure of their business, all organizations need to take a close look at how they handle non-employee resources within their IT system and define a strategic solution to avoid potential security, compliance, and efficiency risks.