Welcome to my first article of two about Identity Management in the Aged Care industry. The industry is a particularly challenging one – with greater life expectancy and an ageing population, there will be ever increasing demand, and a declining workforce to retiree ratio will place a burden on revenue models to supply this demand. As such, there is an expectation of reduced cost of supply for greater benefit realisation.
As we are talking about a patient care industry, and not a technology industry, there is no danger of commoditisation. Care outcomes and reputation are paramount – unlike other industries facing similar growth and revenue models which have been commoditised, the capital required to be risked to be a supplier in the industry doesn’t permit on mass market shifts. The February 2017 deregulation of the Home Care sector and the future deregulation of Residential Aged Care may change this scenario.
Innovation and technology are likely to be part of the equation. In my articles, I will talk about a field of IT security which is important for two main reasons: compliance and digital engagement.
This field is Identity Management, which transcends mere technology and becomes a business issue, and one that you may or may not already be aware you are addressing.
Identity and Access Management, in its simplest form, is well described in Wikipedia as:
Identity and access management is the … discipline that “enables the right individuals to access the right resources at the right times and for the right reasons”
To give a real world analogy – you don’t just let anyone in the front door of your house, either you vet them by identifying them and the purpose of entry into your home (someone to read the electricity meter, for example), or you trust them explicitly by giving access at any time by giving them a key to the front door.
To bring it closer to home, imagine a scenario where your aged care service had weak passwords on a service protecting resident data, and someone targeted this service, infiltrated it and held this data to ransom for $30000. What if an ex-employee still had this password? With the right “keys” and “locks”, this scenario is far closer to a non-zero chance of happening.
The two parts of identity I will cover in these two articles are Corporate Identity, and Consumer Identity.
Corporate Identity Management relates to the control of employee/contractors (known as internals) access to digital assets within the organisation. There are two fold reasons for wanting to manage this:
- Adherence to corporate governance, regulation and risk profiles
- Reduced cost of business
In an ideal world:
- Employees/contractors would have the right access to the right systems from day one
- You could trust your employees to understand EVERY risk of their behaviour
- You could trust all of your employees all of the time
- Terminated actors would no longer have access to systems
- There would be no external risks, such as attempts to compromise system security or steal resident data by external parties (hackers)
Unfortunately, this isn’t the case! Without careful planning:
- Employee time is wasted as manual workflows provide access to corporate systems
- Sensitive data could end up in the wrong hands:
- Resident care information supplied to the individuals who shouldn’t have it
- The ability to affect supply to patients, or goods/services from suppliers without the correct authorisations
- Poor password or “privileged account” protection increase the likelihood outside actors can penetrate your systems
- Ex-employees may still have access to systems, and could use that access to commit fraud against the organisation.
- Multiple accounts can lead to decreased security and productivity (and increased help desk calls) as staff deal with password fatigue.
Of course, these are just cursory examples – there are any more risks.
As your business may be attracted to Cloud-based computing, the risk profile changes. Most reputable Cloud computing suppliers have exemplary security practice, but the attack vectors for poor password management and accessibility of systems mean you might not notice that an ex-employee is even accessing the system.
Talking about this at a board level is no picnic either. There are so many nuances and technical things to consider, that it can end up sounding like mumbo-jumbo. Indeed, the previous points, even though I’ve tried to keep the language tech-neutral, might have you rolling your eyes and thinking “I don’t want to think about it!”
However, it needs to be taken seriously, or otherwise you might find yourself as a headline. The Target data breach occurred due to a lack of good Privileged Account Management practices. Whilst that is a different industry, health records are an increasingly attractive target for thieves.
Like most systems, the best approach to this is to assess and treat the risks accordingly. Appoint an executive responsibility (or create a Chief Information Security Officer). At a high level, the responsibility needs to report on:
- Untreated risk profiles – what exposure do you have to potential security breaches?
- Process improvements – do you know who is working for you at any point in time? Can you leverage your compliance and increase productivity through the implementation of an Identity Lifecycle Management system? Knowing who works for you at any point of time is a clear requirement passing a security audit. Your Human Resources Information System is the most natural place for this, but are your HR department ready to provide a guaranteed service level of quality data to the rest of the organisation?
- Engage independent expertise to assess your readiness and help you map through.
- Understand the regulatory restrictions you have – for instance, aged care health records for Australian suppliers needs to be kept in Australia. But do you have the expertise to keep this secure in your own IT infrastructure?
- Utilise best-of-breed solutions. For example, for Australian providers, use something like Microsoft Office 365, which is hosted within Australia, to keep your office productivity and communications secure.
Good Identity Management resources are scarce, so I highly recommend partnering with a supplier with a proven track record in your industry. General System Integrators will offer Identity Management, but rarely have the understanding of how this discipline transcends technology into the business and human behaviour space, so at the very least the supplier should have a specialist Identity Management practice.
In my next article, I will cover a far more visible (unless you’re unfortunate enough to suffer a breach!) and exciting field of Identity Management, which covers customer identity and digital transformation. Thanks for reading!
Shane Day is the Chief Technology Officer of UNIFY Solutions, a world renowned Identity and Access Management specialist company.