Healthcare’s Secret Identity Problem: Identity & Access Models in a Digital Ecosystem

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

“Digital identity is the new control fabric,” says our CyberPHIx guest Wes Wright, CTO at Imprivata. Wes is one of the healthcare industry's most experienced technology leaders and has held prior roles as CTO for Sutter Health in California, CIO for Seattle Children's, Executive Director of Information Services for Scripps, and much more.

The healthcare industry is moving headlong into digital healthcare models that rely on one common factor: Identity Management.

In this episode, Wes shares his thoughts on industry challenges with patient identification and access control models as they relate to our rapid move into a digital healthcare model.

We also discuss trends for processes, standards, and technology to address emerging patient and workforce identity challenges as well as the implications for patient privacy, identity fraud, enterprise security, and much more.

Highlights of the discussion include:

  • Patient identification challenges and risk impacts
  • 21st Century Cures Act implications for patient identification
  • Updates to trends in national patient identification
  • HIPAA and regulatory compliance drivers for digital identity management
  • Technology and automation advances in identity and access management
  • The evolution of identity technology and current capabilities
  • Identity and access control models for cloud-hosted and third-party solutions
  • Practical operational guidance for identity management programs to address emerging digital health models


Brian Selfridge: [00:00:19] Hello and welcome to the CyberPHIx, your audio resource for information security, privacy, risk and compliance for the health care industry. I'm your host, Brian Selfridge. Each episode, we bring you pertinent information from thought leaders in health care information security and privacy. And in this session, we'll be speaking to Wes Wright. Wes is the CTO at Imprivata, a leading digital identity company for health care. I'll be talking with Wes today about all things identity and access management for health care entities. We'll discuss patient identification challenges and solutions, as well as digital identity lessons learned. There's also a surprising amount of discussion about plumbing, so hang in for that part. So now let's get on to another great episode in conversation with an amazing guest, Wes Wright.

Brian Selfridge: [00:01:10] Hello and welcome to CyberPHIx, your leading podcast for cybersecurity, privacy, risk and compliance, specifically for the health care industry. I would like to welcome my guest Wes Wright. Wes is the CTO at Imprivata, a leading digital identity company for health care. Wes is one of the health care industry's most experienced technology leaders and has held prior roles as CTO of Sutter Health in California, CIO of Seattle Children's, Executive Director of Information Services for Scripps, and much more. We're excited to have Wes as a guest on the CyberPHIx in our session today: Healthcare's Secret Identity Problem, Identity and Access Models in a Digital Ecosystem. We're going to be discussing industry challenges with patient identification and access control models as they relate to a rapid move into a digital health care model. We'll talk about trends for processes, standards and technology to address emerging patient and workforce identity challenges, as well as the implications for patient privacy, identity fraud, enterprise security, and much more. Wes, thank you so much for taking the time to be here with us today. We're really excited to have you on the CyberPHIx.

Wes Wright: [00:02:12] Hey, Brian, I appreciate you asking me to come on board.

Brian Selfridge: [00:02:16] Excellent. So I want to start with this idea of patient identification. We'll talk about the behind-the-scenes identity and access management challenges and all that in a moment. But from what I understand, there's a lot of fuss about needing to find better ways to identify patients across these different electronic platforms. Otherwise, what can happen when we don't get patient identification right? Why is this such a big deal?

Wes Wright: [00:02:42] Well, as you might suppose, you know, really bad things can happen. You know, there's a lot of John Smiths in the world. Actually, a use case that we did at one of our clients: there were three hundred and forty one Maria Garcias. So when Maria walked into the ED or something, you know, the chances of somebody pulling up the wrong Maria, and by the way, 12 of them had the same birthdates. So the chances of pulling up the wrong record are actually pretty decent, decent in a bad way, mind you, but fairly high. And what happens then is, you know, maybe Maria Garcia one is allergic to penicillin. Maria Garcia two isn't. And Maria Garcia one walks in and is nonresponsive and maybe has some kind of something. We'll let the doctors decide some kind of something that normally a doctor would administer penicillin for. Well, they're looking at Maria Garcia number two's record that says penicillin is OK, and they administer penicillin to Maria Garcia one, and it causes probably a life-threatening, or at least a bunch of complications from that. So getting the right record associated with the right patient is, you know, it seems like such an obvious statement to say. But, you know, that is the very first step in administering high quality health care.

Brian Selfridge: [00:04:26] Well, what's so difficult now about identifying Maria Garcia #1 from #2? I mean, we provide our Social Security numbers and driver's license. Do we have enough information to make the correlation now? Is it a process thing, or is it that we don't have the right data?

Wes Wright: [00:04:40] It's a combination of all those, Brian. You know, oftentimes a registration clerk can't find somebody's record. And so they'll just make a new record. And maybe you wouldn't be, but a lot of people would be surprised when John Smith comes in and their Social Security number has zero zero zero zero zero zero zero zero in it, because the registration clerk said, I just need to get you registered and get you on to your appointment or something like that. And so there's that old adage, garbage in, garbage out. So next time a John Smith shows up, well, the real John Smith record is there, but then that one with the zero zero zero also comes up. So, you know, then you have a minimum wage, or sometimes a little more, clerk that decides which John Smith record I'm going to assign to the patient today. So there's a garbage in, garbage out factor there. And frankly, health care is really expensive. And there are a lot, not a lot, maybe five percent, there are some cases where people, you know, here's my health care card from Blue Cross. Oh, you're sick today, my son, my uncle or something like that. Here, just take my card and go to the hospital. And they pull up whosever card's record, that's the record they pull up, and you've got, one, fraud going on, but two, then again, we go back to the penicillin story. The cardholder may or may not be allergic to it, but the person who's presenting that card may be allergic to it. So there's a lot of factors. All the factors that you asked about, is it the data, is it what? Yeah, it's all those. It's a manual process that actually really begs for automation, especially in these days of biometrics, you know.

Brian Selfridge: [00:06:52] You know, we're going to talk about automation for sure. So I do want to get into that with you. Although, just a quick anecdote. When I was a security officer for a health system, we had all nines instead of zeros for the patient records, it was nine nine nine nine. And so, you know, that was a pretty similar problem. So how does this problem, it sounds like a tough enough problem with just a single electronic medical record in a health system, for example, and now we've got the 21st Century Cures Act. We've got health information exchanges, APIs popping up everywhere that are mandated to, quote unquote, unleash health care data across these ecosystems. How does that changing of the tide impact this situation, and, I suspect, exacerbate the identity issue?

Wes Wright: [00:07:38] Yeah, you suspect it correctly. I mean, it's an exponential multiplication of the garbage in, garbage out factor. So, again, that's the very first start of providing high quality health care, is getting the record right. Well, if that very first step is wrong, it's like building a house on sand. If that very first step is wrong, well, any information that you send to the cross-town health system, that information is going to be wrong. And then that cross-town health system sends it over to a radiology group, and it just keeps compounding, compounding, compounding. The wrongness of the original sin keeps compounding. So it's a vexing problem. I mean, they're all well, well, well intentioned. But I think we're just pushing the same problem around when we're pushing the data, you know, with duplicate medical records. If you've got, you know, less than 10 percent duplicate medical records in your organization, you think you're doing pretty decent. I mean, think about that. Only 10 percent of my records are duplicates. And that's where we're starting. That's right up front, right at that beginning piece. So when we start out with the thought that, let's say, five percent of duplicate medical records is good, well, take that five percent and then it gets added to the other health care facilities' five percent and multiplied and multiplied and multiplied. And then all of a sudden we've got a real mess on our hands, which I think we do right now, frankly.

Brian Selfridge: [00:09:36] Well, our job is to fix everything, right? Or maybe it's your job. I don't know. I'm just here to talk about it. So we promised to talk about technology. That's your world, and has been for forever and a day. So what technologies are being created, or maybe envisioned at this point, to help with patient identification, in particular in the coordination of records across these different platforms?

Wes Wright: [00:10:00] You know, I'd like to say that there's a lot of work going on around a universal patient ID, and we talk about it a lot. But I think in the late 90s, somebody passed a law that said, no, we can't have a universal patient ID. And that's been on the books. We've tried to overturn that a couple of times. So until that happens, I don't think you're going to see, from a patient ID perspective, any kind of universal patient ID like the UK and Australia and Canada, too, have. A little silver lining, though, is not in health care. The Patient ID Now coalition, I think that's what it was, a congressional group sponsored it. The feds have actually asked the states to develop a system by which driver's licenses are ID'd and correlated between states. Kind of the way I think about it, you know, you've got your California database that goes up to the mothership federal database, and in that mothership federal database the IDs are aligned. And so there's this work going on from a Department of Motor Vehicles perspective that actually might at some point lead to some kind of national ID. Now, that's really great for people that are 16 years and older, but the ones that are under that, there's still a black hole to us. But at least that's a start. So there's a little silver lining to it. But, you know, there's never a silver bullet in health care or in technology, as you know, Brian. But I think development of some type of universal patient identifier would be at least a bronze bullet, maybe.

Brian Selfridge: [00:12:16] I remember in the early days of HIEs, we were standing one up. This is probably 13, 14 years ago now. There was some effort made, and I won't call it artificial intelligence, but some sort of correlation engine between the Maria Garcias, to be able to make some, I would say, decision support type of technology for those patient registration people to understand who's who, or behind the scenes, glue the right records to the right duplicate record. Is there any AI, anything like that being built? That was really rudimentary back then. But is that a part of the conversation anymore, or does that just not work?

Wes Wright: [00:12:51] You know, from an HIE level, I'm not really sure. But the EMPIs that are coming out now, we partner with a group that does use some AI kind of stuff to help you sort out those duplicate medical records. But you know that, again, though, that's contained within a health care system, an integrated delivery network or a hospital or something like that. So it's the old homeowners association thing, you know, in your neighborhood, you can mow your yard and make it look as pretty as pie, but if you go two neighbors down, you can't get that guy to mow his yard and it's full of weeds and stuff. Well, that's the same thing. You know, you can get your health care system, you can use one of these EMPIs and get your data pristine. But if the health system that you're exchanging with, that the patients move back and forth to, if their data is not pristine, then you're not accomplishing what you need for your particular catchment area. So I don't see it in the HIE, but I do see more and more folks, you know, I think Epic does something, that to be on Honor Roll anymore, I think maybe you have to be less than four percent duplicate med records or something like that. And that's forcing a lot of this cleanup, or at least encouraging a lot of this cleanup, using that AI type of tools that you talked about earlier, Brian.

Brian Selfridge: [00:14:34] So I want to switch gears a little bit and talk about a different kind of identity challenge for health care entities. We focused on the patient side predominantly there, and this one relates to our ability to manage identities and access controls for our own workforce. So this is our own yard, the lawn in our own yard kind of thing. And, you know, just for some background, back when I started my career, way back when, gosh, 20 years ago at this point, at Pricewaterhouse, I specialized in the implementation of identity and access management tools and technology and provisioning software, which is all pretty cool stuff, which you guys have been doing for ages as well. It seems to me like a lot of the same issues that we were dealing with back then around provisioning of records, access rights reviews, all this stuff, seem to still be a challenge for many health care entities. So I'm going to ask the question: why? Why is identity and access management such a tough problem for health care entities in particular, from your perspective?

Wes Wright: [00:15:35] Two reasons. One, it is really hard. You've got to collaborate with so many of these cross-departmental folks within your health care organization. So it's hard. And folks, you know, people are people, like I said before, and people have a tendency to do the easy thing first. And second, pardon this phrase, but I think it's, well, identity governance just is not sexy. You're not going to have the clinicians carrying you around on their shoulders saying, be engaged, because you put in an automated identity governance system. So, you know, my identity governance counterparts aren't going to like me to use this analogy, but they're not here.

Wes Wright: [00:16:26] So I liken identity governance to plumbing. You know, you have to have good plumbing and you expect it to be there. But again, you're not going to applaud the plumber. And so the project, and really I don't like to think of identity governance as a project, and you probably don't either from your priorities, Brian, but I think of it as a program. Your identity governance is just an ongoing program. It's not a project that starts and stops. And that's also what makes it hard. So I started out with two, but there's really three. It's hard, it's not sexy, and it's a continuing program that you have to commit resources to. So all three of those stars have to align before you can really have a successful program. It's just hard.

Brian Selfridge: [00:17:20] Well, that's a big part of the reason why I went running and screaming from that particular domain 20 years ago. So it was hard then, it is hard now. But what has changed in the last, let's say, 20 years? Have the plumbers gotten better tools? Are they better trained? What is happening, particularly from a technology standpoint, that might give us hope here, that we can do this better, faster, cheaper, whatever?

Wes Wright: [00:17:44] Yeah, the tools have gotten a lot better, Brian, as you would imagine. The plumbers have gotten a lot better, let's say. One of the big hurdles that you always had to cross when you started one of these identity governance programs was roles, and roles are the bane of an identity governance project or program. And the tools that we have now, you know, I know we're not supposed to talk product, but the tools that we have now, that we can use data from other sources, particularly Temporada, that we can use data from other sources to actually help you build the roles based on data. Whereas prior to the advent of these types of tools, you really kind of had to sit down with your H.R. specialist, and they'd all want to do their job code rationalization. So you'd be spun up for a year with H.R. trying to rationalize the job codes, and then you'd have to kind of OK within the job codes these kinds of demographic information, so that when you fed it to my identity governance system, I could pull that stuff and assign a role and get the process going. Well, the tools now that are out there that we have, you can kind of short-circuit that process and say, look, this person has been signing into this application, this particular, an ICU nurse.

Wes Wright: [00:19:24] Let's say there's six or seven ICU nurses' digital identities you can give me, and I can look up in this database called OneSign the applications that they've been logging into for the last six months. So then I can go, OK, that's what an ICU nurse's role has to be, because here's seven of them that have all used this application over the last six months on a day-to-day basis, to this level in the application, say an EHR or something. So then I can actually build the role without having that HR involvement and the job code rationalization and that kind of thing. All I need to know from them is, here's a new ICU nurse. ICU nurse, I know what that role is, because I've got this data to build it from. So from that perspective, the tools have gotten a lot, a lot better. So the role mining aspect, I think, has really progressed well. But there's a lot of old-timers like us out there trying to stand these projects up. And we just look at it, and we're still a little snakebit on that first attempt that all of us have tried somewhere to stand up an IGA system and gotten our clocks cleaned.

Brian Selfridge: [00:20:41] I've seen that more times than I can count, in terms of spinning up the identity and access management project, the big tool, the rollout, the roles review and all that stuff, and you get one misstep and, you know, it's another five years before you can go at it again. Do you see that happening as well, where there's not enough appetite to get back up from the mat and try it again if it doesn't go right the first time?

Wes Wright: [00:21:05] You know, that's a great point. Yeah. And I do see some of that. I've suffered through some of that myself. Frankly, health care is a big "if it ain't broke, don't fix it" kind of mindset. And oftentimes, you know, health systems have had to have some kind of provisioning, some kind of way of getting accounts to the right people, be it same-day access or twenty-one days later you'll have all the access you need, kind of thing. But they figured out some way to do it. And so they are just pushing that can down the road, because, no, it's not hard broke. You know, it could be a lot better. Almost everybody I've talked to about digital identity and identity provisioning and all that stuff, they all realize it could be done better. It could be done with a lot fewer FTE. But there is just so much other stuff on their plate that they've got to deal with right now that they just, if it ain't broke, ain't going to fix it, and it's not hard broke. Having said that, though, what we're really starting to see is, from your angle, the cyber side of the house, the CISOs and the security professionals out there, they have realized that identity is the key to everything.

Wes Wright: [00:23:05] As far as the SolarWinds attacks were concerned, identity is everything, it turns out, and the security professionals are starting to realize that, and they're going, OK. This provisioning, assigning applications, that used to be an operational IT thing, because people have to work; a new doc shows up, they've got to work. So, yeah, that's an operationalized thing. But more and more we're starting to see, yeah, sure, it's an operational IT thing. But, you know, even more than that, once that digital ID is established, even more than it being an operational thing, it's a security thing. Because Microsoft used to say identity is the new perimeter. Well, we started at Imprivata, we started saying, no, it's not the new perimeter, it's the new control plane. It's the control nexus. It's your control fabric. And then Microsoft, after we started saying it, Microsoft did a blog that said the same thing. I'm not saying we influenced them, in my view, but I'm sure we did. But it really is. It's the new control. That's how you can control everything that happens in your network, in your domain, so the CISOs are the ones tasked more than anybody with reducing that risk. And they realize, and the SEC has told them, that identity is critical. It's critical to reducing that risk. So we're starting to see more and more that identity control coming out of that operational IT and moving over into the security side of the house, just because it is the tool for security.

Brian Selfridge: [00:24:54] Just when we figured all that out, and there's handoffs and roles figured out between IT, infrastructure, security, everybody is holding hands and playing nice, then come along third parties and cloud-hosted systems, and you know the rest. So tell me a little bit. I'm grilling you in this interview, usually they're a little easier, but how are we tackling that whole ecosystem, and is there overlap with what we've learned in house of how to get identity right, quote unquote, and now have to sort of extend that model out to all these different mobile apps, cloud-hosted apps, third parties and everything else? What's your take on that?

Wes Wright: [00:25:32] Yeah, it again starts with, I mean, we talked about the patient record, that where it starts is where it starts. And if you get that wrong, you get it wrong. It's the same thing with these third-party vendors, the cloud-based apps, that kind of thing. If you don't get your digital identity strategy right, right at the beginning, then you're kind of lost. And really we are starting to see the CISO side and the operational side realize that it wasn't hard broke. As we mentioned before, it wasn't hard broke, but it's broken enough to where I can't manage things from a cyber perspective. So that digital identity, a lot of people say, OK, my digital identity, my Ph.D., my affiliated docs, my nurse students, some of them have their volunteers in there. But by and large, they forget about these third-party contractors. Well, those third-party contractors should be in that same identity governance administration system as everybody else, and they should have a role. And part of that role should be that they use, usually, some kind of a vendor privileged access management solution to come into your network. And when they do come into your network, you should be recording everything that they do. One, and then two, if your software and your tools are sophisticated enough, not only are you recording, you're keystroke mapping, and you can stop commands that you think are deleterious to your network. So it all starts with digital ID. If you don't know who's connected to your resources and if they're allowed to be connected to those resources, which is what digital identity does, then you've already lost the battle.

Brian Selfridge: [00:27:34] So we've talked a lot about the operational impact and the business drivers to try to get identity correct, but isn't there also potentially the compliance aspect to this, be it OCR or external auditors or others sort of focusing on this? How much of that is a driver for some of these identity projects and getting the digital identity transformation thing going, versus just purely an operational play?

Wes Wright: [00:28:00] Yeah, a lot of it is. I mean, guilty, you know, I've had to explain to my board on more than one occasion why this digital identity still had access to this finance system two weeks or a month after they left the organization. So just from that perspective, less on the provisioning side, but the deprovisioning side, that's really where you get your hands slapped more than anything. You know, those financial audits of your H.R. system or your payroll, your Workday, you know, those are mandated to be audited on a yearly basis. And you'll find yourself in a little hot water if your provisioning isn't working very well, and the same way with OCR, they'll get you the same way. So, I mean, of course it goes without saying that, yeah, you want to provision folks in a timely manner, goes without saying. But on top of that, if you're not doing that right, you can get yourself and your organization into a ton of hot water from fines and audit failures.

Brian Selfridge: [00:29:37] So we've talked a lot about the challenges. I think we've got a very clear picture on how tough this is and some of the ideas of ways to tackle it. But I'm going to continue to keep you on the hot seat here. And, you know, the million-dollar question is always, what can I do today? What are some people and operational things I can do? I mean, obviously there's the big build, the big project that becomes a program, and that's all road-mapped, and sure. But is there anything, what are the first steps to that process that you would recommend organizations sort of start with, at least moving and chipping away at this in the right direction?

Wes Wright: [00:30:13] Yeah. You know, and this is going to sound touchy-feely, and we've got a tech crowd that probably doesn't like touchy-feely too much, but back in the earlier part of our conversation, we talked about how a good identity governance program is kind of like plumbing. Well, you don't see plumbing, it's hidden in the walls. And unfortunately, in your organizations, I would bet there's hardly anybody in the C-level suite, the CEO or CFO and so on, that realizes exactly how important digital identity is, and how important it is from a patient safety perspective, from a cybersecurity perspective. So that's where I would start. I mean, if you're a CTO, brief your CIO about why digital identity is important. If you're a CIO, brief your counterpart, your CEO or your CFO, and get an understanding in their minds exactly why this is so critical to the organization. So that if you're doing nothing else, then constantly be marketing to your compatriots in other divisions exactly how important digital identity is to the safety, because cybersecurity is a patient safety issue in my mind, to the safety of your organization. That is where you've got to get that executive staff on board with the importance of identity governance. So that's where you have to start.

Brian Selfridge: [00:32:09] So we'll assign you another title. You've had many "C" titles. We'll give you chief cheerleading officer, to make sure that you're evangelizing all of this and shaking your pompoms.

Wes Wright: [00:32:20] Yeah, yeah. And you've got to be that way. I mean, it's, again, back to the original: it's not sexy. And people don't get it. I do, but other people don't get excited about digital identity. And you've got to make them excited about how much safer the house will be if we know everybody who's coming in and what they're doing inside the house.

Brian Selfridge: [00:32:45] That is excellent advice and guidance. Very good information for us. So I'll leave you with one last question. Is there anything else that you would recommend, that we haven't talked about, that organizations should consider or be aware of as we move to this digital identity infrastructure and everything starts sort of going faster and becomes even more difficult? Any closing thoughts for our folks here?

Wes Wright: [00:33:09] Yeah, you know, I don't think there's anything additive that I'd have to add to the conversation. I'd just reiterate that digital identity really is the new control fabric. I mean, you can see that all the publications say that. And Gartner released a paper on digital transformation, and in that paper it says that before you can do digital transformation, you have to do digital identity governance to make digital transformation happen. And I'm afraid digital transformation is a lot more sexy than identity governance. So I'm afraid what we've seen and what has happened out there is a lot of people have spent a lot of money trying to digitally transform, and they've built that house on sand, and they've got to get in and get that fixed. You've got to have identities right in order to have everything else right. I guess that's the last thought.

Brian Selfridge: [00:34:21] Excellent. Well, thank you so much. It's been a fantastic conversation and insights for our folks here. So my guest has been Wes Wright, the CTO of Imprivata and many other organizations over the years. And Wes, thank you for your insights here, but also all of the work that you're doing in thought leadership in this space elsewhere. So, folks, if you haven't checked out Wes's materials, he's on the road, he's blogging, he's talking. He's got a lot more to say, and you should definitely check it out. So thank you so much for your time today.

Wes Wright: [00:34:50] Hey, Brian, I appreciate it. I appreciate you having me. And back at you for all you're doing with Meditology there with keeping us safe out there.

Brian Selfridge: [00:34:59] Absolutely. Thanks so much. Again, I would like to thank my guest, Wes Wright, for sharing his perspective on the unique challenges ahead for health care entities trying to manage patient and workforce identification these days, tough challenges. I really like the idea of automating user role ID, and Wes's advice for educating leadership and stakeholders about the emergence of identity as really the foundation for digital health going forward. As always, we'd like to have your feedback and hear from you. Our listeners, feel free to drop us a note about what topic you'd like to hear about or thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of CyberPHIx. We look forward to having you join us for another session coming up soon.