If you live anywhere near central Pennsylvania, chances are you have received care at one of WellSpan Health’s 200 patient care locations or hospitals. To provide care to that volume of patients, WellSpan relies on 20,000 employees, about 20% of whom are external vendors and employees ranging from visiting physicians to nursing and medical students to custodians and support staff.
While these third-party workers are critical to the smooth running and service of WellSpan, they also present several challenges for the organization. There are many organizational and managerial issues to tackle, as well as third-party security ones. If, for example, a visiting nursing student accesses patient information that should not be available to her, it could cause Health Insurance Portability and Accountability Act (HIPAA) compliance issues – or worse, increase the chance that sensitive data falls into the wrong hands.
In addition to managing a host of security solutions for the healthcare system in general, the IT team already had an identity and access management (IAM) system from Core Security in place to try to manage these identity-related issues. The IAM system provisions accounts and performs much of the automated access provisioning when roles are created.
While the IAM solution was a good start, it didn’t address every issue the company had with managing and providing sufficient security for external workers. WellSpan needed a more efficient and secure way for third-party workers to request access, and to ensure that all information the company needed on every external employee was complete.
“For new external workers, we were getting requests for access through spreadsheets, Word documents, emails and even phone calls,” said Mike Shrader, WellSpan’s director of information security. “Because they could come through so many different doors, we saw a lot of duplicates, incorrect data and missing information.”
Another problem with the existing methods of onboarding temporary employees was making sure that each one had the right access to the right systems and data without under- or overprovisioning. Overprovisioning in particular can be a serious security issue. With unfettered access, data can more easily become compromised.
Complicating matters further, WellSpan has different onboarding processes for different types of workers, and these different processes tend to lead to the under- or overprovisioning of access. That made Shrader conclude that a more consistent onboarding process that included being able to identify roles based on the information provided was the way to go.
Ownership was another problem. When a security incident is triggered by a third party, it’s important to understand who is responsible for the account involved. With the existing system, an external provider who visited a potentially corrupt website or clicked on a phishing link was difficult to identify.
And then there were the security issues related to offboarding third-party workers when they were no longer needed by WellSpan. “If we don’t have a way to track them appropriately, we can’t be sure that they don’t still have access, and that is a security risk,” Shrader said.
Third-Party Identity Risk Solution + IAM = Better Third-Party Security
With the goal of finding a more secure and efficient way to request and manage access, Shrader’s team settled on SecZetta, a third-party identity risk management solution. It didn’t hurt that SecZetta already was fully integrated with the IAM system WellSpan was already using, Shrader said.
Today, external users enter the system through an internet-based portal to request or remove access. Once the information is entered, it passes through WellSpan’s tightly integrated IAM platform and then to the company’s access provisioning system, which creates the access.
The access is based on different types of roles that can be assigned to users. If your role is “nursing student,” for example, you might have basic access to electronic health records (EHRs) along with some basic office privileges. The idea is based on giving users least privilege, which restricts access rights for users, accounts and computing processes to only those needed by the user. Once users receive their access, they can set up their accounts, reset passwords and perform other tasks without having to contact the service desk.
In addition, the tighter path of escalation afforded by the new workflow helps IT staff better understand who is managing the account of a user who might be engaging in risky online behavior.
The new workflow also better secures the offboarding policy by allowing staff to enter expiration dates for accounts. Every user on the platform automatically starts with a one-year expiration date, and as it gets closer to that time, the account’s owner will be notified that they need to either renew a contract or get their HR policies and background checks revalidated. If someone quits or is fired, the manager of the account can immediately revoke access.
The system really proved itself during the COVID-19 crisis, when WellSpan had to onboard many new staff, including volunteers, Shrader said. With the system, the IT team was able to ensure that every volunteer was tracked and that their access would terminate at a specific time.