IAM in healthcare for improved consumer experiences
The ongoing COVID-19 pandemic has placed healthcare systems, and their operational and technological efficiency, under greater scrutiny. Healthcare records are among the most valuable and highest-priced data sold on the dark web.
By Johann Nallathamby, Associate Director - Solutions Architect at WSO2 and Sherene Mahanama, Senior Technical Writer at WSO2.
Since healthcare organisations are a prime target for cyber criminals, it is vital that they use a strong and secure Identity and Access Management (IAM) system to protect this information, while also ensuring that the extra security does not hinder the time-sensitive nature of healthcare work.
Regions across the UK with good centralised healthcare management systems share patient information and medical records across hospitals, to ensure quick access to patients’ medical history.
Sharing information this way requires a solid IAM platform, such as NHS Identity, as the central backbone to connect, authenticate, and provide quick but secure access for healthcare professionals and patients across multiple systems. Local or regional systems need a way of mediating with NHS Identity, and this can be done using an IAM product such as WSO2 Identity Server.
Let’s take a look at how this can be done easily, saving valuable time for hospital staff.
Health data requires a high level of security. However, it is tedious for healthcare professionals to go through two or three levels of proving their identity on every login when they barely have the time to do it once.
Adaptive authentication can be configured to prompt for extra authentication steps only when a login is abnormal or high-risk in some way (e.g., authorising a high-risk medicine, or logging in from a different location or device).
Login analytics can be used to gain insights into potential security risks and to configure risk-based adaptive authentication. For example, a doctor logging in from within the hospital network might require only one factor of authentication, whereas a doctor logging in from home might require two-factor authentication. Network location is only a trustworthy signal when the source address is taken from the connection itself (or from a proxy the IAM system trusts), never from a client-supplied header, which an attacker can set freely.
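As an added example (not code from the original page or from WSO2), the following JavaScript shows the risk decision behind that policy: a CIDR check for the hospital network, a small scoring function over constructed signals (network, device, recent failures), and the shape of a WSO2 Identity Server adaptive-authentication script that runs the second step only when the score demands it. The address ranges, device list, weights and the device/failure-count placeholders are assumptions; only the onLoginRequest, executeStep and context.request.ip names come from the WSO2 adaptive script API.

```javascript
// Added example (not code from the WSO2 page): a risk-based decision on whether
// to demand a second factor. Network ranges, device list and scoring weights are
// constructed for illustration; the onLoginRequest/executeStep shape at the end
// follows WSO2 Identity Server's adaptive-authentication script API.

// Constructed hospital address ranges (assumption; not real NHS ranges).
const HOSPITAL_NETWORKS = ["10.40.0.0/16", "192.168.12.0/24"];

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if the string is not valid.
function ipv4ToInt(ip) {
  if (typeof ip !== "string") return null;
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when ip lies inside the CIDR block "a.b.c.d/len".
function inCidr(ip, cidr) {
  const [base, lenStr] = cidr.split("/");
  const len = Number(lenStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(len >= 0 && len <= 32)) return false;
  if (len === 0) return true;
  // Compare the top `len` bits; >>> keeps the comparison unsigned.
  return (ipInt >>> (32 - len)) === (baseInt >>> (32 - len));
}

// Score the login context. req.ip must come from the network path (or a trusted
// proxy), never from a client-supplied header, or the "on-network" signal is spoofable.
function riskScore(req, knownDevices) {
  let score = 0;
  const reasons = [];
  if (!HOSPITAL_NETWORKS.some((c) => inCidr(req.ip, c))) { score += 2; reasons.push("off-network"); }
  if (!knownDevices.includes(req.deviceId)) { score += 1; reasons.push("unknown-device"); }
  if (req.failedAttempts >= 3) { score += 2; reasons.push("recent-failures"); }
  return { score, reasons };
}

// Step 1 = password at the local IdP; step 2 = TOTP. Step 2 runs only when risk >= 2.
function requiredSteps(req, knownDevices) {
  const { score, reasons } = riskScore(req, knownDevices);
  return { steps: score >= 2 ? [1, 2] : [1], reasons };
}

// WSO2 Identity Server adaptive script shape. onLoginRequest, executeStep and
// context.request.ip are supplied by the engine; the device and failure-count
// values below are placeholders (assumption) for whatever the deployment records.
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      var req = { ip: context.request.ip, deviceId: "unknown", failedAttempts: 0 };
      if (requiredSteps(req, []).steps.length > 1) {
        executeStep(2);
      }
    }
  });
};
```

In practice the known-device list and failure counter would be fed from the login analytics the paragraph describes; the point of the split is that the scoring is testable in isolation, while the script only decides whether to call executeStep(2).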
Identity Federation and Just-in-Time Provisioning
The NHS Identity federation service supports OpenID Connect, SAML or WS-Federation. Using one of these standards, WSO2 Identity Server can federate the authentication of patients and doctors to NHS Identity and create the corresponding local accounts automatically, saving countless hours that administrators would otherwise spend creating user accounts for hospital employees.
When we factor in an increasingly fluid workforce of visiting surgeons, residents, part-time doctors, etc., who need limited access to the hospital's data in real time, access control becomes an even bigger headache. Fortunately, this can be handled with Just-in-Time (JIT) provisioning: visiting specialists are authenticated in real time using their existing NHS credentials, and a local account with limited access is created for them on first login. A JIT-provisioned account should receive only a minimal default role, so that a federated login never silently becomes a privileged local account; anything beyond that is granted through an approval workflow.
Furthermore, approval workflows can be set up for provisioning, or for granting access to certain applications, for trainee or part-time doctors. NHS Identity supports six deployment patterns, as detailed in NHS Identity: Authentication and Authorisation Deployment Patterns. WSO2 Identity Server can act as the local/regional AuthN or AuthZ server in any of the six patterns, allowing the local system to authenticate and authorise with NHS Identity.
One of the primary reasons for healthcare vendors and hospitals to need a good, stable IAM solution is to authorise users securely according to the different levels of access they require. A pure Role-Based Access Control (RBAC) model will usually not scale in a health institution: with many role types and specialisations within each role, encoding every combination as its own role quickly leads to role explosion.
Instead, we could use permission-based access control to assign permissions to roles at a more granular level, defining exactly which actions are allowed on a particular resource for a given role.
However, most practical real-world scenarios in the health industry have more complex requirements and may require authorising access to certain resources based on attributes such as time of access, assigned patient ID, or location, in addition to roles and permissions.
Therefore, the most appropriate form of access control is usually a fine-grained, attribute-based authorisation policy language such as XACML, used to define these complex and detailed authorisation rules. WSO2 Identity Server can act as the XACML engine (the policy decision point) that evaluates these rules, while the applications and API gateway act as enforcement points and must treat anything other than an explicit Permit as a refusal.
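As an added example (not an XACML policy from the page or from WSO2), here is the kind of rule set the paragraph describes, expressed as a small deny-overrides evaluator in JavaScript so the Permit / Deny / NotApplicable semantics can be run and checked offline. The roles, wards, hours and rule names are constructed; a production deployment would express these rules in XACML and point the enforcement points at the policy decision point.

```javascript
// Added example (not code from the WSO2 page): an attribute-based decision in
// the XACML style (Permit / Deny / NotApplicable, combined with deny-overrides),
// written in plain JavaScript rather than as an XACML policy document. Roles,
// wards, hours and rule names are constructed for illustration.

const Decision = { PERMIT: "Permit", DENY: "Deny", NOT_APPLICABLE: "NotApplicable" };

// Hours (24h clock) during which ward nurses may read records. Assumed value.
const WARD_HOURS = { start: 7, end: 20 };

// A rule applies when its target matches; it then yields `effect` if the
// condition holds and NotApplicable otherwise, mirroring XACML rule semantics.
const RULES = [
  {
    id: "deny-prescribing-outside-hospital",
    effect: Decision.DENY,
    target: (c) => c.action === "prescribe",
    condition: (c) => c.env.location !== "hospital",
  },
  {
    id: "permit-doctor-for-assigned-patient",
    effect: Decision.PERMIT,
    target: (c) => c.subject.role === "doctor" && c.resource.type === "record",
    condition: (c) => c.subject.assignedPatients.includes(c.resource.patientId),
  },
  {
    id: "permit-nurse-own-ward-in-hours",
    effect: Decision.PERMIT,
    target: (c) => c.subject.role === "nurse" && c.resource.type === "record" && c.action === "read",
    condition: (c) =>
      c.subject.ward === c.resource.ward &&
      c.env.hour >= WARD_HOURS.start && c.env.hour < WARD_HOURS.end,
  },
];

// Deny-overrides combining: any Deny wins, else any Permit, else NotApplicable.
function evaluate(ctx) {
  const results = RULES
    .filter((r) => r.target(ctx) && r.condition(ctx))
    .map((r) => ({ id: r.id, effect: r.effect }));
  let decision = Decision.NOT_APPLICABLE;
  if (results.some((r) => r.effect === Decision.DENY)) decision = Decision.DENY;
  else if (results.some((r) => r.effect === Decision.PERMIT)) decision = Decision.PERMIT;
  return { decision, rules: results.map((r) => r.id) };
}

// The enforcement point must treat anything other than Permit as a refusal
// (NotApplicable is not "allow").
function isAllowed(ctx) {
  return evaluate(ctx).decision === Decision.PERMIT;
}

// Constructed subjects and resources for trying the policy out.
const drSmith = { role: "doctor", staffId: "S1", assignedPatients: ["P100"], ward: "A" };
const nurseLee = { role: "nurse", staffId: "S2", assignedPatients: [], ward: "A" };
const recordP100 = { type: "record", patientId: "P100", ward: "A" };
const recordP200 = { type: "record", patientId: "P200", ward: "B" };

function request(subject, resource, action, env) {
  return { subject, resource, action, env };
}
```

The prescribing request from home shows why deny-overrides matters: the doctor's assigned-patient rule still returns Permit, but the location rule returns Deny and the combined decision is Deny, whereas a first-applicable or permit-overrides algorithm would have let it through.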
APIs and microservices are used to collect and update patient data efficiently and securely. Healthcare APIs are an essential part of centralised healthcare management: using them, hospitals and medical offices can share data within local systems in the UK to gain quick access to patient information, reduce errors, and improve overall efficiency.
The WSO2 Healthcare Integration Platform is a solution built on top of our open-source integration platform which allows you to quickly transform your data and expose secure APIs to meet interoperability requirements mandated by governments.
In NHS Identity deployment patterns 5 and 6, the user's identity is sent from the NHS system to the local service provider to authenticate the user, but the authorisation rules are handled by the local system. WSO2 Identity Server supports OAuth 2.0 and can perform the token exchange from NHS services to the local system and from the local system to NHS. In each direction, the receiving side must validate the incoming token (signature, issuer, audience and expiry) before exchanging it for one of its own, and the scopes in the new token must come from the local authorisation rules rather than being copied from the incoming token.
Using WSO2 Identity Server as the authorisation server for the local system enables complex authorisation rules and policies, security checks on API calls, and throttling to regulate the number of authentication and token requests.
Furthermore, all six of the NHS Identity deployment patterns involve a token exchange with a local or regional authorisation server. WSO2 Identity Server can also play the role of that local or regional server, accepting incoming token requests within an API Manager ecosystem.
Progressive Profiling For Better Patient Profiling
Treating the healthcare platform as a CIAM (Customer Identity and Access Management) project can be a good approach to gaining insights and a 360-degree view of a patient's activities.
APIs can help towards providing better patient care by capturing every part of the patient’s journey in that hospital. A patient may enter the hospital for a simple appointment that later escalates into multiple tests and scans, medications, surgery, post-care appointments, etc.
With standardisation of APIs across all these services, the medical industry, or at least hospitals in the UK, can avoid this data being isolated in disconnected silos and instead use all of it to build a full and detailed record of the patient's healthcare story.
A unified view of this much patient information can be used to profile or categorise patients. This helps improve patient service in a variety of ways, such as alerting a patient when a doctor they were trying to book is available, or targeting marketing and promotions to patients according to their interests. Health data is special-category data under UK GDPR, so any such secondary use needs its own lawful basis and, for marketing, normally the patient's explicit consent.
User Managed Access
Patients increasingly wish to share sensitive health data from IoT devices and wearables such as smartwatches, but struggle to do so in a secure and controlled manner. Enabling patients to do this would contribute towards improving health outcomes and providing quality patient care and patient satisfaction.
IAM solutions can provide user-managed access mechanisms, standardised as the User-Managed Access (UMA) 2.0 protocol, to enable this level of controlled data sharing between patients and healthcare providers: the patient acts as the resource owner and sets the sharing policy at the authorisation server, and a clinician's application obtains a token scoped to exactly what the patient allowed.
These are just a few of the ways an IAM solution can help healthcare organisations protect the sensitive information they deal with on a daily basis, without introducing a burden of bureaucracy that could get in the way of delivering a quick and seamless healthcare service to patients.