Healthcare institutions globally are seeking to increase efficiency in communication between hospital staff, physicians, and patients. These changes will enable:

  • Improved patient care
  • Faster response time as diagnostic and other patient information can be shared at a moment’s notice between physicians and hospital staff
  • Reduced costs resulting from not having to repeat diagnostic tests

Enabling these interactions, while maintaining user access controls and patient privacy, requires a robust Identity and Access Management (IAM) solution. In the context of healthcare, the IAM solution must address specific requirements including:

  • Role- and attribute-level access, i.e. a radiologist may have one level of access while a nurse has a different level of access.
  • Provisioning of identities across systems that are on-premises or in the cloud
  • Single sign-on (SSO) to applications on-premises and in the cloud while enforcing access control rules
  • Multi-tenancy - when supporting multiple organizations it’s critical that users in one institution cannot see data belonging to another institution.
  • Model Organizational affiliations and identities where hospital staff may have a primary place of employment but N levels of affiliations with other institutions
  • Regulatory requirements such as HIPAA

OpenIAM provides a comprehensive IAM solution that has been successfully deployed in complex healthcare environments. OpenIAM provides healthcare institutions and service providers with the following benefits:

  • Solution that can scale to support millions of users
  • Unified view of user identities and their attributes
  • Robust access control model where custom roles and their access privileges can be defined
  • Comprehensive identity provisioning solution that can manage the user life cycle for applications that are on-premises or in the cloud
  • Templates to model workflows
  • SSO solution that supports multiple protocols and provides a reverse proxy allowing users to SSO to both on-premises and cloud systems
  • Compliance with regulatory requirements such as HIPAA
  • Multi-tenancy to allow a single deployment to support many institutions and maintain a segregation of data between institutions.
  • Advanced authentication options such as embedded OTP.
  • Rich self-service interface to minimize help desk calls.

Use Case: Diagnostic Image Repository (DI-r) Service in Canada

Health care costs in the US and Canada continue to rise. A shared Diagnostic Imaging Repository (DI-r) provides a way to reduce the costs resulting from physicians ordering duplicate tests. A shared regional DI-r provides clinicians with access to patients’ diagnostic imaging results, including CT scans, ultrasounds, MRIs and x-rays acquired at partner healthcare facilities. A prominent Tier-1 systems integrator in Canada was contracted by a group of 20+ hospitals in Canada to deliver an end-to-end solution for a DI-r. The solution consisted of a number of components from various vendors to achieve the above objectives. The solution also needed the following functionality, which falls into the realm of IAM:

  • Provision users provided by each health-care facility into the IAM system and the systems that it manages
  • Self-service functionality for users to manage their profiles and reset passwords
  • Delegated administration so that administrators at each hospital can manage users associated with that hospital
  • Selectively export audit events to an ATNA-compliant repository in near real time
  • Single sign-on into business applications
  • Federation from the participating hospitals network into this service
  • Maintain patient privacy

Solution Overview

OpenIAM was selected to provide Identity and Access Management for this solution. Source data for this solution comes from a number of different sources, including Active Directory instances or CSV files provided by each institution. The Identity Manager’s synchronization engine was configured to support multiple source systems, and business rules were defined to process the source data and associate the users with the appropriate business roles, which were then used to drive provisioning into various systems. The solution was configured in a multi-tenant mode where access for hospital staff was limited to their institution, but access for the System Admin at the service provider spanned across institutions.
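The tenant isolation rule described above (hospital staff confined to their own institution, the service provider's System Admin spanning all of them, and hospital administrators managing only their own hospital's users) as an added, constructed example; this is not OpenIAM's code. The role names, the `affiliations` attribute, and the treatment of a secondary affiliation as granting read access to that institution are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed example, not OpenIAM code. Role names and the affiliations
# attribute are assumed for illustration.

@dataclass(frozen=True)
class User:
    user_id: str
    primary_institution: str          # primary place of employment (tenant)
    roles: frozenset                  # e.g. {"RADIOLOGIST"}, {"HOSPITAL_ADMIN"}, {"SYSTEM_ADMIN"}
    affiliations: frozenset = frozenset()  # assumed: other institutions the user is affiliated with

def institutions_for(user: User) -> frozenset:
    """Institutions whose data this user may read: primary plus affiliations (assumption)."""
    return frozenset({user.primary_institution}) | user.affiliations

def can_read_patient_data(user: User, institution: str) -> bool:
    """Tenant isolation: only a System Admin crosses institution boundaries."""
    if "SYSTEM_ADMIN" in user.roles:
        return True
    return institution in institutions_for(user)

def can_manage_user(actor: User, target: User) -> bool:
    """Delegated administration: a hospital admin manages only users of that hospital."""
    if "SYSTEM_ADMIN" in actor.roles:
        return True
    if "HOSPITAL_ADMIN" in actor.roles:
        return target.primary_institution == actor.primary_institution
    return False

def visible_records(user: User, records: list) -> list:
    """Filter a result set so a query never leaks another tenant's rows."""
    return [r for r in records if can_read_patient_data(user, r["institution"])]

# Constructed sample users
RADIOLOGIST_A = User("rad1", "hospital-a", frozenset({"RADIOLOGIST"}))
NURSE_AB = User("nurse1", "hospital-a", frozenset({"NURSE"}), frozenset({"hospital-b"}))
ADMIN_A = User("admin-a", "hospital-a", frozenset({"HOSPITAL_ADMIN"}))
SYSADMIN = User("sp-admin", "service-provider", frozenset({"SYSTEM_ADMIN"}))
SAMPLE_RECORDS = [
    {"study": "CT-001", "institution": "hospital-a"},
    {"study": "MRI-002", "institution": "hospital-b"},
    {"study": "XR-003", "institution": "hospital-c"},
]
```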

The overall solution consisted of a number of applications that did not support federation standards. These applications were protected by the OpenIAM Reverse Proxy, and users could SSO into them. Hospitals also wanted their users to be able to SSO into this solution from their own internal portal. To support this model, OpenIAM was configured as a Service Provider (SP), allowing users to access the DI-r without further authentication.

Given the strict compliance requirements in healthcare, the solution architecture created by the systems integrator required that select audit events be published into the ATNA audit repository. To achieve this, the OpenIAM audit service was extended to publish the selected events. The solution was resilient in its ability to detect if the ATNA repository was down and queue messages until the connection was restored.
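The selective export and store-and-forward behaviour described above, as an added, constructed example rather than OpenIAM's audit service: events are filtered by type, delivered in order, and held in a queue while the repository is unavailable. The event type names, the in-memory queue, and the `transport` callable standing in for the ATNA repository connection are assumptions.

```python
import json
from collections import deque

# Constructed example, not OpenIAM code. Which event types are exported is an
# assumed policy; a real deployment would persist the queue rather than hold it in memory.
EXPORTED_EVENT_TYPES = {"LOGIN_SUCCESS", "LOGIN_FAILURE", "PATIENT_RECORD_VIEW"}

class RepositoryUnavailable(Exception):
    """Raised by the transport when the ATNA repository cannot be reached."""

class AtnaPublisher:
    def __init__(self, transport):
        self._transport = transport   # callable(bytes); raises RepositoryUnavailable on failure
        self._queue = deque()         # undelivered messages, oldest first
        self.sent = 0

    def publish(self, event: dict) -> bool:
        """Queue the event if it is selected for export and try to deliver; True if selected."""
        if event.get("type") not in EXPORTED_EVENT_TYPES:
            return False
        self._queue.append(json.dumps(event, sort_keys=True).encode())
        self.flush()
        return True

    def flush(self) -> int:
        """Deliver queued messages in order; stop at the first failure and keep the rest."""
        delivered = 0
        while self._queue:
            try:
                self._transport(self._queue[0])
            except RepositoryUnavailable:
                break                 # repository still down: retain the message for later
            self._queue.popleft()
            delivered += 1
        self.sent += delivered
        return delivered

    def pending(self) -> int:
        return len(self._queue)

class FakeRepository:
    """Simulated ATNA repository whose availability can be toggled for the example."""
    def __init__(self):
        self.up = True
        self.received = []

    def __call__(self, msg: bytes) -> None:
        if not self.up:
            raise RepositoryUnavailable()
        self.received.append(msg)
```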

The OpenIAM solution has been running in production for over three years and has met both its business objectives and high SLAs that OpenIAM must adhere to. The solution allows over 10,000 users to securely access the DI-r solution. During this time, business requirements have continued to change and OpenIAM has been evolving at a rapid rate to allow the service provider to deliver new services in a timely manner.