
Extending CIAM to Enable Modern Healthcare Applications

Customizing identity flows by stacking no-code integrations allows dev teams to innovate efficiently

Nov 15, 2022 · 9 min read

As healthcare delivery models evolve and digital information unlocks new possibilities, a vast array of ecosystem participants face pressure to:

  • Build and manage consolidated patient portals that link patients, patient advocates, and extended healthcare teams and that extend across multiple service providers.
  • Empower patients with convenient self-service options and quicker access to appointment information, test results, diagnoses, forms, documentation, and their healthcare providers.
  • Provide rapid virtual care and assistance, overcoming distance and time constraints and increasing accessibility of healthcare (and related) services.

From established healthcare providers to newcomers aspiring to dominate entirely new markets, the organizations best positioned to succeed will be those that are best able to implement fundamental identity capabilities and extend beyond the identity basics.

All the while — and in everything they do — healthcare organizations have to comply with complex regulatory requirements (e.g., HIPAA, GDPR), which vary by jurisdiction and are often layered (i.e., state laws versus federal laws).

But with developer resources already in short supply and with a healthcare organization's primary applications rightfully commanding the lion's share of attention, engineering organizations need to satisfy identity requirements as quickly — and with as little custom code to write or maintain — as possible.

For example, Jay Anslow, Senior Software Engineer at Babylon Health, shared with us that, "We estimated that it would take a team of eight staff at least a year to meet our new requirements with a home-built solution. As well as the cost of having that team, it would have delayed our timeline, so we wouldn't have been able to get our functionality out the door as quickly."

Identity Enables the Healthcare Ecosystem

Identity, particularly as it relates to securing sensitive data and complying with privacy regulations, has been a foundation of healthcare since long before the digital revolution — but as healthcare delivery organizations (HDOs) embraced new information formats and leveraged the Internet for collaboration, communications, service delivery, and other functions, customer identity and access management (CIAM) systems became essential elements of healthcare organizations' technology stacks.

On top of the transition that was already happening, the COVID-19 pandemic "caused a seven to ten-year acceleration in consumer and digital trends," according to Richard Schwabacher, Senior VP of Digital Health and Chief Digital Officer at BioReference. The result is that "Securing, transmitting, and authorizing patient access to health information digitally is now critical to the practice of medicine and core to what is needed from a modern digital health solution."

And CIAM is vital to this functionality. Out of the box, leading CIAM solutions include many features that can help healthcare organizations meet new needs, allowing even small engineering teams to:

But while out-of-the-box functionality is important, the real world is a complex and dynamic beast (as anyone who's ever done a year-over-year roadmap comparison understands). Being able to accommodate change and tailor identity to your unique needs — and doing both without drawing too heavily upon developers — is the difference between CIAM as a necessary component of your application stack and CIAM as an operational and competitive advantage.

Actions Integrations and the Auth0 Marketplace

A modern CIAM solution can tackle the healthcare identity basics (e.g., signups, logins, account updates, password retrievals, etc.), but satisfying advanced use cases often requires transacting with other business systems and third-parties to execute complex conditional flows.

However, identity is a very difficult and specialized domain. Here's a quick exercise: think of a subject that you know a lot about, something where you're truly an expert. And now, think about how non-experts oversimplify the problems in that area and are overconfident in their ability to solve them. Sure, it's not impossible for them to do so, but it will likely take much more time and effort than they imagined, and the implementation would potentially fail to address corner cases and other complexities.

Identity is like that! An in-house developer team could drop everything else and focus considerable effort on extending an identity implementation by building (and maintaining) a custom solution to every new use case — or they could leverage a straightforward way to make identity work with other business systems quickly and effectively.

And that's where extensibility comes into play.

Since launching in late 2020, the Auth0 Marketplace has helped developers quickly find and install third-party identity solutions for their applications and APIs.

Actions Integrations make it even easier to extend Auth0 with partner-built innovations, often with no-code, drag-and-drop ease; in fact, you can even 'stack' these integrations like building blocks to keep up with new needs and address advanced use cases.

To illustrate, let's look at some examples of how identity proofing, mobile device verification, customer data platforms, and consent management integrations can be combined and conditionally employed to contribute to a strong security posture and create positive experiences for customers.

Registering, logging in, and scheduling appointments

To meet growing expectations for convenience, healthcare organizations must make it easy for patients to register and schedule appointments — but at the same time, the signup process must be secure and must address compliance requirements.

Here's how third-party integrations can help satisfy these simultaneous needs:

  • The patient initiates the registration process/account creation
  • The sign-up flow within the identity engine calls upon an identity-proofing solution to verify the patient's identity
  • Next, the flow calls upon a consent management solution to ensure the patient understands and agrees with how their information will be handled with respect to regulations
  • Finally, the identity engine encourages the patient to enroll in multi-factor authentication (MFA) as an added security measure; if the patient agrees, then the flow walks them through the process

To simplify future logins, the identity engine can employ mobile device verification when the patient attempts to access healthcare services via the organization's mobile app.

Once logged in, a patient can schedule an appointment:

  • The patient selects "schedule appointment."
  • The identity engine uses MFA to verify it is indeed the patient attempting to make the appointment
  • If the patient passes the MFA challenge, the appointment is confirmed

Note that this process can be augmented by employing Adaptive MFA and limiting MFA's use to when a risk threshold is exceeded.
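The registration flow above, as an added example that is not Auth0's or any partner's code: the identity-proofing, consent-management and MFA-enrollment integrations are "stacked" as ordered pipeline steps. The three providers are constructed in-memory stand-ins (synchronous here, unlike real integrations), and the distinction between required steps (proofing, consent) and the optional MFA-enrollment step follows the post's wording that MFA is encouraged rather than mandated. A provider that throws is treated as an outage: required steps fail closed, optional steps are skipped and recorded.

```javascript
// Added example (not Auth0's or any partner's code): patient registration as a
// pipeline of stacked integration steps. Providers are constructed stand-ins.

// Stand-in providers. Each returns { ok, detail } for a normal outcome; a thrown
// error means the provider itself failed (timeout, outage).
const providers = {
  // Identity proofing: does the submitted document match the claimed identity?
  identityProofing: (patient) => ({
    ok: patient.documentMatches,
    detail: patient.documentMatches ? 'document-verified' : 'document-mismatch',
  }),
  // Consent management: has the patient accepted every applicable regulation?
  consentManagement: (patient, regulations) => {
    const missing = regulations.filter((r) => !patient.consents.includes(r));
    return {
      ok: missing.length === 0,
      detail: missing.length ? `missing-consent:${missing.join(',')}` : `consented:${regulations.join(',')}`,
    };
  },
  // MFA enrollment: offered, not forced; a decline is recorded, not fatal.
  mfaEnrollment: (patient) => ({
    ok: patient.wantsMfa,
    detail: patient.wantsMfa ? 'mfa-enrolled' : 'mfa-declined',
  }),
};

// Pipeline definition. Order matters (proof identity before collecting consent
// under that identity), and `required` decides whether a failing step stops
// registration or is merely recorded in the trace.
const signupSteps = [
  { name: 'identity-proofing', required: true, run: (p, ctx) => ctx.providers.identityProofing(p) },
  { name: 'consent', required: true, run: (p, ctx) => ctx.providers.consentManagement(p, ctx.regulations) },
  { name: 'mfa-enrollment', required: false, run: (p, ctx) => ctx.providers.mfaEnrollment(p) },
];

// Run the stacked steps for one patient. `ctx` carries the providers and the
// list of regulations that apply in this jurisdiction (constructed input).
// Returns { registered, stoppedAt, trace } so the outcome is auditable.
function runSignup(patient, ctx, steps = signupSteps) {
  const trace = [];
  for (const step of steps) {
    let result;
    try {
      result = step.run(patient, ctx);
    } catch (err) {
      // Provider outage: fail closed for required steps, skip optional ones.
      trace.push({ step: step.name, ok: false, detail: `provider-error:${err.message}` });
      if (step.required) return { registered: false, stoppedAt: step.name, trace };
      continue;
    }
    trace.push({ step: step.name, ...result });
    if (!result.ok && step.required) return { registered: false, stoppedAt: step.name, trace };
  }
  return { registered: true, stoppedAt: null, trace };
}

// Constructed sample run: a patient who passes proofing, accepts HIPAA and GDPR
// consent, and opts into MFA.
const sampleOutcome = runSignup(
  { documentMatches: true, consents: ['HIPAA', 'GDPR'], wantsMfa: true },
  { providers, regulations: ['HIPAA', 'GDPR'] },
);
console.log(JSON.stringify(sampleOutcome, null, 2));
```

Because each step is a small object with a `run` function, swapping one Marketplace integration for another, or inserting a new one, changes the step list rather than the flow logic; that is the "building block" property the post describes.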

Changing/updating personal information

Healthcare organizations handle an enormous volume of sensitive data, including personally identifiable information (PII) and protected health information (PHI). Consequently, it's vital that only authorized users can access and modify information.

Here's a potential identity flow for patient self-service:

  • The logged-in patient clicks on "update my profile."
  • If the patient is using the mobile app, then the identity engine can call upon a mobile verification solution; otherwise, the identity engine can employ an identity-proofing solution
  • With the patient's device or identity verified, they are now authorized to change their information
  • If the information being changed is of sufficient sensitivity (e.g., relating to financial or insurance records), then the identity engine can engage MFA as an added layer of security/confirmation
  • The patient's information is saved
  • The identity engine passes the updated information to the customer data platform (CDP)

Securely accessing healthcare documents and services

Delivering healthcare services requires holding and managing access to huge numbers of documents, from information forms to lab results. Enabling patients to access their healthcare documents eases the workload for staff and can accelerate care.

In addition, telehealth reached new levels of adoption during the pandemic to help protect vulnerable people and reduce the spread of COVID-19 — but with healthcare fraud a real risk, it's important to verify that a patient is who they say they are.

Here's how identity can help. Suppose a logged-in patient clicks to access a particular health document or service. Depending upon the situation, the identity engine can conditionally branch into a number of paths:

  • If the patient is using the mobile app, then the flow can call upon a mobile verification solution.
  • If the patient is using a new or different device, then the identity engine can initiate an MFA challenge.
  • For especially sensitive information, the identity engine can call upon an identity-proofing solution.

With verification complete, the patient is now able to access the document or service.

Note that these flows can also incorporate risk scoring and behavioral validation. For example:

  • The identity engine can check the patient's device posture against a third-party risk service: if a risk threshold is exceeded, then a higher level of verification can be employed.
  • The identity engine can check behavioral data against the patient's CDP profile: for instance, if the patient usually accesses their healthcare portal from a particular geography but in this attempt is somewhere new, then additional verification may be warranted.

Paying bills

Healthcare organizations also hold vast amounts of financial records — including bills, bank account details, and insurance information — that must be safeguarded. But at the same time, making it easy for patients to view and pay their bills is important.

Fortunately, identity flows can allow patients to view, download, and pay invoices remotely through a third party or an in-house app:

  • The logged-in patient navigates to a bill and attempts to open/view it
  • The identity engine calls upon mobile verification to confirm the patient's device; alternatively, the identity engine can call upon a CDP to confirm the patient's location
  • If the device is not recognized or the patient is logging in from a new location, then the identity stack can initiate an MFA challenge
  • With the patient's identity verified, they are able to open the bill and access the billing/payment system
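The conditional branching described for appointment scheduling, profile updates, document access and bill payment shares one shape: inspect the channel, the device, the request's geography against the CDP profile, a third-party risk score, and the sensitivity of what is being accessed, then require the strongest verification any of those triggers. The block below is an added example, not Auth0's or any partner's code, that implements that policy as a pure decision function plus a thin adapter onto the Auth0 post-login Action API (`api.multifactor.enable` and `api.redirect.sendUserTo` are real Action API calls). The sensitivity classes, the resource-to-sensitivity map, the risk threshold, the proofing URL, and the request contexts are all constructed for illustration; the mobile device verification step itself would be performed by the Marketplace integration and is not shown.

```javascript
// Added example (not Auth0's or any partner's code): step-up verification policy
// for a logged-in patient's action. Scales, thresholds and URLs are constructed.

// Verification strength, weakest to strongest.
const LEVEL = { NONE: 0, DEVICE: 1, MFA: 2, PROOFING: 3 };

// Resource sensitivity (constructed scale).
const SENSITIVITY = { LOW: 0, MEDIUM: 1, HIGH: 2 };

// Assumed score above which a third-party risk service result triggers step-up.
const RISK_THRESHOLD = 70;

// Placeholder for the identity-proofing provider's hosted verification flow.
const PROOFING_URL = 'https://proofing.example/verify';

// Patient-facing actions from the post mapped onto a sensitivity class.
// MFA for appointments and for financial/insurance changes, identity proofing
// for especially sensitive records, as the post describes (constructed map).
const RESOURCE_SENSITIVITY = {
  'appointment:schedule': SENSITIVITY.MEDIUM,
  'profile:contact': SENSITIVITY.LOW,
  'profile:insurance': SENSITIVITY.MEDIUM,
  'document:form': SENSITIVITY.LOW,
  'document:lab-result': SENSITIVITY.HIGH,
  'billing:view': SENSITIVITY.LOW,
  'billing:pay': SENSITIVITY.MEDIUM,
};

// Unknown resources default to MEDIUM so that a newly added feature cannot
// bypass MFA simply because nobody classified it yet (fail-safe default).
function classifyResource(resource) {
  return RESOURCE_SENSITIVITY[resource] ?? SENSITIVITY.MEDIUM;
}

// Decide the strongest verification the request needs.
// ctx (constructed shape): { channel: 'mobile'|'web', deviceKnown: boolean,
//   geo: string, cdpProfile: { usualGeo: string } | null, riskScore: 0..100,
//   resource: string }
// Returns { level, reasons } so the decision can be logged and reviewed.
function decideVerification(ctx) {
  const reasons = [];
  let level = LEVEL.NONE;
  const requireAtLeast = (wanted, why) => {
    if (wanted > level) level = wanted;
    reasons.push(why);
  };

  // Mobile app: device verification is the low-friction path.
  if (ctx.channel === 'mobile') requireAtLeast(LEVEL.DEVICE, 'mobile-device-verification');
  // New or different device: MFA challenge.
  if (!ctx.deviceKnown) requireAtLeast(LEVEL.MFA, 'unrecognised-device');
  // Behavioral check against the CDP profile: unusual geography warrants MFA.
  if (ctx.cdpProfile && ctx.geo !== ctx.cdpProfile.usualGeo) requireAtLeast(LEVEL.MFA, 'geo-mismatch');
  // Third-party risk score over threshold: MFA.
  if (ctx.riskScore > RISK_THRESHOLD) requireAtLeast(LEVEL.MFA, 'risk-threshold-exceeded');

  // Sensitivity of what is being accessed or changed.
  const sensitivity = classifyResource(ctx.resource);
  if (sensitivity === SENSITIVITY.HIGH) requireAtLeast(LEVEL.PROOFING, 'high-sensitivity');
  else if (sensitivity === SENSITIVITY.MEDIUM) requireAtLeast(LEVEL.MFA, 'medium-sensitivity');

  return { level, reasons };
}

// Adapter onto the Auth0 post-login Action API. `api` is Auth0's object when
// this runs inside an Action; the returned label is for logging and testing.
// DEVICE is left to the mobile verification integration (not shown here).
function applyDecision(decision, api) {
  switch (decision.level) {
    case LEVEL.PROOFING:
      api.redirect.sendUserTo(PROOFING_URL); // hand off to the proofing provider
      return 'redirect';
    case LEVEL.MFA:
      api.multifactor.enable('any', { allowRememberBrowser: false });
      return 'mfa';
    default:
      return 'continue';
  }
}

// Constructed sample request: known device, usual geography, low risk, but a
// lab result is especially sensitive, so identity proofing is required.
const sampleDecision = decideVerification({
  channel: 'web', deviceKnown: true, geo: 'US', cdpProfile: { usualGeo: 'US' },
  riskScore: 12, resource: 'document:lab-result',
});
console.log(JSON.stringify(sampleDecision));
```

Keeping the decision separate from the Action adapter means the policy can be unit-tested against recorded request contexts, and the `reasons` list gives the security team an explanation for every step-up that appears in the logs.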

A World of Extensions and Opportunities

Extensibility is a core Auth0 principle. Our identity platform is designed to be easy to deploy and even easier to tailor to your unique business needs, so you never have to choose between customizability and ease of deployment.

Plus, with a long list of security and privacy certifications and the option to deploy the Auth0 Identity Platform in a private cloud, healthcare organizations can be confident that their identity implementations help meet their regulatory requirements.

We're excited about the potential unlocked by the rich ecosystem of third-party integrations, as they allow our customers to continually add new capabilities as needed.

Whether you prefer the pro-code approach of Actions or the no-code convenience of Actions Integrations found within the Auth0 Marketplace, we encourage you to explore the options to see which of your identity and identity-related use cases already have a ready-built solution just waiting to be integrated!