
Why Identity Management Matters in Healthcare


What is Identity and Access Management?

According to Gartner, Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments.

Enterprises traditionally used on-premises IAM software to manage identity and access policies, but nowadays, as companies add more cloud services to their environments, the process of managing identities is getting more complex. Therefore, adopting cloud-based Identity-as-a-Service (IDaaS) and cloud IAM solutions becomes a logical step.

Beyond Username and Password

Modern authentication goes beyond usernames and passwords and provides a framework for managing identity as a whole. With healthcare clients, security is critical and every minute counts. Typing a username and password into each web service may have worked in the past, but it has significant drawbacks today.

  • Security: Users tend to reuse the same credentials across many logins, so a breach at an unrelated site exposes your accounts to credential stuffing that is entirely outside your control. Modern security means adding measures such as multifactor authentication and breached-password detection.
  • Administration & Governance: Managing access to web-based services that lack single sign-on capability is a logistical nightmare, because every account must be created, reviewed and removed by hand, one service at a time.
  • User Experience: Having to remember and manually enter yet another set of credentials costs precious time that users simply do not have to spare. Single sign-on gives your users one seamless authentication experience across all of the applications they need.

Why Healthcare Organizations Need Modern Authentication

Modern authentication goes beyond the login screen. Enterprise federation and single sign-on give administrators peace of mind, because users can be provisioned and deprovisioned easily and from one place. Auditing, monitoring and enforcing security policies centrally is another major benefit of modern authentication systems.

In the past, each service a company subscribed to required a separate set of credentials. Each set lived only inside that service, so provisioning and deprovisioning had to be repeated per service, and an account that was forgotten at offboarding remained a standing security risk. This presented a number of security risks and other headaches as well as a logistical nightmare for administrators.

Enterprise federation, which users most commonly experience as single sign-on (SSO), solves many of these problems by:

  • Establishing a single source of truth for user identity
  • Letting one set of credentials log a user in to many services
  • Requiring a user to authenticate only once to gain access to all permitted services
  • Centralizing provisioning and deprovisioning of users and services
  • Keeping governance of the user store with the company, rather than a third party
  • Making it possible to add and manage extra security features (MFA, password policy, etc.) in one place

Harvard Medical School

The pre-eminent school provides medical identity secured by Auth0.

“I’m a big proponent of letting experts do what they do best. If you get identity management wrong, it falls apart horribly, and you get put on the front page of the newspaper as having exposed a large number of people to really bad things. I didn’t want to rely on building it ourselves.”

— David Bernick, Harvard Medical School

The Advantages of HIPAA Compliance

Using HIPAA standards opens you up to new customers in a growing market. 67% of healthcare organizations are currently using a SaaS service in their workflow, with 92% of healthcare providers saying that that they can see a future use for SaaS in their organization. By applying HIPAA standards, you can tap into the $3 trillion healthcare industry.

By working towards HIPAA compliance, you are able to market yourself to 3 new customer bases:

  • Covered Entities
    • 80% of physicians and 60% of hospitals are now using electronic health records (EHR). These organizations must have a HIPAA business associate agreement (BAA) in place with any cloud service that handles protected health information (PHI) on their behalf.
  • Business Associates
    • Business associates that process PHI for covered entities can be assured that your service will protect that data too. Under HIPAA, a subcontractor that handles PHI for a business associate is itself a business associate, so as the healthcare cloud market grows, third-party solutions can market themselves to business associates on the same footing.
  • Wearables & Health Technologies
    • Though consumer wearables are not required to be HIPAA compliant today, the trend towards sharing personal health data from wearables and apps with providers blurs the line between what does and does not need to be HIPAA compliant. For instance, Fitbit now runs its Fitbit Wellness program under HIPAA (including signing BAAs) so that B2B customers can share that data with covered entities.

Compliance and Certifications

Auth0 has completed a SOC 2 Type II audit: an independent auditor has evaluated our product, infrastructure and policies over a period of time and attests that our controls meet the AICPA Trust Services Criteria. SOC 2 is an attestation rather than a certification, so the deliverable is the auditor's report itself, which is what a prospective customer should review rather than relying on a badge alone.

Auth0 offers HIPAA business associate agreements (BAAs) to companies in the healthcare industry that must comply with HIPAA regulations for safeguarding patient privacy and sensitive health information.

Auth0 conforms to the OpenID Connect protocol, and our products are certified by the OpenID Foundation, of which we are active members. We strive to use open standards and specifications to deliver excellent interoperability for our customers. Auth0 helped define the protocol and sponsors OpenID Connect.

Auth0 conforms with the EU-US Privacy Shield Framework, adopted in July 2016 to regulate privacy in data flows between the European Union and the United States. This Framework replaced the EU-US Safe Harbor Framework, which the Court of Justice of the European Union invalidated in October 2015. (The Privacy Shield was itself invalidated by the same court in July 2020, so transfers today rely on other mechanisms such as Standard Contractual Clauses.)

Identity Management Done Right

Auth0 can authenticate your users with any identity provider running on any stack, any device or cloud. It provides Single Sign-On, Multifactor Authentication, Social Login, and several more features.

In terms of authorization, you can use the rules engine to define coarse-grained authorization, that is, rules that decide whether a user may log in at all (for example: at what times, from which locations and devices, and so on). Rules run after the user has authenticated and before any token is issued, so a denied login never receives a session.

Auth0 also has a group memberships feature that can be exposed to the application (for example: group memberships in Active Directory, in Azure Active Directory, in the user’s metadata, and so on); based on that, you can do more fine-grained authorization (where only users in a particular group can access some applications).
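The two authorization layers just described, as an added example that is not Auth0's own code: one rule written in the Auth0 Rules shape, function(user, context, callback), which first applies the coarse-grained login checks (permitted hours and countries) and then the group-based gate for particular applications. The policy values, the two application names and the sample users are assumptions constructed for the illustration; the context fields used (context.request.geoip.country_code, context.clientName, user.groups, user.app_metadata) follow Auth0's documented rule context but should be checked against current documentation, since Rules have since been succeeded by Actions.

```javascript
// Added illustration, not Auth0's code: an Auth0-style login rule combining
// coarse-grained checks (hours, country) with per-application group gating.
// Field names follow Auth0's documented rule context; the policy constants,
// application names and sample users below are assumptions for this example.

// Auth0's rule sandbox provides UnauthorizedError as a global; it is defined
// here so the file also runs offline under plain Node.
class UnauthorizedError extends Error {}

// Constructed policy. Hours are a half-open UTC window [start, end).
const POLICY = {
  allowedCountries: new Set(['US']),
  businessHoursUtc: { start: 6, end: 22 },
  requiredGroupByApp: {
    'EHR Portal': 'clinical-staff',   // assumed Auth0 client names
    'Billing Console': 'billing',
  },
};

// Collect the user's groups from the two places the text mentions: the
// directory connection (AD/LDAP attaches them as user.groups, assumed here)
// and the tenant's own app_metadata. Missing fields contribute nothing.
function groupsOf(user) {
  const fromDirectory = Array.isArray(user.groups) ? user.groups : [];
  const meta = user.app_metadata || {};
  const fromMetadata = Array.isArray(meta.groups) ? meta.groups : [];
  return new Set([...fromDirectory, ...fromMetadata]);
}

// Pure decision function, kept apart from the Auth0 callback plumbing so the
// policy can be exercised with a fixed clock. Returns {allow, reason}.
// Location is fail-closed (no country code, no login). An application with
// no group mapping is open to any authenticated user, which matches the
// text's gating of "some applications" rather than all of them.
function evaluate(user, context, policy, now) {
  const geo = (context.request && context.request.geoip) || {};
  if (!geo.country_code || !policy.allowedCountries.has(geo.country_code)) {
    const where = geo.country_code || 'unknown location';
    return { allow: false, reason: `login from ${where} not permitted` };
  }

  const hour = now.getUTCHours();
  const { start, end } = policy.businessHoursUtc;
  if (hour < start || hour >= end) {
    return { allow: false, reason: 'login outside permitted hours' };
  }

  const required = policy.requiredGroupByApp[context.clientName];
  if (required && !groupsOf(user).has(required)) {
    return { allow: false, reason: `${context.clientName} requires group ${required}` };
  }
  return { allow: true, reason: 'ok' };
}

// The rule as Auth0 would invoke it, after authentication and before any
// token is issued: a denial is reported with UnauthorizedError, otherwise
// user and context are handed on unchanged to the next rule.
function healthcareAccessRule(user, context, callback) {
  const verdict = evaluate(user, context, POLICY, new Date());
  if (!verdict.allow) {
    return callback(new UnauthorizedError(verdict.reason));
  }
  return callback(null, user, context);
}

// Demo with a constructed clinician logging in to the EHR portal from the US.
// Whether it prints "allowed" depends on the wall clock, as the rule intends.
const demoUser = { email: 'clinician@example.org', groups: ['clinical-staff'] };
const demoContext = { clientName: 'EHR Portal', request: { geoip: { country_code: 'US' } } };
healthcareAccessRule(demoUser, demoContext, (err) =>
  console.log(err ? `denied: ${err.message}` : 'allowed'));
```

Keeping the decision in evaluate and the Auth0 callback in a thin wrapper is deliberate: the policy can be tested with a fixed clock and constructed contexts, while the wrapper is the only part that touches the sandbox-specific UnauthorizedError and callback contract.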