Managing Non-Employee Identities in Healthcare

It’s not just malicious cyber-attacks or criminal activity that companies need to prepare for. The majority of data breaches originate within companies due to human error or negligence, and in many cases, this can be traced back to the lack of proper access controls. One of the biggest access challenges? Securely and efficiently managing non-employee identities. Managing employee identities is fairly straightforward because we can rely on an HR system of record (an authoritative people data source). Yet those same systems of record are rarely created or used for a large part of a business’s population: non-employees or third parties.

Why is securing and managing a non-employee identity a challenge?

Lack of authoritative source: while most large enterprises invest in deploying an authoritative HR source for employees, setting up a similar resource for non-employees is uncommon. Often this is due to the lack of a centralized management function or department (like HR) for non-employees.

Different privileges: contingent workers’ access needs differ from those of employees, so a typical employee joiner process/workflow may not work for them. For example, employees need a mailbox to be created as part of their joiner process. Non-employees don’t usually maintain multiple mailboxes (i.e. they have a mailbox for their primary employer but not for network partners or temporary positions). So, creating a contact for non-employees in an enterprise directory may be sufficient, provided it doesn’t violate corporate policy.

Directory for external users: in order to run marketing campaigns, the marketing team within an enterprise needs to manage the email IDs of their target audience. This is maintained either in a CRM system (e.g. Salesforce) or (at worst) in enterprise Active Directory.

IDMWORKS solves this challenge for many of our customers through our Non-Employee Identity Suite (NEIS), an Identity and Access Management system designed specifically to manage non-employee lifecycles. NEIS supports the joiner, mover, and leaver processes for non-employees.

NEIS Case Study:

We recently deployed a non-employee identity suite for an integrated network of physician clinics, outpatient centers, and hospitals. The network consists of more than 1,500 physicians and 26,000 employees at more than 500 locations across multiple states, including 15 medical centers and hundreds of outpatient facilities and physician clinics.

Our healthcare client uses Oracle PeopleSoft as the authoritative source for employees. However, there was no such equivalent for non-employees. As a part of their IT initiatives, the client deployed an IAM system and was able to bring in the employee records from the authoritative source. However, the lack of such an authoritative system for non-employees made it impossible to manage non-employees from within the IAM system.

The client deployed IDMWORKS NEIS as the system of record for non-employees. Using the simple NEIS admin and user interface, the client was able to quickly add and update non-employees in the NEIS directory. From that point, a connector was used to set up a connection between the IAM system’s directory and the NEIS directory. As a result, the non-employee records were added to the IAM system’s directory. This architecture enabled the client to manage both employees and non-employees within a single, centralized IAM system, saving time and resources and strengthening their security posture.

If you are having challenges securely managing non-employee identities and would like a better understanding of different approaches and solution sets, you can learn more here.