Identity governance challenges in healthcare, government and education
Identity governance has now become an established area of focus within organisations. While Identity & Access Management (IAM) manages identities and access rights within the IT environment, identity governance goes one step further. Governance is about maintaining control over identity and access management in a rapidly changing environment with increasingly strict requirements. We therefore want to be able to monitor, evaluate, maintain and improve account and rights management. Who is granted certain access rights, and do we know why? Is that access still needed and what is that based on? These are questions that are becoming increasingly important.
Its importance is increasing rapidly because organisations are digitising at speed. Users constantly switch from application to application, from network to network and from device to device. In that hectic environment, you have to manage rights for dozens or even hundreds of applications, while we sometimes barely know where those applications are hosted in the cloud, which data is being processed, and with whom that data is shared.
This creates significant risks. If we do not maintain control over our applications, data and users, the likelihood of data breaches and other cyber incidents is high. The damage does not only involve lost revenue and recovery costs. It is also damaging to your reputation, and we run the risk of claims and fines. This is one of the reasons governance is high on the agenda for managers and board members.
In this blog, we examine which governance issues are at play in a few important sectors. What role does the subject play in healthcare, government and education? We explore this through a concrete case, an outline of the sector as a whole, and a collection of common pain points.

Identity governance in healthcare
An experienced nurse is scheduled across multiple departments and therefore receives access to the records of patients in those departments. The rights are then not revoked, and in this way the employee gradually ‘accumulates’ access to treatment data across all departments. This is understandable from the perspective that such an experienced employee should be able to step in quickly anywhere, but it is contrary to the principle of least privilege.
Governance challenges within the healthcare sector
In healthcare, it is crucial that healthcare professionals have access at all times to all the information needed to treat and care for patients or clients. The challenge is that this involves special category personal data, namely medical information, and as an organisation you must keep that information confidential. You therefore need to secure the data particularly well, but at the same time this must never result in it being inaccessible when needed. These are difficult dilemmas.
There is also a large and diverse user group. Not only doctors and nurses, but also support staff and external contractors require access. They often have multiple roles, those roles also change regularly, and duty rosters are dynamic. This makes identity lifecycle management very complicated.
Moreover, healthcare is not delivered in isolation from a single institution. Collaborating professionals, in hospitals, rehabilitation centres and GP practices for example, need access to one another’s systems and data. And this takes place in a fragmented IT landscape, where modern applications are used alongside older systems. This makes central control and visibility more difficult.
Common identity governance problems and risks
Doctors and nurses retain access to records beyond their treatment relationship, for example after departmental and rota changes. As a result, patient data becomes unnecessarily widely accessible.
Temporary staff are sometimes not given their own accounts, and therefore use colleagues’ access or shared accounts. This is undesirable and contrary to the principles of information security standards such as NEN 7510.
The accounts and access rights of former employees, trainees or temporary staff remain active, creating the possibility of data breaches and exposing institutions to risks involving their patients’ data.
Healthcare organisations have insufficient visibility into who has accessed which patient data, making auditing and incident analysis more difficult.
Healthcare professionals combine functions, for example doctor and researcher, which leads to unclear authorisations and a higher risk of overly broad access to medical data.
Authorisations are often arranged via forms or email, which leads to errors and means there is no central registration of requests and their assessment.
Importance of identity governance in healthcare
Within healthcare, we must therefore strictly secure patient data while also keeping it directly accessible for treatment and care. And this within a complex environment with many healthcare staff, changing roles, and collaboration across institutions and systems. Professional identity governance, which enables you to maintain control over your rights management, is crucial here.

Identity governance in government
A civil servant leaves the municipality, where he had spent years assessing complex applications for business permits. In his new role, he goes on to advise companies on permit applications. When leaving, he returned his equipment properly and in line with the rules, but later discovers that his account in the municipality’s case management system is still active. A typical case of temptation being put in someone’s way.
Governance challenges within the government sector
Government organisations are characterised by a combination of complexity, public responsibility and strong regulation. Governments work with large volumes of data relating to citizens and businesses, creating serious challenges around privacy, security and accountability.
The organisational structure is complex and fragmented, with multiple layers, executive agencies and chain partners. Despite all attempts at harmonisation, there are still many individual systems and processes, including legacy systems, which are often still shared with other government bodies. The work is carried out by a mix of civil servants, employees of partner organisations and external contractors.
Within that complex landscape, there is certainly a great deal of attention paid to secure and transparent access, including logging, auditing and control mechanisms. But because of the complex environment in which they are deployed, it is often difficult to use them effectively. And every mistake made by government is, of course, immediately subject to intense scrutiny.
Common identity governance problems and risks
Access rights for different systems are distributed across municipalities, executive agencies and ministries, among others. This complicates end-to-end control across the chain and increases the risk of unauthorised access to citizen data.
When roles change, during secondment or after departure, rights often remain active. As a result, employees retain access to systems without any necessity for doing so.
Roles and authorisations differ by organisation and system, creating inconsistencies. This makes it difficult to enforce policy centrally, and it complicates audits and accountability to regulators.
It is often insufficiently clear who is accessing citizen data, when, and for what purpose. That makes it difficult to detect unauthorised access or data misuse.
Because of overly broad settings, employees may be able both to assess and approve applications, for example for permits or benefits. Segregation of duties has not been translated into access rights, which increases the risk of misuse.
Importance of identity governance in government
Government organisations process vast amounts of sensitive data and must be able to account for this at all times. At the same time, there is a fragmented structure with a multitude of users and systems, including outdated applications. This makes oversight more difficult and leads to problems in areas including authorisation policy and segregation of duties. Working towards mature identity governance, with continuous monitoring and control, is therefore very important for improving quality and compliance.

Identity governance in education
Due to overly broad access rights, a lecturer at a university of applied sciences has access to more than just his own systems and data. He can also access the applications of other courses, where he can view and even alter grades without difficulty. And this happens without monitoring.
Governance challenges within the education sector
In education, you are dealing with a dynamic and often young user population. Students enrol and leave, change course or role, and often require temporary access to different systems. This is also linked to the fact that within one institution, students and lecturers often combine multiple roles. A final-year student, for example, may also hold a position as a lecturer or assistant. There is also a great deal of movement among staff, particularly teaching staff, for example to arrange cover.
This places high demands on identity lifecycle management, because rights constantly need to be granted and then withdrawn again. Moreover, this happens in an open and collaborative culture where knowledge sharing and cooperation are the starting point. That makes it more difficult, for example, to apply least privilege strictly.
In addition, many educational institutions are organised decentrally. In primary and secondary education there are partnerships of dozens of schools, and in vocational education, universities of applied sciences and universities, departments and faculties often have considerable autonomy. This makes it difficult to safeguard identity and rights management centrally. Resources for IT management are often limited anyway, and cloud applications and external tools are used creatively.
Common identity governance problems and risks
Accounts are not always closed after graduation or departure, allowing people to retain access to digital learning environments, research applications or shared files.
To keep teaching and group assignments running smoothly, students and lecturers are sometimes given more access than would be permitted under internal policy rules. As a result, people unintentionally gain access to personal data, for example.
Periodic intake and progression periods lead to many changes, making it difficult to keep all rights up to date. As a result, students and lecturers often retain access to irrelevant systems and personal data.
Faculties and sub-programmes have their own processes and manage their own applications and data. As a result, there is no central overview of access rights to education and research systems.
For group projects, research and wider collaboration, students and lecturers often make creative use of digital tools outside the view of IT departments. Through such shadow IT, sensitive education or research data may unintentionally end up outside the institution’s controlled environment.
Importance of identity governance in education
The education sector has a dynamic and relatively vulnerable user population with changing roles and temporary access. This makes good identity lifecycle management important, but also complex. It increases the risk of accounts remaining active unnecessarily for too long and too many rights being granted. In addition, the sector struggles with creative shadow IT use. Identity governance can help education gain more control over access management, including through better monitoring and targeted control.

The importance of identity governance
Although sectors differ, the identity governance challenges show clear similarities. In all sectors discussed, there are complex user structures, fragmented systems and a difficult balance between usability and accessibility on the one hand, and access security on the other.
One of the biggest shared challenges is lifecycle management. In practice, organising the timely adjustment and withdrawal of access rights proves difficult. This quickly leads to excessive access rights and the associated risks. There is also often a lack of oversight in the granting of rights. Without clear insight into who has access to which systems, effective governance is not possible.
And the impact is significant. In healthcare, mistakes directly affect privacy and patient safety, in government you directly damage citizens’ trust, and in education it is not only about the quality of education and research, but first and foremost about the data of children or young people.

How can you gain more control over your identity governance?
Identity governance is not a purely technical issue, but a strategic necessity. Organisations must have insight into who has access to which systems and why. This helps reduce risks and remain compliant. With a strong IAM strategy and governance solutions, you gain greater control. Functionalities such as reconciliation, recertification and role mining help you review and optimise rights.
What is identity governance?
Identity governance is about gaining and maintaining control over users and access rights. It provides insight into who has access to which systems and why, and helps you to continuously review and adjust those rights.
Why is identity governance important?
Without proper identity governance, organisations quickly lose oversight of access rights. This increases the risk of data breaches, misuse and compliance issues. With the right approach, you stay in control and reduce risks.
Which risks can you prevent with identity governance?
Identity governance helps prevent employees from having too many rights, accounts remaining active after someone leaves, and insufficient visibility into who has access to sensitive data.
How does identity governance help with compliance?
Identity governance makes it clear who has access to which systems and why. This supports audits and helps ensure you comply with legislation and regulations relating to privacy and information security.
Written by:
KaHo Man
KaHo, with 18 years of experience in consultancy, is an Implementation Consultant in Identity & Access Management (IAM) at Tools4ever. With a solid foundation in Higher Professional Education in Computer Science, he has grown into a respected mentor and trainer, sharing his knowledge with colleagues and partners. KaHo's expertise also extends to delivering HelloID sales demonstrations and technical intakes, carrying out health checks, and overseeing project reviews.