Identity and Access Management (IAM) should be high on the NHS CIO’s agenda for 2018 after a year of turmoil. From security challenges, to the complexity of new technologies changing working practices. The NHS needs to demonstrate that they are managing IAM risks as they look for ways to optimise operational agility.
IAM risk importance
For those effectively managing IAM, the benefits are significant. Increased security from controlling access to NHS systems and operations, minimises the knock-on effect of downtime, ensuring staff are able to fulfil their duties.
Robust access management is fundamental to a successful NHS. Ensuring the continuity of services to patients is an important part, but the NHS also holds a vast amount of sensitive data, which must be protected to limit financial loss and reputational damage.
In a report about ‘The importance of IAM Programs’, research house Gartner stated: “Security and risk management leaders must establish a program capability to maximize the specific benefits that IAM provides.”
For IAM to be effective, the CIO must focus on ensuring accurate records are kept and updates automatically applied, in a timely manner. The NHS faces an array of risks, yet IAM is relatively controllable. If an effective programme is put in place and, importantly, understood by employees and followed correctly, then the NHS can mitigate much of its IAM risk that is caused by carelessness.
Risk education
One of the biggest vunlerabilities for the NHS is staff. Ensuring that employees do not share or let others borrow their staff passes, system passwords, etc, is critical. Equally, so is ensuring that any phyiscal passes or written down passwords are kept securely.
NHS employees must understand the potential consequences of the sharing of details, whether intentional or not. A programme of continuous IAM education is essential to limit this risk.
Applying agility to IAM
Effective IAM should not be cumbersome, but create efficiencies and limit downtime. IAM can assist with operational agility, so access is monitored and controlled from one system. BDS Solutions Directory Manager, is such a system that bridges the gap across Active Directory, ESR and NHSmail.
This ensures identity data is consistent across all systems, without the need to access every system individually. Creating a more agile back end, helps workers throughout the Trust to conduct their roles more effectively.
Adding to this, BDS Solutions’ ‘One NHS, One Identity’ ensures that each employee has a single personal identifier, limiting employees having multiple profiles across a variety of systems causing management complexity.
By understanding the significant role that IAM plays in risk management, the NHS should put efforts into a clearly defined IAM programme at the top of the CIO agenda, to create more agility and limit potential risks.