Healthcare organizations with large, diverse and transient workforces face persistent access control challenges. Clinicians and care providers frequently move between health systems, work as contractors or hold multiple affiliations. Combined with high attrition, burnout and staffing shortages, this volatility makes it difficult to determine who should have access to what, and when. Too much friction drives away essential workers; too little control exposes organizations to security risks, compliance violations and patient safety issues.
These challenges are compounded by the complexity of healthcare’s hybrid technology ecosystem. Identity and access management (IAM) processes typically have to be deployed across cloud applications, on-premises systems, legacy platforms and third-party solutions.
“An effective identity solution has to span both legacy applications and cloud applications and bring them together to provide a frictionless user journey for everyone in the healthcare workforce,” said Loren Russon, Senior Vice President, Product Management, Ping Identity. Russon shared his insights during the webinar, “Managing the Transient Workforce: Solving Identity Governance and Access Control in Healthcare.”
The Challenge of a Transient Workforce
A transient clinical workforce is a fact of life for today’s healthcare organizations. Ninety percent of US healthcare facilities rely on locum tenens (temporary) providers each year.[1] These workers present a distinct identity governance challenge that maps directly onto the three stages of the workforce lifecycle, said Russon:
- Joiner. This phase begins when a transient worker is hired. “Onboarding needs to be live, self-service and online,” he said. Any delays in verifying identity, validating credentials or provisioning access can undermine productivity and disrupt patient care.
- Mover. Roles often change as workers are assigned to different units or facilities. To maintain operational agility, “transient workers need to be provisioned in a just-in-time fashion, so they have the access rights for the job they are doing that day,” Russon explained.
- Leaver. “For most organizations, a zero-day start is not their biggest problem,” he said. “Instead, the leaver part is really difficult. Once that person’s contract ends, how do you make sure there aren’t any lingering accounts or any lingering access?”
Failing to manage the joiner-mover-leaver lifecycle can have significant consequences for employees, patients and the organization. Employees who experience high friction as they try to access electronic medical records or other mission-critical systems will be frustrated and harder to retain. When caregivers can’t access those systems, patient care can suffer.
At the same time, problems such as lingering access rights can provide an opening for cyberattacks, pointed out Hector Rodriguez, Health & Life Sciences, Principal Industry & Security Leader, AWS. “HIPAA requires that you know who is in your system, why they are there and what data they are accessing,” he said. “If an organization doesn’t manage identities properly, there are regulatory compliance issues, audit issues and other consequences that add friction and add costs.”
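The joiner-mover-leaver reconciliation described above, as an added example that is not code from Ping Identity or AWS: it treats an HR feed as the authoritative source of identity data, derives each active worker's entitlements from a role mapping, and flags access still held by anyone whose contract has ended or who has no HR record at all (the lingering access Russon describes). It goes slightly beyond the text by also catching orphan accounts HR never knew about, and by deferring a joiner's access until the start date. The role-to-entitlement table, the field names and the sample records are constructed for the example.

```python
"""Joiner/mover/leaver reconciliation against an authoritative HR feed.

Added example, not code from Ping Identity or AWS. Assumptions: a nightly HR
export is the source of truth, entitlements are derived from a role mapping,
and the target systems can report who currently holds what. The role table,
field names and sample records below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical role -> entitlement mapping (constructed for the example).
ROLE_ENTITLEMENTS = {
    "rn_icu": {"ehr:clinical", "pyxis:icu"},
    "rn_ed": {"ehr:clinical", "pyxis:ed"},
    "locum_hospitalist": {"ehr:clinical", "ehr:order_entry"},
}


@dataclass(frozen=True)
class HrRecord:
    worker_id: str
    role: str
    start: date
    end: Optional[date]  # None means open-ended; locums carry a contract end date


@dataclass
class Action:
    kind: str  # "join" | "move" | "leave"
    worker_id: str
    grant: set = field(default_factory=set)
    revoke: set = field(default_factory=set)


def active_workers(hr_feed, today):
    """Workers whose HR record is in force today (start reached, end not passed)."""
    return {r.worker_id: r for r in hr_feed
            if r.start <= today and (r.end is None or today <= r.end)}


def reconcile(hr_feed, current_access, today):
    """Compute the grants/revocations that make observed access match HR.

    current_access maps worker_id -> set of entitlements observed in the
    target systems. Anyone holding access without an active HR record is a
    leaver, which also catches orphan accounts HR never knew about.
    """
    active = active_workers(hr_feed, today)
    actions = []
    for wid, rec in active.items():
        wanted = ROLE_ENTITLEMENTS.get(rec.role, set())
        have = current_access.get(wid, set())
        if not have:
            actions.append(Action("join", wid, grant=set(wanted)))
        elif have != wanted:
            actions.append(Action("move", wid, grant=wanted - have, revoke=have - wanted))
    for wid, have in current_access.items():
        if wid not in active and have:
            actions.append(Action("leave", wid, revoke=set(have)))
    return sorted(actions, key=lambda a: (a.kind, a.worker_id))


def example_actions(days_ahead=0):
    """Run the reconciliation over constructed sample data as of 2025-04-02 (+days_ahead)."""
    today = date(2025, 4, 2) + timedelta(days=days_ahead)
    hr_feed = [
        HrRecord("w100", "rn_icu", date(2025, 1, 6), None),                          # steady state
        HrRecord("w101", "locum_hospitalist", date(2025, 3, 1), date(2025, 3, 31)),  # contract ended
        HrRecord("w102", "rn_ed", date(2024, 9, 2), None),                           # moved ICU -> ED
        HrRecord("w103", "rn_icu", date(2025, 4, 1), None),                          # started yesterday
        HrRecord("w104", "rn_ed", date(2025, 4, 7), None),                           # starts next week
    ]
    current_access = {
        "w100": {"ehr:clinical", "pyxis:icu"},
        "w101": {"ehr:clinical", "ehr:order_entry"},  # lingering after contract end
        "w102": {"ehr:clinical", "pyxis:icu"},        # still holds the old unit's access
        "w999": {"ehr:clinical"},                     # no HR record at all (orphan account)
    }
    return reconcile(hr_feed, current_access, today)


if __name__ == "__main__":
    for a in example_actions():
        print(a.kind, a.worker_id, "grant", sorted(a.grant), "revoke", sorted(a.revoke))
```

Run against a real HR export and entitlement snapshot, the "leave" actions are the ones to execute first: they are the lingering-access findings, and in practice an auditor will ask how long each one existed before it was revoked. The future-dated joiner (w104) gets nothing until the start date, which keeps a pre-provisioned account from sitting idle and unowned.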
Working Within a Hybrid Technology Ecosystem
IAM becomes substantially more complex when delivered across hybrid environments. For many organizations, the cloud has not replaced on-premises or legacy systems. It may never fully do so.
“I asked a customer when he thought his organization would be moving completely to the cloud, and his answer was, ‘between five years and never,’” said Russon. “The reality is that many healthcare organizations have legacy systems they may never move away from. As a consequence, the organization’s identity and access management solution has to support a hybrid stack.”
Healthcare organizations depend on systems that may never be migrated off-premises, all while expanding their use of cloud-native applications, remote monitoring tools, telehealth platforms and connected medical devices. Clinicians may access information through shared kiosks, laptops, tablets, mobile phones or even wearable devices (e.g., smart watches).
This creates an identity environment defined by variability in user roles, clinical context, application type, device type, network location and user location, among other factors. The traditional approach to so much variability is to lock down access, but that can exacerbate friction.
“Technology can enable clinicians to provide better care, but it can also get in the way,” said Rodriguez. “People work in different ways, using different modalities, across different devices. We need to enable access in all those situations without compromising security.”
A Modern Approach to Identity and Access Management
In an environment with so many variables, the only way to ensure access and to protect security at the same time is to make identity the key. “Identity is the new perimeter when it comes to security,” Rodriguez noted.
A modern IAM platform shifts the focus from securing the network perimeter to continuously verifying the individual and authorizing their access in context (Figure 1). This enables organizations to scale friction up or down, depending on the risk associated with each access request.
Figure 1. Getting workforce identity right
This approach can minimize friction, support operational efficiency and enhance security in the following ways:
- Enhance existing systems. Instead of replacing legacy tools, IAM can enhance them. For example, the organization’s human resources (HR) system can serve as the authoritative source for identity data when integrated with a unified identity platform, improving identity data accuracy and operational efficiency.
- Automate manual processes. The onboarding process often includes the verification of credentials against databases such as the national nurse licensure database (Nursys®), the National Provider Identifier (NPI) registry or other sources. By integrating these and other credentialing databases into a unified identity platform, HR departments can improve security while saving time and money by automating checks that are often done manually.
- Integrate identity across the entire joiner-mover-leaver lifecycle. A unified, integrated approach to identity and access can close gaps in onboarding processes, enable real-time authorization and ensure timely deprovisioning to avoid the issues tied to lingering access. This integration also unlocks identity data silos, speeding care delivery and improving accuracy across a diverse health ecosystem for competitive advantage.
- Enable real-time, risk-based authorization. User friction stays low during routine, low-risk activity and increases automatically when risk signals such as an unusual location, device or behavior pattern are detected. By adjusting friction to real-time risk, healthcare organizations (HCOs) improve security without hurting productivity or user experience.
- Orchestrate identity management across all systems and devices. Identity orchestration automates a unified identity journey across legacy, hybrid and modern systems, driven by policy across the entire identity lifecycle. Leading orchestration engines can coexist with and augment existing governance, provisioning and other point solutions, so HCOs can extend the value of the investments they already have.
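One way to implement the risk-based authorization described above, as an added example rather than the platform's own policy engine: a small scoring policy turns the signals on each request (device, network, location, shift schedule, recent failed logins) into a risk score and picks the friction level from it, with a lower step-up threshold for resources that carry protected health information (PHI). The signal weights, the thresholds and the four scenarios are constructed assumptions for illustration, not values from the webinar.

```python
"""Risk-based authorization: scale friction to the risk of each request.

Added example, not Ping Identity's policy engine. The signals, weights,
thresholds and scenarios are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: str             # "phi" (protected health information) or "low"
    device_managed: bool         # enrolled in the organization's device management
    device_known: bool           # seen for this user before
    on_facility_network: bool
    country: str
    home_country: str
    on_shift: bool               # within the worker's scheduled shift
    failed_logins_last_hour: int


# Constructed weights: how much each signal adds to the risk score.
WEIGHTS = {
    "unmanaged_device": 30,
    "new_device": 20,
    "off_network": 10,
    "foreign_country": 25,
    "off_shift": 10,
    "failed_logins": 15,
}
STEP_UP_AT = {"phi": 20, "low": 40}  # PHI-bearing resources step up sooner
DENY_AT = 70


def risk_score(req):
    """Return (score, list of triggered signals) for one request."""
    reasons = []
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if not req.device_known:
        reasons.append("new_device")
    if not req.on_facility_network:
        reasons.append("off_network")
    if req.country != req.home_country:
        reasons.append("foreign_country")
    if not req.on_shift:
        reasons.append("off_shift")
    if req.failed_logins_last_hour >= 3:
        reasons.append("failed_logins")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(req):
    """Map the score to a friction level: allow, step_up (MFA) or deny."""
    score, reasons = risk_score(req)
    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT[req.sensitivity]:
        decision = "step_up"  # require a second factor before granting
    else:
        decision = "allow"    # the existing SSO session is enough
    return decision, score, reasons


def example_decisions():
    """Evaluate four constructed scenarios for one clinician."""
    base = dict(user="rn_jones", resource="ehr", sensitivity="phi",
                device_managed=True, device_known=True, on_facility_network=True,
                country="US", home_country="US", on_shift=True,
                failed_logins_last_hour=0)
    scenarios = {
        "ward_workstation": AccessRequest(**base),
        "new_managed_laptop_from_home": AccessRequest(
            **{**base, "device_known": False, "on_facility_network": False}),
        "same_laptop_low_sensitivity": AccessRequest(
            **{**base, "device_known": False, "on_facility_network": False,
               "sensitivity": "low", "resource": "shift_schedule"}),
        "unknown_device_abroad_off_shift": AccessRequest(
            **{**base, "device_managed": False, "device_known": False,
               "on_facility_network": False, "country": "RO", "on_shift": False,
               "failed_logins_last_hour": 4}),
    }
    return {name: decide(r) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in example_decisions().items():
        print(f"{name}: {decision} (score {score}, {', '.join(reasons) or 'no signals'})")
```

The same device and network pattern yields "step_up" for the EHR but "allow" for the shift schedule, which is the point of tying thresholds to resource sensitivity: the clinician on a ward workstation sees no prompt at all, while the clearly anomalous request is refused before any factor is asked for. A production policy would take these signals from the device management, network and identity telemetry rather than from request fields, and would log the reasons alongside the decision for audit.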
Where to Start
Modernizing IAM can sound like a massive project, but healthcare organizations don’t have to do everything at once. Russon and Rodriguez suggest starting with data and building on what already works.
Start With an Inventory of Roles
Coexist With Current Systems and Orchestrate Better Journeys
Learn From Other Industries and Experienced Partners
Reference
[1] Caliber Healthcare Solutions. “Purpose-driven healthcare: The numbers behind National Locum Tenens Week 2024.” August 11, 2024. https://www.caliberhealth.com/blog/purpose-driven-healthcare-national-locum-tenens-week-2024#
About Ping Identity: Ping Identity delivers a unified identity and access management (IAM) platform that helps healthcare organizations secure every digital moment for patients, employees, and partners. With robust support for Zero Trust—including global identity verification, adaptive MFA, decentralized identity, and real-time fraud and risk protection—we help mitigate critical cyber threats to healthcare. Our platform supports full compliance with healthcare regulations like HIPAA and HITECH. Ping also simplifies access and personalizes digital experiences—leading to improved efficiency, deepened loyalty, and reduced operational costs. With Ping, healthcare organizations can securely build dynamic digital health ecosystems, connect users, streamline operations, and confidently scale their business to deliver exceptional care.