Identity Crisis

Sunday, 01 January 2006

Today, the need for hospital administrators to recognize, monitor, and control access in the digital world is as crucial to a hospital’s practices as knowing who holds the scalpel in the operating rooms. Stored in computers, information that was once physically kept in safe places and generally only accessible to proper caregivers is now potentially available to a much larger audience. It is no longer possible to rely on the safeguards that the analog world inherently allows, such as having to look, sound, or write like someone in order to be that person. Instead, the digital world simplifies the process of enabling a person to be someone else by virtue of possessing a password or because someone neglected to log off their computer. In the absence of effective identification and authentication techniques, it is easy for people to intentionally or accidentally be someone else in the digital world.

A thirteen-year-old child visiting his mother would be hard pressed to pass as a physician in order to sneak a look at the paper records of other patients. But the same child could easily browse patient records using an unsecured computer in his mother’s room.

The absence of proper controls to govern valid computer users also presents challenges in the digital world. Consider this example. The receptionist in Dr. Smith’s office says to a patient as he enters the office, “Hello, Mr. Green, nice to see you again.” All the people in the reception room now know that Mr. Green is a patient of Dr. Smith’s, and, to some degree, Mr. Green’s privacy has been violated. However, only the people within hearing distance of the receptionist heard what she said, and so this violation is reasonably contained. Later that day, the receptionist sends an e-mail message to all of Dr. Smith’s patients informing them that the office will be closed for next week’s holiday. She sends this message such that every patient’s name is included in the e-mail distribution list. Now every patient knows the name of every one of Dr. Smith’s patients, and in one simple act, the privacy of all of Dr. Smith’s patients has been violated. Such are the challenges of identity and access management in the digital world.

The only practical and prudent way for healthcare organizations to meet these challenges and continue to engender the trust and confidence of the communities they serve is for executive management to develop and implement an effective identity and access management strategy. A proper strategy should enable the following things to be done easily and reliably:

• Assign a single unique identity to each computer user (e.g., Dr. John D. Smith the cardiologist is identified as jdsmithcardio as compared to Dr. John D. Smith the obstetrician, who is electronically identified as jdsmithob).
• Authenticate all computer users so that you know they are who they claim to be (e.g., a particular computer user really is Dr. John D. Smith the cardiologist as evidenced by his secret password, fingerprint biometric, or other authentication mechanism).
• Define roles for computer users that constrain what they are allowed or entitled to do (e.g., a particular physician serves in the role of oncology researcher and in so doing is allowed to order an experimental chemotherapy medication).
• Know the professional, service, or family relationships that exist between people and those who care for them (e.g., a particular physician is assigned as a specialist to a case).
• Know what others are allowed or entitled to do on behalf of the people they are related to (e.g., a patient’s mother is allowed to see her son’s medical records).
• Maintain identities and roles even as changes occur in your organization (e.g., a therapist gets married and changes her last name, a nurse is assigned to the ED and should no longer have access to information about ICU patients, etc.).

The wired world of healthcare continues to evolve as more systems are developed and deployed.
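The capabilities listed above can be combined into a single deny-by-default access decision. The sketch below is an added example, not code from the article or from any vendor's product. Authentication is assumed to have already happened. The names `is_allowed`, `reassign`, `ROLE_PERMISSIONS`, `nurse01`, `parent01` and `pt-001` are hypothetical, and two rules are assumptions made for the illustration: delegates may only view records, and a unit assignment counts as a care relationship.

```python
from dataclasses import dataclass, field

ROLE_PERMISSIONS = {  # role -> permitted actions (constructed for illustration)
    "physician": {"read_record"},
    "oncology_researcher": {"read_record", "order_experimental_chemo"},
    "nurse": {"read_record"},
}

@dataclass
class User:
    user_id: str                                 # one unique identity per person
    roles: set = field(default_factory=set)
    units: set = field(default_factory=set)      # current unit assignments

@dataclass
class Patient:
    patient_id: str
    unit: str
    care_team: set = field(default_factory=set)  # user_ids assigned to the case
    delegates: set = field(default_factory=set)  # user_ids acting on the patient's behalf

def is_allowed(user, action, patient):
    """Deny by default; staff need a role that grants the action AND a relationship."""
    if user.user_id in patient.delegates:        # e.g. a patient's mother
        return action == "read_record"           # assumption: delegates may only view
    role_ok = any(action in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
    related = user.user_id in patient.care_team or patient.unit in user.units
    return role_ok and related

def reassign(user, old_unit, new_unit):
    user.units.discard(old_unit)                 # remove old access, not only add new
    user.units.add(new_unit)

def demo():  # constructed identities and patient, echoing the article's examples
    cardio, ob = User("jdsmithcardio", {"physician"}), User("jdsmithob", {"physician"})
    nurse, mother = User("nurse01", {"nurse"}, {"ICU"}), User("parent01")
    pt = Patient("pt-001", "ICU", {"jdsmithcardio"}, {"parent01"})
    r = {
        "cardio_read": is_allowed(cardio, "read_record", pt),
        "ob_read": is_allowed(ob, "read_record", pt),
        "cardio_chemo": is_allowed(cardio, "order_experimental_chemo", pt),
        "mother_read": is_allowed(mother, "read_record", pt),
        "nurse_before": is_allowed(nurse, "read_record", pt),
    }
    reassign(nurse, "ICU", "ED")
    r["nurse_after"] = is_allowed(nurse, "read_record", pt)
    return r

if __name__ == "__main__": print(demo())
```

The two physicians hold the same role, yet only the one assigned to the case can read the record, and the nurse loses ICU access the moment the reassignment is recorded.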
Healthcare executives need to view IT security and privacy with as much seriousness and intent as any physical plant consideration. The backbone of achieving the necessary safeguards lies in the ability to create electronic identities for everyone known to your healthcare organization and manage the associated data access permissions. These people include not only the clinical and administrative users of your computer systems, but also your patients and their families. It is within the reach of every healthcare organization to create computer-based systems that provide effective identity and access management capabilities. However, only when an organization deems it imperative will the identity crisis be averted.

Robert Seliger is CEO of Sentillion, Inc. and chair of the HIMSS Steering Committee for Integration and Interoperability. He is widely recognized as a visionary at the forefront of converging technical, market, and clinical trends in healthcare.