Enterprise Infrastructure and HIPAA
Yesterday I attended a training on the HIPAA Security Rule. For those unfamiliar with HIPAA, I think it stands for Health Information Privacy and Portability Act. HIPAA has rules on privacy, security, and transactions, and it has implications for a number of state agencies, including ITS.
Two issues stuck with me from the training. The first was a realization made by one of the participants of the training that it would make sense for agencies to collectively solve HIPAA-related issues, and let all benefit from the work. I think agencies will be realizing more and more that, for a lot of IT challenges that they face, it is a good idea to solve those issues as an enterprise rather than each agency on their own. With shrinking budgets and increased business and regulatory demands on our IT resources, it makes sense to solve things once for everybody.
That brings me to the second thing that stuck with me, and that was the fact that UMD-based authentication could really solve a lot of HIPAA issues. One of the security rules stipulates that agencies need to be able to assert that access to protected information is indeed limited to those that should have it. This includes being able to revoke access efficiently when necessary. UMD-based authentication could really benefit agencies that have to meet these HIPAA requirements. One example would be an employee termination. If every application that said employee had access to was protected by UMD-based authentication (web or non-web, it doesn't matter) then as soon as the HR tech enters the termination event in the HR Enterprise database, access to those applications would be immediately revoked. The application administrator would not have to do a thing.
A Gartner study revealed that the average employee has access to 15 to 17 applications during employment. The same study reveals that employees usually still have access to about 10 of those applications after termination. If we can tie authentication to UMD, we could solve this problem for the state enterprise.