
How Automation Improved Identity, Access Management at Molina Health

Burdened by a slow onboarding process, Molina Health recently tackled its access management challenges by automating its identity governance program.


By Jessica Davis

One of the key challenges facing healthcare organizations is a lack of control over access management. With a vast number of vendors and endpoints, visibility into identity governance and an effective onboarding and offboarding process are necessities.

These challenges fueled Molina Health’s recent decision to overhaul its own homegrown solution for onboarding and offboarding users, as the Long Beach, California-based health system sees more than 5 million individuals across 15 states.

Several years ago, Molina Health relied on its processes to add and remove users in daily batches, moving them from its human resources system into and out of its Active Directory.

As Molina Healthcare’s Manager of Platform Engineering Veda Sankepally describes it, the rapid growth of the health system at that time made the manual provisioning and deprovisioning process incredibly time consuming.

At the time, Molina had 18,000 active identities that supported 16 different states with a range of business lines. The hope was that Molina would be able to standardize and automate the identity and access management platform, Sankepally explained.

Leadership conducted an extensive review of vendors and related services, focusing on a team that could enable the health system to conduct needed identity governance from the start.

“With the increasing demands, we could not complete all the business processes involved, and there was a lack of standards,” explained Sankepally. “We decided to implement identity security because we could not afford an onboarding process that would take 10 to 20 days.”

“We had a ‘near real-time integration’ with our cloud-based HR system that has automated the onboarding and offboarding process for onboarding users,” she added.

As a result, Molina was able to streamline the onboarding and offboarding process. She explained that from there, the team was able to build a platform for application provisioning and deprovisioning. 

The platform allows for faster integration of an increased number of onboarding applications. Sankepally said they first focused on the main applications, then pivoted to access governance to build in regulatory compliance. 

By working closely with the compliance team, Molina was able to ensure all policies and procedures surrounding the program were being documented. 

To Sankepally, the biggest reward has been seen with employees. The tech has allowed employees to be more efficient and successful in their work.

“We have significantly cut down on time-to-access and received tremendous feedback on this piece of the program,” said Sankepally. “But to dig a little deeper, we then focused on lifecycle management and implemented a role-based provisioning process.” 

“This process pre-populates access based on a person's role within the business. This was part of our goal to address operational efficiency,” she continued. “By simplifying the process for granting access by standardizing roles and operationalizing segregation-of-duties management, we have also improved compliance.”

Assigning user roles based on individual job functions has enabled role-based access control, which “not only conforms to the security principle of least privileged access but drives operational efficiencies by simplifying the fulfillment of user access.” 

Sankepally encourages healthcare organizations considering similar implementations to adopt more thorough review processes to reduce risks associated with a more complex regulatory environment.

Since improving its governance program, Molina Health’s security team now has complete visibility and the ability to enforce the appropriate level of permissions needed for each user. 

“I would say to any healthcare provider that peace of mind is worth it. Compliance assurance was an important goal for the program – from the top-level down,” said Sankepally.

In healthcare, inadequate visibility and control over access management and user permissions is frequently named as one of the leading risks to the enterprise. As remote work and telehealth have expanded amid the pandemic, access management challenges have increased.

As hackers continuously seek, and successfully obtain, user credentials, ensuring visibility into access controls is crucial. NIST and H-ISAC have previously released identity management insights, which can help adapt current processes.

But security leaders have repeatedly stressed the importance of automating many of these processes to reduce the burden and increase the accuracy of large-scale challenges, including identity governance.