Identity and Access Management 2020
Healthcare Looks (Well) beyond SSO (A Decision Insights Report)
As healthcare continues its measured move to the cloud, healthcare provider organizations can no longer protect data solely through firewalls and strong perimeter defenses—the digital identity must be protected as well. With organizations replacing homegrown identity and access management (IAM) solutions with commercial options, new vendors have entered the healthcare arena, and longstanding single sign-on (SSO) vendors have expanded their suites. To understand which vendors are being replaced, considered, and purchased and what factors drive these decisions, this report combines customer satisfaction insights with feedback from 40 unique healthcare provider organizations that have recently made an IAM technology purchase decision.
KLAS Identity and Access Management Framework
While KLAS seeks to gather feedback from healthcare provider organizations on their IAM suite as a whole, the reality today is that most are at the start or in the middle of building and executing a long-term strategy. With this in mind, the basic framework below outlines common IAM capabilities. These select capabilities were the focus of KLAS’ recent research and validation efforts and are not intended to cover all aspects of IAM. Other components of an IAM strategy—e.g., privileged access management, access control, and password management—were not a focus of this report but may be included in future research.
Healthcare-Focused Vendors Expanding beyond SSO: Imprivata Makes Strong Initial Leap; Identity Automation Sees Minimal Traction
Based on their reputation, strong market share in healthcare SSO, and recent product expansion efforts, Imprivata receives significant consideration in new IAM purchase decisions. In the last year, KLAS has validated more new contracts with Imprivata than any other IAM vendor, with customers purchasing additional modules beyond SSO, including governance, electronic prescribing of controlled substances (EPCS), provisioning, password management, and multi-factor authentication (MFA). Clients expanding with Imprivata do so largely based on existing relationships and previous success with Imprivata. Customers that choose to expand with other vendors often cite a high price tag, and a few imply that Imprivata is arrogant about their market position and solutions.
Identity Automation, another key healthcare-focused SSO vendor, has signed a number of new clients in the last year; these customers, typically smaller organizations, see great value in the SSO capabilities. Despite offering a broad suite of IAM capabilities, Identity Automation has yet to see much adoption in healthcare outside SSO. Customers looking to expand their IAM technology typically choose other vendors’ solutions. In the last year in particular, some clients have expressed concern about a lack of development following Identity Automation’s acquisition of HealthCast, leading to a notable downward trend in customer satisfaction.
Among Cloud-Based Options, Duo Carves Out a Niche; Microsoft IAM Clients in Limbo
Though not healthcare specific, Duo has become increasingly relevant in healthcare for their focused MFA offering and the fact that their solution is cloud based. Duo clients love the solution’s simplicity and ease of use and say they feel comfortable with the cloud technology since MFA doesn’t require the vendor to access any sensitive data. Duo is not currently viewed as a full-suite IAM provider, but this does not hinder customer satisfaction. Instead, clients perceive Duo as a valuable component that can be installed fairly quickly and easily.
Microsoft is recognized as a formidable force in cloud technology. At the same time, healthcare IAM clients often relay uncertainty and frustration, describing the on-premises solution, Microsoft Identity Manager (MIM), as lacking in development and needed support. This contributes to low ratings and some hesitancy to consider the go-forward cloud-based product, Azure Active Directory (Azure AD); in short, clients often feel stuck with MIM and unsure about the future.
Okta Identity Cloud is seen as a technologically advanced solution. Some organizations feel the cloud-only approach does not map to their current reality of on-premises and hybrid environments. In terms of security concerns, organizations find Okta’s broader, cloud-centric offering a little more daunting (as opposed to Duo’s offering, which is mostly MFA focused). Ping Identity also offers cloud solutions for SSO, MFA, and governance and has been considered in a few decisions in this research, though KLAS has yet to validate any wins.
Identity Governance: SailPoint Stands Out as Leading Choice
For most healthcare provider organizations, formal identity governance is a new endeavor—many of those acquiring governance technology are making a net new purchase and looking for a vendor with a strong focus in this area. Large organizations commonly consider and choose SailPoint, citing strong development, functionality, and healthcare industry focus. Current customers also report using or planning to use SailPoint for provisioning. Customers considering SailPoint also often look at other cross-industry vendors, including Microsoft (used in healthcare mostly for provisioning) and Saviynt, as well as healthcare-focused Imprivata.
Saviynt is seen as having a strong product suite, but respondents interviewed in this research feel hesitant to choose the vendor due to reports from current customers of implementation difficulties. Similarly, some organizations considering Imprivata are concerned about the product requiring workarounds. However, the number of organizations choosing Imprivata for governance has grown over the last year, and clients expect the product to improve over time.
Long-Standing Vendors IBM, Micro Focus, Oracle Diminish in New Considerations
Many healthcare provider organizations are just embarking on the journey toward full IAM, with some describing their current hodgepodge assortment of products as “an identity management wreck.” Some organizations may have existing products from IBM, Oracle, and Micro Focus, all long-standing vendors in IAM. However, over the last two years, these vendors have not been high on healthcare organizations’ radars in new decisions.
IBM and Oracle received a handful of considerations each, often due to their traditional presence in the market. One respondent who didn’t select IBM said the vendor tried to sell them additional functionality and tack on artificial intelligence processes they weren’t ready for. A prospective Oracle client felt that the feature set was decent but said Oracle didn’t articulate much healthcare experience and was generally too pricey. KLAS did validate one organization moving forward with additional functionality and modules from Micro Focus in an effort to consolidate systems and vendors.
Top-Considered Vendors at a Glance
Vendors ordered by consideration rate (high to low)
Considered in nearly 80% of decisions in this study; is the largest and best-known vendor for SSO in healthcare. Acquisitions of GroundControl and Caradigm as well as recent partnership with Microsoft have expanded offering to include full suite of IAM solutions, drawing interest from existing clients looking to add functionality. Those considering the vendor also highlight positive relationship/partnership qualities. Some respondents who chose to pass on Imprivata say representatives were aggressive and arrogant (due to reputation and large market presence); others say price was too high (also commonly cited as a challenge by current customers). Users satisfied with ease of use and say the product works as promoted; some note challenges with delivery of new technology and say the service has not been as proactive as they would like.
Prospective customer: "Knowing Imprivata and what they had to offer, we thought that choosing them was the right way to go. Getting support with Imprivata was a huge win. The same thing goes for the tap-and-go capabilities for the medical devices. Building bridges for SSO is a lot easier to do in the Imprivata system. That is a plus. Our previous system had a piece of the functionality. The Imprivata system had the second piece and allowed us to move to one platform. Having everything in one place was a no-brainer." —IT director
Prospective customer: "Once Imprivata took over the Vergence product, we got an idea of what kind of company they are and how they treat their existing customers and potential future customers. We were less than impressed with the vendor’s team. The vendor wasn’t willing to change anything. We weren’t really appreciative of their tactics and their demeanor toward customers." —Security manager
Current customer: "From an end-user perspective, the product is very easy to use. Users just tap their badges, authenticate themselves, and sign in. We acquired a couple of hospitals and provisioned the new employees in less than 72 hours. The process was pretty slick. We let the engine do what it was supposed to do, and the process was seamless." —VP
Cross-industry SailPoint has expanded their healthcare division over the last several years. Offers strong technical product that customers use mainly for governance. Often selected by larger organizations, who say functionality matches their needs and highlight the positive references they received. Those who considered but did not select SailPoint felt the product might be too complex for their needs or might require difficult customization to be integrated. SailPoint typically encourages customers to engage a third-party implementation firm due to the complexity. Current clients highly satisfied, especially with the product’s quality and integration. Some concerns reported about poor ease of use and lack of responsive support.
Prospective customer: “We see a lot of people going to SailPoint. I talk to my peers and get feedback from places like Deloitte. We looked at many vendors, but we narrowed things down to SailPoint. We haven’t seen anything out there that is that much better, so we are heavily leaning toward SailPoint. All the major health systems we have talked to said that they were happy with SailPoint’s tool.” —CISO
Prospective customer: “In terms of building integrations, SailPoint didn’t seem very open. The technical implementation was complicated, and that didn’t leave a good taste in our mouths. We were concerned about the amount of customization we would have to do. The vendor we selected has an open framework, but SailPoint wanted us to do a specific integration. We felt that integration with SailPoint’s system would be difficult on the technical side. The solution wasn’t intuitive or flexible.” —Security engineer
Current customer: “Something we really like about SailPoint is that we are seeing a more predictable pace of code release, and it is much more manageable. SailPoint’s solution is a mature, predictable product, but the vendor is still innovating to meet some of the specific needs we have from a technology perspective. But there are no regrets about the path we have taken and the path we are taking going forward.” —CISO
Frequently considered, mostly by smaller organizations. SSO solution is a strength; other modules have not seen as much traction, and Identity Automation is rarely considered for full-suite IAM. Organizations that choose Identity Automation like the price point and the company’s attentiveness and flexibility. Those that considered but did not select them felt functionality wasn’t on par with other systems. Current clients’ satisfaction has decreased since last year, and more customers are planning to replace due to service and support challenges. Some customers feel a notable difference from the relationship they had with HealthCast and feel Identity Automation has not met expectations post-acquisition. On the positive side, money’s worth is a strength, and most clients see high value in the product.
Prospective customer: “Identity Automation was willing to work with us from the beginning. We brought up a number of our concerns, and the vendor said they had dealt with other customers like us before. The vendor actually added a launchpad, and that was a request from a previous customer. The vendor was willing to work with us and make changes to make the process seamless for us.” —Manager
Prospective customer: “The HealthCast solution is a little less slick than other solutions. HealthCast doesn’t necessarily have all the integration with our EMR that other solutions have. It can accomplish the same thing in a similar fashion, but it just seems less integrated into the whole process.” —Director
Current customer: “HealthCast was recently acquired by Identity Automation. We were longtime HealthCast clients, and we enjoyed fantastic service at great rates. Since the acquisition, the service has been less customer friendly. The employees who came over from HealthCast continue to be great to work with, but the Identity Automation employees are much more rigid and difficult. The product gets the job done and is a price performer, but I don’t see Identity Automation as a long-term partner.” —Director
Considered in 25% of purchase decisions in this research; validated by KLAS as chosen in one. Some organizations see Okta’s cloud-only approach as too advanced (much of healthcare still uses on-premises technology and many organizations are not ready for cloud-based security). Perceived as more of a niche player for MFA and SSO, rather than a full-suite vendor, though some healthcare organizations are starting to look at Okta as a broader offering.
Prospective customer: “We plan on going with Okta’s solution. We have done several demos and looked at other products. Okta seems light-years ahead of their competitors. . . . The vendor has technology to be able to ship laptops without a password, and they can all be provisioned. A person just needs the machine to get everything set up. We don’t have to bring the laptops to our site first and install a bunch of things before shipping them out.” —Security manager
Prospective customer: “I couldn’t find any examples of organizations interfacing Okta with Epic, so that was one of the deciding factors against Okta. Also, Okta had no tap-and-go feature. If we were a heavily cloud-based service company, Okta would be great. They had the most visionary road map, but that road map was very cloud-centric and less geared toward an on-premises solution.” —Security VP
Now part of Cisco. Has a large presence in academic medical centers thanks to deep roots in higher education. Mostly used for MFA. Some customers also use for EPCS, and early feedback from physicians has been positive. Duo sits on top of or alongside other core IAM systems as it does not provide provisioning or governance. Seen as easy to use, and many current clients are highly satisfied. Involvement from Duo executives may be an opportunity for improvement as this is Duo’s lowest scoring indicator.
Prospective customer: “We went with Duo’s product because of the end-user experience and just how clean the application is. It is really not hard to use. Duo’s product has great functionality on our phones. We have the ability to add multiple phone numbers, which may not always be the most secure method. But if we have a work phone and a personal phone, we can get the push notification sent to whichever device we select in the drop-down menu. Doctors have the application on their phones. The application is very seamless. Doctors can get a push notification or a phone call depending on how they set things up. We will continue to leverage the system and add more multifunction capabilities as the security landscape changes.” —VP
Prospective customer: “The lack of a tap-and-go feature led us away from Duo. I did see several Epic shops that use Duo, but there were fewer examples of organizations using Duo with Epic than there were of organizations using other products. Epic really pushes for other vendors. Also, Cisco’s acquisition of Duo isn’t really a plus in my mind because most technologies tend to get worse after an acquisition.” —Security VP
Current customer: “We are very happy with Duo. Their product is fantastic. Our future with Duo is driven toward looking at what else Duo can do around multifactor authentication and identity protection with devices. I love Trusted Access. It is easy to use and has been well received and adopted by our users.” —Security manager
Has two IAM products—MIM, rated in this study, is an older on-premises solution; Azure AD is a new cloud product. Customer frustration with MIM clouds understanding of and creates hesitation toward Azure AD. MIM considered often due to Microsoft’s deep technology footprint in healthcare and is often included as part of a larger enterprise license. Some customers would like to replace but feel stuck because of how embedded Microsoft is in their organization. Known for their willingness and ability to partner with other solution providers, Microsoft recently partnered with Imprivata to augment each other’s capabilities and offer a complete suite. This has not yet surfaced in customer considerations or KLAS validations.
Prospective customer: “Microsoft has a large presence within our hospital as an incumbent, and there was some comfort in continuing that engagement with a major vendor that was on par with us. I don’t believe that Microsoft was leading the market, but they were definitely doing some innovative things. We needed to find a scalable product that could support the identities we have. We have patient users, and we have referring providers that use the same system for logging in to the referring provider portal. We had to start the search for a new authentication system. Our intent was not to replace everything.” —IT director
Prospective customer: “We looked at Microsoft’s product, but we just thought that it wasn’t enough yet. Microsoft is usually late to the party, but they usually get things right. An example of that is their Hyper-V technology with virtualization. It has come a long way and is certainly very good. I think the vendor is going to get there the same way with identity management. They are kind of building it out. The product just didn’t have everything that we needed. We were looking at it and thinking that we couldn’t see Microsoft doing the things that we could do right out of the gate with the vendor we chose.” —Security manager
Current customer: “Microsoft is a core vendor that we can’t get away from. Their software is embedded within a lot of applications. But when it comes to the nuts and bolts of supportability and having things that are usable, Microsoft just seems to be a common frustration. That is how we feel with Microsoft Identity Manager. We love and hate Microsoft at the same time.” —Manager
About This Report
Data for this report comes from two sources: (1) KLAS Decision Insights data and (2) KLAS performance data.
KLAS Decision Insights Data
All references in this report to organizations’ purchasing motivations come from KLAS’ Decision Insights data. Since 2017, KLAS has been gathering information as to which vendors are being replaced, considered, and purchased and what factors drive these decisions. KLAS Decision Insights data does not represent a comprehensive census or win/loss market share study. Rather, it is intended to help healthcare provider organizations understand which vendors have market energy and why.
KLAS Performance Data
Each year, KLAS interviews thousands of healthcare professionals about the IT products and services their organizations use. These interviews are conducted using a standard quantitative evaluation, and the scores and commentary collected are shared online in real time so that other providers and IT professionals can benefit from their peers’ experiences. To enable readers to more quickly understand high-level differences in vendor performance and give better context as to how each product compares to other offerings in the market, KLAS has organized the questions from the standard evaluation into six customer experience pillars—culture, loyalty, operations, product, relationship, and value.
The quantitative performance data in this report comes from standard evaluations and was collected over the last 12 months; the number of unique responding organizations is given in the chart on the right.
What Does “Limited Data” Mean?
Some products are used in only a small number of facilities, and some vendors are resistant to providing client lists. Thus a vendor’s sample size may not reach KLAS’ required threshold of 15 unique respondents. When a vendor’s sample size is less than 15, the score for that vendor is marked with an asterisk (*) or otherwise designated as “limited data.” If the sample size is less than 6, no score is shown. Note that when a vendor has a low number of reporting sites, the possibility exists for KLAS scores to change significantly as new surveys are collected. Overall scores are measured on a 100-point scale and represent the weighted average of several yes/no questions as well as other questions scored on a 9-point scale.
Writer
Elizabeth Pew
Designer
Jess Wallace-Simpson
Project Manager
Robert Ellis