Client Overview
The organisation is a privately held healthcare services group in South America operating five outpatient clinics and two diagnostic centres across two cities. The group employs around 600 clinical and administrative staff and runs an electronic health records system, a diagnostic imaging platform, and an administrative management system. As the group has expanded and digitalised its clinical operations, managing who has access to patient data systems has become a more pressing concern.
The Challenge
Clinicians and administrative staff accessed patient records, imaging systems, and administrative tools using separate credentials for each platform. There was no single sign-on, which clinicians found disruptive in a fast-paced clinical environment where switching between systems frequently was the norm. The group had also grown through the acquisition of two diagnostic centres, whose staff had been absorbed into the organisation but whose access to the group's central systems had been set up manually without a consistent role framework. A patient data compliance review highlighted that several accounts had broader access to patient records than was appropriate for the account holder's role, and that one account belonging to a former administrative staff member had remained active for three months after their departure.
“Clinicians having to log in separately to three different systems between patient consultations is time they don't have. And access to patient data has to be tightly controlled — we can't have people with access that isn't right for their role.”
— Chief Operating Officer
The Solution
eMudhra deployed SecurePass across all seven sites. A centralised identity directory was established, and role-based access profiles were defined for each clinical and administrative role — doctors, nurses, radiographers, administrative coordinators, and billing staff — with access scoped to the patient data and systems each role legitimately needed. SSO was configured for the EHR system, diagnostic imaging platform, and administrative management system, giving clinical staff a single authenticated session across all three tools. MFA was enabled using TOTP for all access to patient records systems. The integration with the HR system automated account provisioning for new staff and triggered deactivation on departure, addressing the former employee access gap identified in the compliance review. An access review workflow was configured to run every six months, generating reports for the compliance officer on account access alignment.
Results
The former employee account and the over-privileged accounts identified in the compliance review were addressed within the first week of deployment. Clinicians report noticeably less friction accessing systems during consultations. The bi-annual access review process has been running without manual intervention since go-live.
Metric | Before | After |
Clinician system access experience | Separate logins for EHR, imaging, admin tools | Single SSO session across all 3 clinical systems |
Over-privileged accounts resolved | Multiple accounts with excess patient data access | All aligned to role-based profiles on go-live |
Former employee access | Account active 3 months after departure | Automated deactivation on HR exit trigger |
MFA coverage — patient records | Password only; compliance gap | TOTP MFA enforced for all EHR access |
Access review process | No formal review; compliance gap noted | Bi-annual automated review reports for compliance officer |
