Mississippi Division of Medicaid leaps into modernized data access management

The Mississippi Division of Medicaid (MS DOM) supports low-income and vulnerable Mississippi residents with access to quality healthcare. With privacy and confidentiality as its watchwords, the state works tirelessly to keep member records safe. But in the past, striking a balance between maintaining confidentiality and granting certain agencies and partners access to user records appropriately was a formidable task—and an added difficulty for a state agency with aging technology. In 2020, at the height of the pandemic, MS DOM found the technology it needed to automate access to an ever-changing rotation of external agencies and individuals, by creating access packages using the entitlement management feature in Microsoft Azure Active Directory (Azure AD) Identity Governance. 

Putting member data privacy first 

MS DOM manages the personally identifiable information (PII) for more than 840,000 Mississippians receiving healthcare through the Medicaid program. MS DOM is responsible for sharing files and records through email and a variety of legacy file sharing tools with more than 300 affiliated agencies, healthcare organizations, and other entities. It has around 1,100 employees between the head office in Jackson and 30 regional offices scattered around the state to service their Medicaid members. 

Sally Harrison, Workplace Modernization Consultant at the Mississippi Division of Medicaid, recounts the complex needs—and frustrations—of managing file sharing and governing access with outdated technology that operated as unintelligent gateways to sensitive data. “When we granted an individual access to our legacy tools, we worried that their access might continue if they left the organization,” she explains. “And organizations would often request access using shared mailboxes that limited our visibility into who actually accessed the information, whether they accessed it from home computers, or whether they printed or forwarded the data.” 

Managing that sensitive information is further complicated by the need to comply with regular audits by a multitude of oversight agencies such as the IRS, the Social Security Administration, the Mississippi Office of the State Auditor, and the Centers for Medicare and Medicaid Services (CMS). “With the almost continual audits healthcare agencies need to respond to, we needed a better way to control access that would remove much of the day-to-day burden from our team,” adds Harrison. 

Her team created a technology roadmap that called for upgrading the organization from Windows 7 to Windows 10 and managing identity with Azure AD, part of Microsoft Entra. Some parts of MS DOM had limited connectivity, making the Division’s technology upgrade roadmap even more urgent. The department’s successes—it replaced faltering remote desktop technology with Microsoft Remote Desktop Services (RDS) in 2018—helped set the stage for remote work when COVID-19 hastened modernization plans. 

Re-inventing identity and access management with Azure AD Identity Governance

Although the state procurement process can sometimes take more than a year, in mid-2020 MS DOM received the funding it needed to fast-track its plans and make the leap to a modernized data access management solution. MS DOM had its work cut out for it. “We found ourselves in a bad spot,” Harrison recalls. “We were still on Office 2010, Windows 7, and Window Server 2008.” The organization made a rapid switch from tower-format desktop devices running outdated operating systems to new laptops. Harrison states, “Our Windows 10 and Microsoft 365 deployment was a huge leap forward. We made enormous progress, just setting up new automations and workflows that we didn't have before."

As it planned a new day in access management for the organization, the MS DOM IT team immediately identified Microsoft as its solution provider. “We wanted as much as possible under the Microsoft umbrella,” declares Harrison. “We had been trying for years to simplify our technology portfolio, including our software.” 

Her team worked with the Microsoft support team to roll out Azure AD features such as access packages, automating access for the lifetime of a file or folder with a one-time setup of policies and resources. “Using Azure AD Identity Governance to limit and control access was a game-changer for us,” says Harrison. “We can be hands-on as much as we need to, but the system does the work for us after we set the policies.” With more than 300 guest accounts for external entities, IT teams faced a daunting workload: managing frequent access requests alongside terminating access on schedule.

Harrison reasoned that the experts on who should have access to information should also be the ones to control access, not the IT team. “Now the responsibility is on the owner of the data,” she explains. “Using the access package feature in Azure AD gives them the control that they need while allowing IT to focus on the work that other departments need us to do.” That capability is a natural pairing with Azure AD External Identities, part of Microsoft Entra, a feature that organizations can use to share applications with users from external entities without exposing data to risk. “Azure AD External Identities is an enormous benefit to us because it ties the guest accounts to their email accounts at their organizations for automated management,” adds Harrison. “Adding that capability to access packages has been a dramatic improvement for us.”

MS DOM was also able to simplify its file sharing challenges. For auditing purposes, partners like UnitedHealthcare Community Plan, Magnolia Health, and Molina Healthcare are required periodically to give reports to MS DOM, some of which can reach volumes of 150 or so per folder. The MS DOM IT team set up a cloud-based drive where they store folders governed by access packages. “We can use access packages to safely share large files more safely and securely, with varying approval levels and time-delineated access,” says Harrison.

Empowering value and efficiency everywhere

After longtime aspirations to modernize the MS DOM IT estate, Harrison is gratified by the employee enthusiasm sparked by the transformation. “People are excited by the technology,” she says. “They are thrilled to use modern devices and collaborate with Microsoft 365 apps like Microsoft Teams. Employees outside of our IT team are keeping up with the Microsoft roadmap and ask me about the other cool innovations they cannot wait to use.”

Most of all, she appreciates the peace of mind the team enjoys with the automation that frees them to concentrate on value-added activities. “We have about 1,100 employees in MS DOM,” she says. “We’ve erased an enormous amount of IT overhead that stems from creating and terminating accounts due to employee turnover now that we use the automation capabilities in Azure AD.” MS DOM’s movement away from its inefficient on-premises active directory has been a tremendous time saver. Invaluable during COVID-19, those capabilities were also the beginning of big productivity gains. The IT team now uses run books to assign rights to data based on job title, for example. “We were so reactive for so long,” adds Harrison. “With old technology, it was always a struggle. We are finally able to be proactive, and we can field some of those complex requests from the business side of our organization.”

Harrison is clear about what—and who—is most important. “We’re very concerned about the privacy of the people we serve,” she concludes. “Our new Microsoft landscape gives us a lot of confidence about our data privacy and security.”

Find out more about Mississippi Division of Medicaid on Twitter, Facebook, and LinkedIn.