transforming logical access control for a hospital network


1

Transforming Logical Access Control for a Hospital Network

Session 408, March 7, 2018

Scott Ellis, Interim CISO, St. Luke’s University Health Network

Andrew Tarbox, CEO, Thornebrook, LLC

2

Scott Ellis, CISSP, HCISPP, PCIP

Andrew Tarbox, B.S.

Have no real or apparent conflicts of interest to report.

Conflict of Interest

3

Agenda

• St. Luke’s Then and Now

• Access Control System Goals

• Identity Management Overview

• IDAM is a Program not a Project

• Strategy and Approach

• Lessons Learned

• Round Table Discussions

4

Learning Objectives

• Analyze the time and budget required to transform a hospital system to automated access control

• Explain the value of a hybrid access control model using both Role Based and Attribute Based Access Control (RBAC + ABAC)

• Perform an analysis of the number, type and access requirements of the organization’s applications

• Illustrate a methodology to build a comprehensive organizational chart and reporting structure

• Discuss the differences between job titles and access roles and attributes

5

Transforming Logical Access Control

for a Hospital Network

HIMSS 2018

6

Proud Heritage at St. Luke’s

• Founded March 1872

• Oldest Nursing School in the Country - Established 1884

7

St. Luke’s Today

• 7 Major Campuses - Acquiring 2 more Hospitals in early 2018

• 350 Locations, 14,000+ Staff, 1,000+ Students – Full Teaching Hospital

• St. Luke's is a Stage 7 HIMSS Analytics EMR Adoption Model hospital

• Covering Eastern Pennsylvania and Western New Jersey

8

Staffing by Major Groups (chart: Clinical, Admin, Education)

9

Headcount by General Ledger Coding (chart: Campuses, Admin - IT, St Luke’s Physicians Group)

10

Access Control System Goals

• Improved Security

• Privacy Enhancing

• Easier To Use

• More Efficient

• Cost Effective

11

Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

Identity and Access Management (diagram)

Authentication

• Single Sign On

• Password Services

• Multi Factor Authentication

• Device Management

Authorization

• Role & Attribute Based Access

• Provisioning

• Audit and Review

User Management

• Delegated Administration

• User and Role Management

• Provisioning

• Password Management

Central User Repository

• Integration directly to Workday

• Organized Directory

• Data Synchronization

• Link with applications and systems

Source: The Hong Kong Polytechnic University

12

Benefits of Identity and Access Management

• 95% increase in productivity in account activity

• One username and password - Extends SSO capability to software, cloud services, web and virtual applications

• 80% reduction in security risk caused by unmanaged user access

• Clearly defined and segregated business roles

• Proactive and secure response to BYOD access to the network

• Increased visibility and clarity into change control process

• Improved Audit and Compliance

13

IDAM is a Program not a Project

• Impacts EVERYONE – A Corporate Program

• As much a business change as a technical change

– This is not an IT Program

– Involve Stakeholders across the organization - Our Governance Committee meets monthly

– Inform and continually advise senior management

• Implementing a full IDAM system is a journey

• Time is our friend

– Seeking quick results can lead to disaster

• Think of this as a sweeping program

– With a number of significant projects

14

Program Timeline

• Estimated Three Year Program

• Four Major Phases

– Planning and Preparation

– Deployment

• Epic – A Separate Project Within Deployment

– Optimize

– Maintenance

(Gantt chart: Plan & Prep, Deploy, Optimize and Maintenance laid out month by month from June 2017 through December 2019)

15

5 Year Budget

Identity, Access Management, Governance Software: $750,000

Staff Realignment – 10 people @ $90K/year (fully loaded): -$4,500,000

Savings: $3,750,000

16

Deployment Process (diagram: Learn → Policy → Pilot → Deploy → Evaluate, with Advise alongside; tracks can be overlapped)

Source: Thornebrook Associates

17

Waterfall vs Agile

• It’s a moving target

• You will never know enough to write the plan

• Gather the data

• Go with the flow

• Demonstrate Success

• Know the end goal

• Optimize later

18

RBAC / ABAC Hybrid Solution

• Roles are not enough

– Roles alone will yield thousands of roles

• You also need attributes

– Location

– Certifications

– Department

• Role + Attributes = Manageable Access Control

19

Determining Roles is a Challenge

• Job Profiles are a bit of a mess

– Cleanup under way by HR

– Mixed Job Profile with other Attributes

• General Ledger Codes plus attributes cleaner

– Location(s)

– Supervisor(s)

– Options from Supervisor
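The two slides above argue that a role derived from the General Ledger code, refined by attributes such as location, department and certifications, keeps access manageable where roles alone would multiply into thousands. The following is an added example (not St. Luke’s or Thornebrook’s code) of that hybrid evaluation; the GL codes, applications, users and the "Main" location are constructed, while "RN", "Warren" and "Oncology" come from the slides.

```python
"""Hybrid RBAC + ABAC evaluation: role from the HR cost-center (GL) code,
attributes refine what the role grants. All data here is constructed."""
from dataclasses import dataclass, field

# Constructed GL cost-center code -> access role (assumption, not SLUHN's real codes)
GL_CODE_TO_ROLE = {"6100": "RN", "6200": "RN", "7300": "UNIT_CLERK", "9100": "IT_ANALYST"}

@dataclass(frozen=True)
class User:
    name: str
    gl_code: str
    location: str
    department: str
    certifications: frozenset = field(default_factory=frozenset)

# (role, required attribute conditions, applications granted).
# An empty condition dict means the grant applies to every holder of the role.
RULES = [
    ("RN", {}, {"EMR_CLINICAL", "EMAIL"}),
    ("RN", {"department": "Oncology"}, {"CHEMO_ORDERING"}),
    ("RN", {"certifications": "ACLS"}, {"CODE_CART_MODULE"}),
    ("RN", {"location": "Warren"}, {"WARREN_BADGE_SYSTEM"}),
    ("UNIT_CLERK", {}, {"EMAIL", "SCHEDULING"}),
    ("IT_ANALYST", {}, {"EMAIL", "SERVICE_DESK"}),
]

def _matches(user: User, cond: dict) -> bool:
    """Set-valued attributes (certifications) match on membership, scalars on equality."""
    for attr, want in cond.items():
        have = getattr(user, attr)
        if not (want in have if isinstance(have, frozenset) else have == want):
            return False
    return True

def effective_access(user: User) -> set:
    """Resolve the role from the GL code, then add every attribute rule that applies."""
    role = GL_CODE_TO_ROLE.get(user.gl_code)
    if role is None:
        return set()  # unknown cost center: grant nothing, leave it for HR cleanup
    apps = set()
    for rule_role, cond, grant in RULES:
        if rule_role == role and _matches(user, cond):
            apps |= grant
    return apps

def pure_rbac_role_count(roles, locations, departments, certs) -> int:
    """Roles a roles-only model needs for the same policy: one per
    (role, location, department, certification subset) combination."""
    return len(roles) * len(locations) * len(departments) * 2 ** len(certs)
```

With three roles, two locations, two departments and two certifications, `pure_rbac_role_count` already needs 48 roles, while the hybrid policy above is six rules.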

20

We will apply lessons learned early from simple small departments to more complex and larger departments later in the deployment.

Simple to Complex Access (diagram: RN → Warren → Oncology → Internal Epic Attributes; Small to Large Groups; Maintenance)

21

Current Access Request Methods

Users                            Requester                     Process
Employees - SLUHN                Any Manager                   ServiceNow Onboarding Form
Employees - SLPG                 Any Manager                   Web Form/Paper Process
Non-Employed Credentialed Staff  Medical Affairs               Paper Process
Contractors                      Any Manager                   Paper Process
Volunteers                       Volunteer Services            Paper Process
Students                         Dept of Medical Education, Nursing Services, Volunteer Services, Physician Services, and Medical Affairs   Paper Process
Community Referring Physicians   Medical Affairs               Paper Process
Vendors                          Any Manager                   Paper Process

22

Fine Grained Access Control

• Many Applications have access control within the application – Fine Grained Control

– Epic, MSCM, Finance, ServiceNow

• Where possible – do this in the optimization phase

– Time consuming

– Requires connectors and more

– May require a lot of input from Managers

• The Big Apps have a small team managing the App

– Lots of nuances and exceptions

23

Lessons learned – So Far

• Take time to understand and plan

– Know the adversary – Lack of Knowledge

• HR will not solve the Role Challenge

• One Source of Truth but many Authoritative Sources

– Workday – HR System is our Source of Truth

– Epic, Echo, Active Directory, ServiceNow and more have important data

• If Possible, One Unique Identity per Person

• Meet Face to Face with Application Owners

• Meet Face to Face with Department Managers

24

Round Table Discussion

25

Source of Truth & Authoritative Sources

• Source of Truth – HR System – Workday

– Job Title

– Cost Center

– Supervisor

• Authoritative Sources

– Epic

– Echo

– ServiceNow

– Active Directory
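The Lessons Learned slide and the slide above draw the same distinction: Workday is the one source of truth for who exists and what their job title, cost center and supervisor are, while Epic, Echo, ServiceNow and Active Directory are authoritative only for the accounts they own, and the goal is one unique identity per person. The following is an added example (not St. Luke’s code) of reconciling those sources into one identity per worker and surfacing the accounts that the HR record does not explain; every worker, account and system extract is constructed.

```python
"""One identity per person: Workday decides who exists, each authoritative
source contributes only its own accounts. All records are constructed."""
from dataclasses import dataclass, field

# Constructed Workday extract (source of truth): worker id -> HR attributes from the slide
WORKDAY = {
    "W1001": {"title": "Registered Nurse", "cost_center": "6100", "supervisor": "W1005", "active": True},
    "W1002": {"title": "Unit Clerk", "cost_center": "7300", "supervisor": "W1005", "active": False},
    "W1005": {"title": "Nurse Manager", "cost_center": "6100", "supervisor": None, "active": True},
}

# Constructed account extracts: (system, account id, worker id the account claims, or None)
ACCOUNTS = [
    ("ActiveDirectory", "anurse", "W1001"),
    ("Epic", "ANURSE1", "W1001"),
    ("ServiceNow", "a.nurse", "W1001"),
    ("ActiveDirectory", "bclerk", "W1002"),    # worker terminated in Workday, account still exists
    ("ActiveDirectory", "vendor_tmp", None),   # no HR record behind it at all
    ("Epic", "CMGR", "W1005"),
]

@dataclass
class Identity:
    worker_id: str
    hr: dict
    accounts: dict = field(default_factory=dict)  # system -> account id

def reconcile(workday, accounts):
    """Return (identities keyed by worker id, findings). Findings are the
    unmanaged-access cases an IAM review should drive to zero."""
    identities = {wid: Identity(wid, hr) for wid, hr in workday.items()}
    findings = []
    for system, acct, wid in accounts:
        if wid is None or wid not in identities:
            findings.append(("ORPHAN_ACCOUNT", system, acct))  # nobody in HR owns it
            continue
        ident = identities[wid]
        if not ident.hr["active"]:
            findings.append(("ACTIVE_ACCOUNT_FOR_TERMINATED", system, acct))
        if system in ident.accounts:
            findings.append(("DUPLICATE_ACCOUNT", system, acct))  # breaks one identity per person
        else:
            ident.accounts[system] = acct
    return identities, findings
```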

26

Strategy - Empowering Managers

• Managers are the front line to success

• Follows the current model and process

– Current 5 page online form to select applications for their staff

– In the future much shorter – only options that are relevant

• Managers know what their staff needs

– Default applications that fit the role and attributes

– Select other applications that are options for that department

• Managers will attest to access requirements

– Periodically

27

246 Major Applications to Migrate, 250+ Unknown Applications (chart: Level 1 – Most Critical)

Source: St. Luke’s Internal Data

Do you know what applications you have?

How many to support automatically?

28

How will you Approach IAM?

• Business change or IT

• Project or Program

• How Long will it take

29

What are your Goals?

• Improved Security

• Privacy Enhancing

• Easier To Use

• More Efficient

• Cost Effective

30

Scott Ellis

Interim CISO

St. Luke’s University Health Network

scott.ellis@sluhn.org

Andrew Tarbox

CEO

Thornebrook, LLC

awt@thornebrook.com

Mobile 518-301-0731
