Securing Access of Health Information Using Identity Management

Steve Whicker
Manager – Security Compliance
HIPAA Security Officer
AHIS – Central Region
St Vincent Health
[email protected]

Chris Bidleman
Director of Healthcare
Novell, Inc
[email protected]

© Novell, Inc. All rights reserved.

Healthcare Industry Themes for 2010

• Reduce healthcare costs: Surveys indicate HIT budgets will stay the same or slightly increase, but CIOs will still look for ways to save money. IT departments are still resource constrained.

• Deal with the aftermath of healthcare reform: New regulations, incentives to adopt electronic health records, and changes in reporting, breach notification and audits, plus higher violation fines. Achieve Meaningful Use criteria.

• Expanded use of Health IT: HITECH and Meaningful Use guidelines will drive HIT adoption; with it will come a focus on the privacy and security of protected health information (PHI) through encrypting data, role-based access controls, and audit trails.

• More communication between patient and provider: Incentives for expanded preventative medicine programs will require more electronic communication with patients and families, secure exchange of health data (e.g. patient, doctor, referrals, public health orgs), and better patient identification.


Meaningful Use Criteria – Stage 1 (starting January 1, 2011, from CMS-0033-P)

• Improve quality, safety, efficiency, and reduce health disparities
• Engage patients and families in their health care
• Improve care coordination
• Improve population and public health
• Ensure adequate privacy and security protections for personal health information (PHI)


Today, who typically cares about Identity and Access Management?

• Chief Information Officer (CIO)
• Director of Infrastructures
• Network/Server Manager
• IT Security
• Application Administrators


With ARRA and Meaningful Use — Who SHOULD care about Identity and Access Management?

• Application owners
• Audit committee
• Lines of Business owners
• Director of Applications
• Chief Executive Officer (CEO)
• Chief Financial Officer (CFO)
• Chief Information Officer (CIO)
• Chief Technology Officer (CTO)
• Chief Operating Officer (COO)
• Chief Medical Information Officer (CMIO)
• Chief Information Security Officer (CISO)
• Chief Nursing Officer (CNO)
• Corporate Controller
• Internal Audit Director
• Operations VP
• HIPAA/Compliance Security Director/Officer
• Many others…


Today's Speaker

Steve Whicker
Manager – Security Compliance
HIPAA Security Officer
AHIS – Central Region
St Vincent Health
[email protected]


Identity Management Goals at St. Vincent Health

• Enable regulatory compliance (HIPAA) and internal controls in Information Systems (IS) security processes
• Reduce operating costs through user account provisioning (process automation) and sharing common infrastructure components
• Decrease corporate exposure by reducing the risk of unauthorized access to data & automating enforcement of security policy
• Improve associate satisfaction by automating online Human Resources (HR) benefits management
• Improve data integrity by decreasing duplicative identity data stores and manual data entry processes
• Improve the quality of services provided by IS


St. Vincent Health's Identity Management Drivers

Regulatory Compliance
• HIPAA
  – Unique user identification requirements
  – Access control requirements
  – Auditing requirements
  – Minimum necessary requirements

Security
• Enterprise Role-based Access Control (RBAC) model
• Auditing / Reporting
• Automate manual security policies
• Automate identity management (Create, Modify, Delete)
• Automate role-based access control
• Automate workflow approval, denial

Efficiency / Cost
• Reduce manual admin via automated account provisioning
• Manage online HR benefits
• Set up foundation for expanded services
• Improve data accuracy
• Leverage current investments
• Provide password reset self-service


Where We Started (July 2005)

• Four separate networks (Indianapolis, Frankfort, Anderson, Kokomo)

• Two separate and overlapping access request processes for identity and access management (ID Request & IS Request) made it difficult to centrally manage the access requests and change logs

• Identity creation and management was a manual process

• No centralized process to document request completion

• No formal validation process to verify the authenticity of requesting manager

• Multiple touch points (Network Administrator and Application support personnel) for creation of Login ID for an individual user

• De-provisioning process was not consistently followed

• No user entitlement matrix existed


Our Identity Management Roadmap

Workstreams (roadmap swimlanes):
• Governance, Organizational Change Management and Communication
• Enhanced Provisioning Design and Implementation
• Directory Infrastructure Readiness
• Role Based Provisioning Design and Implementation
• Auditing and Reporting
• Business and Ongoing Support

Roadmap activities:
• Implement Universal Password
• Upgrade Existing Drivers to IdM2
• Enable Bi-Directional Creates
• Upgrade NT Domains to AD
• Consolidate File Services Trees
• Identify Audit Needs
• Design Auditing and Reporting
• Audit Logging (enable real-time logging with appropriate systems)
• Implement Audit
• Document Identity Management Requirements
• Design Enhanced Identity Management
• Enhance Existing Connectors and Implement
• Implement PeopleSoft Connector
• Document Web based Provisioning Workflow Requirements
• Design Web based Provisioning Workflow
• Implement Web Based Provisioning Workflow
• Implement Password Self Service
• Provision users to additional systems
• Document Role based provisioning requirements
• Role Definition and Mapping
• Design Role based provisioning
• Implement Role based access and provisioning
• Skill Assessment
• Process Analysis and Design
• Skills Development and Training
• Ongoing Maintenance and Support


Identity and Request Management Portal

(Architecture diagram.) The IDV identity vault, fronted by the Identity Management Portal, is connected to: IND1, STVLDAP, National AD / Exchange (STVNET), Vistar, STVI, and the BizTalk data warehouse. The connected systems are labelled as Windows platforms.


Hiring Process

Swimlanes: Non-System Processes | PeopleSoft HRMS | Workflow Processes | eDirectory™ (IDV) | eDirectory (STVI & SVHLDAP) | Active Directory (IND1) | Active Directory (STVNET) | Other Applications

1. HR/manager is notified of new hire (associate / non-associate). [Start 1]
2. HR/manager enters hire data into PS (associate / non-associate).
3. All required attributes are available and the PeopleSoft effective date has transpired.
4. Is this a new Identity? Yes → step 5a; No → step 5b.
5a. Identity Manager determines unique Login ID.
5b. Go to Modify Users Process Box #4.
6. Identity Manager creates and places the Identity.
7. PeopleSoft is updated with Login ID & email address.
8a. Identity Manager creates Identity in STVI.
8b. Identity Manager creates Identity in SVHLDAP.
9. Identity Manager creates Identity in IND1.
10. Identity Manager creates Identity in STVNET.
11. Identity Manager emails manager of new hire.
12. Go to Modify Users Process Box #10b.
13. Identity Manager generates workflow & email notification for default applications per rules.

The following steps are performed for each application requested:

14. WF approved by approver? Yes for connected system → step 15a; Yes for non-connected system → step 15b.
15a. Create new user account automatically.
15b. Application support checks queue.
16. Application support determines access rights.
17. Application support creates Identity and access rights.
18. Application support approves WF.
19. Workflow generates email notifications.
20. User and Manager receive notification that the application has been granted.

Manager requests additional Apps via WF.
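Steps 3 through 10 of the hiring process, as an added example (not code from the deck or from Novell Identity Manager): the PeopleSoft record is checked for the readiness conditions of step 3, matched against a constructed identity vault keyed on the employee ID to answer step 4, and a unique Login ID is generated for step 5a with collision handling. The first-initial-plus-surname naming rule, the field names, the e-mail domain and the sample records are all assumptions.

```python
import unicodedata
from datetime import date

# Attributes step 3 requires before Identity Manager acts (assumed field names).
REQUIRED = ("emplid", "first", "last", "effective_date", "hire_type")
# Connected systems that receive the new identity (steps 8a-10 on the slide).
TARGETS = ("STVI", "SVHLDAP", "IND1", "STVNET")

def hr_record_ready(rec, today):
    """Step 3: every required attribute is present and the effective date has passed."""
    return all(rec.get(k) for k in REQUIRED) and rec["effective_date"] <= today

def _ascii(s):
    # Fold accents so a name such as "José Núñez" still yields a plain-ASCII login.
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode().lower()

def unique_login(first, last, taken):
    """Step 5a: first initial + surname, numeric suffix on collision (naming rule assumed)."""
    base = (_ascii(first)[:1] + _ascii(last).replace(" ", ""))[:8] or "user"
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate

def process_hire(rec, today, vault, taken):
    """Steps 3-10 for one PeopleSoft hire record.
    vault: {emplid: {"login": ...}} - the identity vault (IDV on the slide).
    taken: set of login IDs already used anywhere in the connected systems.
    Returns the action Identity Manager would take; mutates vault/taken on create."""
    if not hr_record_ready(rec, today):
        return {"action": "wait"}                     # step 3 not yet satisfied
    existing = vault.get(rec["emplid"])
    if existing:                                      # step 4 = No: Modify Users process
        return {"action": "modify", "login": existing["login"]}
    login = unique_login(rec["first"], rec["last"], taken)   # step 5a
    taken.add(login)
    vault[rec["emplid"]] = {"login": login, "emplid": rec["emplid"]}  # step 6
    return {"action": "create", "login": login,
            "email": f"{login}@example.org",          # step 7 (domain assumed)
            "targets": list(TARGETS)}                 # steps 8a-10

def demo():
    # Constructed sample data: one identity already in the vault, two logins in use.
    vault = {"100042": {"login": "mjones", "emplid": "100042"}}
    taken = {"mjones", "jsmith"}
    today = date(2010, 3, 1)
    hires = [
        {"emplid": "100077", "first": "John", "last": "Smith",
         "effective_date": date(2010, 2, 28), "hire_type": "associate"},
        {"emplid": "100042", "first": "Mary", "last": "Jones",
         "effective_date": date(2010, 2, 1), "hire_type": "associate"},
        {"emplid": "100099", "first": "Ana", "last": "Lee",
         "effective_date": date(2010, 3, 15), "hire_type": "non-associate"},
    ]
    return [process_hire(h, today, vault, taken) for h in hires]
```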


Termination Process

Swimlanes: Non-System Processes | PeopleSoft HRMS | Workflow Processes | eDirectory™ (IDV) | eDirectory (STVI & SVHLDAP) | Active Directory (IND1) | Active Directory (STVNET) | Other Applications

1. Manager is notified of a termination event for associate or non-associate. [Start 1]
1b. HR Service Center is notified of termination event for associate or non-associate. [Start 2]
1c. Termination is initiated through VISTAR feed. [Start 3]
2. Data is entered into PeopleSoft HRMS.
3. IDM updates user data in IDV, disables the account & moves the user to the inactive container.
4a. Is this a no-show hire? Yes → step 5.
4b. Routes termination WF request to all app security admin(s).
5. Server team is email-notified that the user never showed up for work; research is done, and accounts may be deleted manually instead of just disabled automatically.
6. IDM updates user data in STVI, disables the account & moves the user to the inactive container.
7. IDM disables GroupWise user and sets visibility to none.
8. IDM updates user data in IND1, disables the account & moves the user to the inactive container.
9. IDM deletes user account in STVNET.
10. IDM deletes user account in SVHLDAP.
11. All application support admin(s) are notified via email of a termination workflow task to be completed after they disable or delete the account.
13. Application support admins disable/delete user manually in other application(s).
13. Application Support approves WF.
14. Workflow generates email notifications.
15. Manager receives notification.
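A reconciliation check for the termination process above, added here as an example (not from the deck or from Novell IDM): it compares a snapshot of accounts in the connected systems with HR status and reports every account the automated steps (3, 6 through 10) should have disabled, moved or deleted but did not, plus accounts with no HR record at all. The expected end state per system follows the slide; the Account fields, status values and sample records are constructed.

```python
from dataclasses import dataclass

# Expected end state per connected system after the termination process:
# disable_move = disabled and moved to the inactive container (steps 3, 6, 8),
# disable = disabled only (step 7, GroupWise), delete = object removed (steps 9, 10).
EXPECTED_STATE = {
    "IDV": "disable_move", "STVI": "disable_move", "IND1": "disable_move",
    "GroupWise": "disable", "STVNET": "delete", "SVHLDAP": "delete",
}

@dataclass(frozen=True)
class Account:
    system: str
    login: str
    enabled: bool
    container: str   # "active" or "inactive"

def reconcile(hr_status, accounts):
    """Compare a directory snapshot with HR status and return audit findings.
    hr_status: {login: "active" | "terminated"} from PeopleSoft, the system of record.
    accounts:  Account records exported from each connected (or other) system.
    Returns a sorted list of (login, system, finding) tuples."""
    findings = []
    for a in accounts:
        status = hr_status.get(a.login)
        if status is None:
            # Step 2 makes HR the source of every identity; an account with no
            # HR record bypassed that path and has no validated owner.
            findings.append((a.login, a.system, "no HR record"))
            continue
        if status != "terminated":
            continue
        expected = EXPECTED_STATE.get(a.system, "manual")   # other apps: step 13
        if expected == "delete":
            findings.append((a.login, a.system, "should be deleted"))
        elif a.enabled:
            findings.append((a.login, a.system, "still enabled"))
        elif expected == "disable_move" and a.container != "inactive":
            findings.append((a.login, a.system, "not moved to inactive container"))
    return sorted(findings)

# Constructed sample data: two terminated users, one active user, and one account
# that never went through PeopleSoft.
SAMPLE_HR = {"jdoe": "terminated", "asmith": "terminated", "bkim": "active"}
SAMPLE_ACCOUNTS = [
    Account("IDV", "jdoe", False, "inactive"),       # fully processed
    Account("STVNET", "jdoe", False, "inactive"),    # disabled, but should be gone
    Account("IND1", "asmith", True, "active"),       # automation missed it
    Account("STVI", "asmith", False, "active"),      # disabled, not moved
    Account("LabSystem", "asmith", True, "active"),  # non-connected: manual task open
    Account("IDV", "bkim", True, "active"),          # active employee, fine
    Account("STVI", "ghost", True, "active"),        # no HR record at all
]

def run_audit():
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS)
```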


Other Processes Handled

• Renames (Name Changes)

• Business Unit Changes

• User Data Changes


Automated Escalation Process Ensures Customer Requests Are Not Lost

Initiated by Manager to grant an application for an End User (Start). Could take up to 6 days.

• Application Owner (days 1–2): Approved * → Entitlement is granted → Finished; Denied → logged; Time Out → escalate to Owner's Mgr
• Escalate to Owner's Mgr (days 3–4): Approved * → Entitlement is granted → Finished; Denied → logged; Time Out → 2nd escalation
• 2nd Escalation to Owner's Mgr (days 5–6): Approved * → Entitlement is granted → Finished; Denied → logged; Time Out

IDM keeps a log for all denied activities.

* indicates completion of work
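The escalation timers above as a small state machine, added here as an example (not the deck's or Novell's code): each approver holds the request for a two-day window, a time-out moves it to the next approver, approvals grant the entitlement and denials are written to a log. The slide does not say what happens after the third time-out, so closing the request as "expired" at that point is an assumption, as are the names and the sample scenario.

```python
from dataclasses import dataclass, field

STAGE_DAYS = 2   # each approver has a two-day window before the request times out
STAGES = ("Application Owner", "Owner's Mgr", "2nd Escalation to Owner's Mgr")

@dataclass
class Request:
    requester: str           # the manager who initiated the request
    end_user: str
    application: str
    stage: int = 0           # index into STAGES
    stage_started: int = 0   # last day of the previous window (0 = day submitted)
    state: str = "pending"   # pending | granted | denied | expired
    denied_log: list = field(default_factory=list)   # IDM log of denied activities
    escalations: list = field(default_factory=list)  # (first day of window, approver)

def advance_clock(req, day):
    """Apply every 'Time Out' that has elapsed by `day`, escalating one stage each."""
    while req.state == "pending" and day - req.stage_started > STAGE_DAYS:
        if req.stage + 1 < len(STAGES):
            req.stage += 1
            req.stage_started += STAGE_DAYS
            req.escalations.append((req.stage_started + 1, STAGES[req.stage]))
        else:
            # Assumption: the slide ends at the third time-out, so the request is
            # closed as expired here rather than left open indefinitely.
            req.state = "expired"
    return req

def decide(req, day, approver, approved):
    """Record an approval or denial by the approver who currently holds the request."""
    advance_clock(req, day)
    if req.state != "pending":
        return req
    if approver != STAGES[req.stage]:
        raise PermissionError(f"{approver} is not the current approver ({STAGES[req.stage]})")
    if approved:
        req.state = "granted"    # Approved * -> entitlement is granted -> finished
    else:
        req.state = "denied"
        req.denied_log.append((day, approver, req.end_user, req.application))
    return req

def max_days():
    return STAGE_DAYS * len(STAGES)   # "Could take up to 6 days"

def demo():
    # Constructed scenario: the application owner never answers; the owner's
    # manager approves on day 3, after the first escalation.
    req = Request("mgr.brown", "jdoe", "LabSystem")
    decide(req, 3, "Owner's Mgr", True)
    return req.state, req.escalations
```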


Self-Service Password Reset

• Provides users the ability to reset their own password anytime, anywhere

– At work

– At home on portals

• Reduces Helpdesk calls

• Provides for positive validation of user identity through “Challenge and Response” Questions

• Easily integrates with current systems


Lessons Learned

• Know and thoroughly document your environment
• Assume nothing (verify things actually work as advertised)
• Understand the organization's business processes
  – Talk to the users and understand yours and their business processes
• Cooperation and involvement of Human Resources is vital
• Have a viable test environment
• Be prepared for problems


What’s Next?

• Install the Roles and Provisioning Module

– Upgraded version of the User Application (Self-service portal)

• Role Based Provisioning Design and Implementation


Novell – Three Solution Areas
Helping Healthcare Providers give users simple, secure access while safeguarding patient information

Data Center – Lower Costs
• SUSE Linux Enterprise
• Virtualization
• Intelligent Workload Management
• Business Service Management

End-User Computing – Secure Assets
• SUSE Linux Desktop
• Endpoint Management
• Manage and Secure servers and desktops
• Secure Social Collaboration Tools

Identity and Security – Protect Data
• Compliance Management
• Access Governance
• Identity Management
• Single Sign-on
• Security Management


Novell Solutions For Key HITECH Security Issues

Issue: Impermissible uses and disclosures of protected health information (PHI)
Novell Product Solution: Novell Compliance Management Platform (CMP) provides identity management, audit reporting, and web access control to network resources

Issue: Lack of safeguards for protected health information, such as logging and monitoring to detect suspicious system activities
Novell Product Solution: Novell SecureLogin (NSL) provides enterprise single sign-on and fast user switching for shared workstations. Novell Sentinel can provide real-time auditing, monitoring and remediation of user access to PHI with a powerful correlation engine

Issue: Enhance role-based access control based on the minimum necessary principle
Novell Product Solution: Novell Access Governance Suite (AGS) can manage roles and security policies as well as access certification. Novell Identity Manager (IDM) can provision/deprovision resources based on roles and provide self-service and workflow.

Issue: Breach notification procedure updates with monitoring and reporting
Novell Product Solution: Novell Sentinel Log Manager can store and analyze who had access to what, when, where and how for all connected devices and apps

Issue: Encryption of mobile devices and other data sources storing PHI, plus reducing data leakage
Novell Product Solution: Novell ZENworks Endpoint Management solutions can secure devices including USB ports, encrypt data, provide application virtualization and patch management, and make upgrades easy (e.g. Windows 7)


Questions?


For More Information

www.himss.org/EconomicStimulus/ - HITECH and MU

www.novell.com/healthcare - Healthcare Solutions

www.novell.com/singlesignonforhealthcare - SSO

www.novell.com/identity - Identity Management

www.novell.com/success - Case Studies


Making IT work as One


Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.