IBM Tivoli Identity and Access Assurance for healthcare
White paper, June 2009
Contents

- Introduction
- The healthcare challenge
- Requirements for a healthcare identity and access assurance solution
- Tivoli Identity and Access Assurance for healthcare
- For more information
- About Tivoli software from IBM

Introduction

Providers are rapidly deploying electronic medical records and computerized physician order entry (CPOE), which is driving demand for clinical applications and IT infrastructure security. Public interest and government regulations, such as the European Directive on Data Privacy, HIPAA, and French decree number , require providers to be vigilant about who accesses systems and for what purpose, putting more pressure on providers. IBM Tivoli Identity and Access Assurance helps healthcare providers comply with regulations while dramatically improving productivity, with features such as secure unified single sign-on, session management for quick clinician access to systems on shared workstations, and user compliance auditing.

The healthcare challenge

Regulations now require that users sign on to access electronic protected health information (ePHI) with their own credentials, that all access be logged, and that applications log out after a period of inactivity, all in an effort to minimize unauthorized access. These policies can slow access to patient records, impact caregiver productivity, and impede quality of care. As clinicians typically roam from workstation to workstation, frequent sign-ons and sign-offs further reduce clinical efficiency. It is critical for caregivers to have convenient access to patient records, but with an increasing number of clinical applications and access points, as well as the need for interoperability, the healthcare industry is struggling to balance access with increased compliance requirements.

Healthcare providers need a comprehensive solution that helps make sure the right users have access to the right patient record in a timely manner, providing comprehensive identity management, access management, and user compliance auditing at affordable operational costs.

Healthcare providers need a comprehensive identity and access solution that improves clinician productivity, facilitates security and compliance, and helps reduce operational costs.

Requirements for a healthcare identity and access assurance solution

A healthcare solution should meet the following requirements.

Clinician productivity

- Fast, secure access to patient records: The solution should provide fast, secure access to patient data, eliminating the need for per-application sign-on and sign-off.
- Comprehensive support for clinical workstations and network access points: The solution should support clinical kiosk environments in addition to handling the different workflow requirements of different user groups. It should support shared, private, and roaming desktops. It should support fast user switching, which is especially crucial in healthcare provider environments, as it enables multiple caregivers to share a computer simultaneously and switch between users without making them log out or risk being locked out. Fast user switching allows caregivers to securely share the workstation with other workers, enabling their work to follow them as they move between workstations. In addition, caregivers need access from remote offices as well as provider facilities. The solution should support access through personal and shared workstations, virtualized remote access terminals, Web portals, and extranets.
- Support for standards-based patient context management: The HL7 Clinical Context Object Workgroup (CCOW) standard enables efficient access to patient information and reduces clinical errors by automatically synchronizing patient context across applications.

Security and compliance

- Help with regulatory compliance: The solution should enforce user-specific application sign-on and sign-off. It should log user access to each application and provide reasonable assurance that users are who they say they are.
- Support for multi-factor authentication: The right identity credential enhances security. Using two or more factors improves identity assurance.
- Converged physical and logical access: The solution should be able to use building access badges for logical access, enabling clinicians to use the same ID badge they use for building access to gain application access.
- Comprehensive, flexible security policy: The solution should support the access needs of, and assist with regulatory compliance for, different user groups within an organization. In a healthcare environment, the solution would support onsite clinicians using shared workstations, physicians with remote access, and other IT, business, and laptop users.
- Access assurance: The solution must provide integrated auditing across information access points. Clinical access must be tracked within provider facilities and from remote sites.
- Integrated user provisioning: As clinicians transfer roles or jobs, or leave altogether, user provisioning systems should be able to automatically suspend or delete user access (a HIPAA requirement).
- Centralized user administration: Centralized user administration simplifies reporting, policy definition, and enforcement.
- Support for health information exchanges (HIEs): Accurately linking patients with their personal medical information across two or more healthcare providers, while at the same time protecting their privacy, is key to reducing costly medical errors.
- On-demand audit reports: Audit reports can be generated as needed to help demonstrate compliance.

Reduced operational costs

- User self-service: The solution should provide support for different loss scenarios, such as loss of identity credentials, forgotten passwords, and emergency treatment bypasses.
- Integration with existing infrastructure: The solution should be able to integrate with existing clinical and business systems without requiring changes to applications.
- Ease of deployment: The solution should be easy to deploy. It should support centralized deployment, delegated administration, and updates that minimize maintenance windows.
- Scalability: The solution should be scalable to support the needs of healthcare providers and the delivery network. It should work equally well offline or during peak usage.

Tivoli Identity and Access Assurance for healthcare

IBM Tivoli Identity and Access Assurance is a solution for healthcare that enables providers to simplify, strengthen, and track access to patient records from access points across the provider network. With this solution, providers can maintain clinician productivity with fast access to records while reducing the cost and complexity of compliance. The central functions of the solution are:

- User provisioning
- Unified single sign-on
- Event analytics and reporting to facilitate compliance

IBM Tivoli Identity and Access Assurance meets all of the key requirements of a healthcare identity and access compliance solution. It enables caregivers to share clinical workstations through fast user switching via shared, private, or roaming desktops. Users can have a wide choice of identity credentials. Access automation support and patient context synchronization simplify access.

Integrated support for push installation and centralized management provides easy deployment and management. User-centric tracking, sign-on and sign-off enforcement, and user provisioning help support HIPAA and EU data privacy compliance. IBM Tivoli Identity and Access Assurance can help healthcare providers:

Improve caregiver productivity and satisfaction through:
- Unified single sign-on and single sign-off for clinical and business applications
- Comprehensive shared workstation workflow management
- Support for HL7 CCOW context switching
- Comprehensive coverage of network access points
- Unified access using building access badges
- Support for health information exchanges and regional health information organizations (RHIOs)

Enhance security and compliance through:
- Application sign-on and sign-off enforcement
- Choice of authentication factors
- Comprehensive coverage of access needs for all users
- User-centric event capture, reporting, and archival with regulatory-specific reporting
- Integrated user provisioning with many application solutions
- Centralized administration of user access

Reduce operational cost through:
- Integrated self-help
- Ease of integration with existing infrastructure
- A proven, scalable architecture

Unified single sign-on and sign-off with auto-generation of profiles

IBM Tivoli Identity and Access Assurance provides fast, secure access to clinical applications through unified single sign-on. The unified single sign-on component provides workflow automation for all applications. It also auto-generates profiles for single sign-on and provides a graphical interface for advanced configuration.

Comprehensive shared workstation workflow management

Through its unified single sign-on component, IBM Tivoli Identity and Access Assurance provides session management capabilities for clinical workstations.

- Shared desktops: Tivoli Identity and Access Assurance may be configured to support desktop sharing for fast session log-in and log-out.
- Private desktops: Tivoli Identity and Access Assurance may be configured to manage multiple private desktops on the same workstation.
- Roaming desktops: Tivoli Identity and Access Assurance may be configured to provide personal desktops that follow users as they roam from workstation to workstation.

Tivoli Identity and Access Assurance supports hybrid session management, where different session methods may be combined to maximize productivity. To ensure fast emergency access to any clinical workstation, Tivoli Identity and Access Assurance supports an emergency hot key that may be configured to quickly unlock any computer. This feature provides a safety net against unintended lockouts while helping to maintain data privacy and audit controls.

Support for patient context management

IBM Tivoli Identity and Access Assurance supports patient context management for CCOW-compliant and non-CCOW-compliant applications as part of the HL7 suite of standards, and can enable compliant and non-compliant applications to provide integrated context management across a provider's clinical suite.[1]

Comprehensive coverage of network access points

IBM Tivoli Identity and Access Assurance provides comprehensive coverage of network access points such as personal and shared workstations, virtualized remote access terminals, Web portals, and extranets. With Tivoli Identity and Access Assurance, users can access the corporate network across all access points securely and easily. This coverage also enables IT administrators to centrally manage security policies across access points and capture events for compliance reporting. Tivoli Identity and Access Assurance supports single sign-on to applications: users need just one identity credential to log in to applications. In addition to support for Microsoft Windows platforms, IBM Tivoli Identity and Access Assurance supports secure and fast access to applications published through Citrix servers. The unified single sign-on component is designed to provide single sign-on and sign-off to applications accessed through Citrix servers or Terminal Services. IBM Tivoli Identity and Access Assurance can also enable two-factor authentication to secure access to applications running on these servers.

Unified access

By supporting existing building access cards, IBM Tivoli Identity and Access Assurance delivers a unified access solution. It enables the use of building access cards, such as HID Prox, HID iCLASS, MIFARE, and Indala cards, as second factors for logical access. As building access cards are already provisioned, no additional provisioning or re-badging is required. In addition, all support infrastructure and processes for managing these cards are already established, making this solution one of the most cost-effective two-factor authentication options. IBM Tivoli Identity and Access Assurance also supports converged cards that contain both smart card chips and RFID chips. This technology uses RFID for building access and smart cards for logical access. Alternatively, IBM Tivoli Identity and Access Assurance can turn any photo badge or magnetic-stripe-based building access system into a logical access card using itag.

Health information exchanges

Health information exchanges (HIEs) provide the capability to electronically move clinical information among disparate healthcare information systems while maintaining the meaning of the information being exchanged. HIEs facilitate access to and retrieval of clinical data to improve healthcare. HIEs are also useful to public health authorities. Tivoli Identity and Access Assurance supports the identity management and compliance functions required by HIEs.

Application sign-on and sign-off enforcement

To ensure accountability for access to patient records and data privacy, HIPAA and similar EU and global regulations require that users sign on with their own credentials. To prevent shared access, applications should automatically sign off after a period of inactivity. IBM Tivoli Identity and Access Assurance enables enforcement of these policies. The unified single sign-on component authenticates each user through a pre-selected choice of authentication factors. Once the user is authenticated, the component personalizes the session for the user. This helps ensure regulatory compliance while providing single sign-on, thereby simplifying access to ePHI.

Choice of authentication factors

The IBM Tivoli Identity and Access Assurance solution lets healthcare providers choose from a variety of user credentials, including building access badges, contactless badges, itag, mobile devices, biometrics, and USB smart cards or tokens. This wide choice of authentication factors helps meet the needs of different healthcare user groups. The following table summarizes the form factors supported and the target user groups.

Table 1: Choice of authentication factors

Authentication factor: Building access badge with RFID technology
  Use scenario: Users tap their building access badge on the reader and enter a password to log in.
  Target user group: This is best for clinical staff and business users working on premise.

Authentication factor: Contactless card
  Use scenario: Users are identified as they approach the workstation. They enter a password to log on.
  Target user group: This is best for clinical staff requiring fast log-ons and log-outs.

Authentication factor: Mobile device
  Use scenario: Users receive a code on their mobile device and use this code with their username and password to log on.
  Target user group: This is best for remote physicians who need a second factor to log on to a remote portal. This solution frees remote physicians from carrying additional devices while still maintaining access security.

Authentication factor: itag
  Use scenario: Users leverage any personal device or photo badge with smart labels to enable two-factor authentication.
  Target user group: This solution is an alternative to conventional token-based two-factor authentication. With itag, users do not need to carry a separate token for authentication.

Authentication factor: Biometrics
  Use scenario: Users use their intrinsic physical traits, such as fingerprints and palmprints, to log in.
  Target user group: This solution is an alternative to physical credentials for clinical staff.

Authentication factor: Smart USB key, smart card or token
  Use scenario: Users insert a smart USB key, a smart card, or a token and enter a password to log in.
  Target user group: This solution is best for users who require a higher level of security protection.

Authentication factor: One-time password tokens
  Use scenario: Users carry an authentication token, which is used to generate a one-time password. They use this password with a PIN to log in.
  Target user group: This is best for remote users who need a second factor to log in remotely to their corporate portal.

Authentication factor: Strong passwords
  Use scenario: Users enter a user ID and a strong password to log on.
  Target user group: This solution is best for any group whose risk profile does not warrant a second factor, or where a second factor is not viable.

By supporting building access badges, contactless cards, itag, mobile devices, and biometrics for authentication, Tivoli Identity and Access Assurance is unique in leveraging what you already have as a second factor. This reduces the costs of acquisition, provisioning, and support. It also provides greater convenience, relieving physicians and caregivers of the need to carry additional devices.

Regardless of the choice of authentication factors, administrators can centrally manage all authentication policies through IBM Tivoli Identity and Access Assurance and can enforce application password policies, such as password expiration and password strength.

Comprehensive coverage of all access needs

Tivoli Identity and Access Assurance is designed to cater to all user groups in a healthcare organization. The unified single sign-on component is available on all major access platforms, and it supports Web-facing applications and federated environments. Table 2 lists the recommended platforms and authentication factors for each user group.

Table 2: User groups and recommended authentication factors

User group: Clinical users
  Recommended unified single sign-on platforms: Windows configured as shared workstations
  Recommended authentication factors: Building access badge, contactless card, or itag

User group: Remote clinicians
  Recommended unified single sign-on platforms: Citrix, Windows Terminal Services, Web portal or Web Workplace configured for single sign-on access
  Recommended authentication factors: Strong passwords, one-time password tokens, contact or contactless smart cards or tokens, or mobile devices using a transmitted code

User group: IT users
  Recommended unified single sign-on platforms: Windows configured as dedicated workstations; Terminal Services configured for single sign-on access to remote applications
  Recommended authentication factors: Strong passwords, building access badge, smart cards or tokens, or itag

User group: Desktop business users
  Recommended unified single sign-on platforms: Windows configured as dedicated workstations
  Recommended authentication factors: Strong passwords, building access badge, or itag

User group: Laptop business users
  Recommended unified single sign-on platforms: Windows configured as dedicated workstations
  Recommended authentication factors: Strong passwords, USB smart card or token, or itag

User-centric event capture, reporting, and archival

HIPAA and similar privacy safeguards require healthcare providers to implement audit controls for health information technology (HIT) systems that hold patient information. To facilitate compliance, providers need to know which applications users accessed, who accessed the applications and details of the accounts used, and when and from where users accessed applications. Through Tivoli Identity and Access Assurance's event analytics and reporting, providers have consolidated, user-centric logs that provide the information required for effective audit control.

Support for user provisioning

Centralized provisioning and de-provisioning of user access rights to healthcare systems is critical to helping healthcare providers manage clinicians and contract staff. Tivoli Identity and Access Assurance provides a complete user provisioning solution. Managing the lifecycle of user access to critical healthcare systems can be challenging. Clinical staff turnover can have significant effects on productivity and security. Tivoli Identity and Access Assurance's user provisioning can automatically grant, modify, suspend, and delete user access, reducing the risk of unauthorized users gaining access to accounts.

Centralized administration and access certification

Centralized administration and ongoing governance of user access to resources is vital to helping healthcare providers maintain security and compliance while minimizing operational costs. As healthcare systems grow and evolve, the amount of clinical data available has increased dramatically. Furthermore, the accuracy and nomenclature of user data can vary from one system to the next. When faced with audits, it can be very time consuming and complex to report on who has access to what. Tivoli Identity and Access Assurance can help organizations establish a consolidated, authoritative source of user data. Additionally, it provides centralized reporting so that organizations can quickly create reports that depict who has access to what.
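The shared-workstation policy this paper describes (each user signs on with an individual credential, sessions stay resident for fast user switching, idle sessions are signed off automatically, and every access is recorded per user so an auditor can see who accessed what, when and where) modelled as an added example that ties together the shared workstation, sign-on/sign-off enforcement and event capture sections above. This is constructed illustration code, not IBM's or Tivoli's; the workstation name, users, credentials, application names and the 300-second timeout are all assumed.

```python
"""Constructed model of a shared clinical workstation: per-user sign-on,
resident sessions for fast user switching, inactivity sign-off, and a
user-centric audit trail. Not Tivoli code; all values are assumed."""
from dataclasses import dataclass, field

INACTIVITY_TIMEOUT = 300  # seconds; an assumed policy value


@dataclass
class AuditEvent:
    time: int          # simulated clock, seconds
    user: str          # the individual, never a shared workstation account
    workstation: str
    action: str        # SIGN_ON, SIGN_ON_FAILED, SWITCH, APP_OPEN, SIGN_OFF, LOCK_INACTIVE
    app: str = ""


@dataclass
class Session:
    user: str
    last_activity: int
    open_apps: set = field(default_factory=set)


class SharedWorkstation:
    """One kiosk: several clinicians may hold sessions, one is in the foreground."""

    def __init__(self, name, verify_credential):
        self.name = name
        self.verify = verify_credential   # callable(user, credential) -> bool
        self.sessions = {}                # user -> Session (all resident sessions)
        self.active = None                # user whose desktop is in the foreground
        self.audit = []

    def _log(self, now, user, action, app=""):
        self.audit.append(AuditEvent(now, user, self.name, action, app))

    def sign_on(self, now, user, credential):
        """Authenticate; resume this user's resident session (fast user switching)
        or start a new one. The previous foreground session stays resident."""
        self.expire_idle(now)
        if not self.verify(user, credential):
            self._log(now, user, "SIGN_ON_FAILED")
            return False
        if user in self.sessions:
            self._log(now, user, "SWITCH")
        else:
            self.sessions[user] = Session(user, now)
            self._log(now, user, "SIGN_ON")
        self.sessions[user].last_activity = now
        self.active = user
        return True

    def open_app(self, now, app):
        """Open an application in the foreground session; access is attributed to that user."""
        self.expire_idle(now)
        if self.active is None:
            raise PermissionError("no authenticated session in the foreground")
        s = self.sessions[self.active]
        s.open_apps.add(app)
        s.last_activity = now
        self._log(now, s.user, "APP_OPEN", app)

    def expire_idle(self, now):
        """Inactivity sign-off: close idle sessions and sign off each open app."""
        for user, s in list(self.sessions.items()):
            if now - s.last_activity >= INACTIVITY_TIMEOUT:
                for app in sorted(s.open_apps):
                    self._log(now, user, "SIGN_OFF", app)
                self._log(now, user, "LOCK_INACTIVE")
                del self.sessions[user]
                if self.active == user:
                    self.active = None

    def user_history(self, user):
        """User-centric audit view: what this person accessed, when and where."""
        return [(e.time, e.workstation, e.action, e.app)
                for e in self.audit if e.user == user]


def demo():
    """Two clinicians share one kiosk; constructed credentials and timeline."""
    creds = {"dr_lee": "badge-1111", "nurse_kim": "badge-2222"}
    ws = SharedWorkstation("ER-KIOSK-3", lambda u, c: creds.get(u) == c)
    ws.sign_on(0, "dr_lee", "badge-1111")
    ws.open_app(10, "EMR")
    ws.sign_on(20, "nurse_kim", "badge-2222")   # Lee's desktop stays resident
    ws.open_app(30, "CPOE")                      # attributed to nurse_kim
    ws.sign_on(40, "dr_lee", "badge-1111")       # fast switch back; EMR still open
    ws.open_app(200, "Imaging")
    ws.open_app(340, "LabResults")               # Kim idle 310 s: signed off first
    return ws
```

Running `demo()` and then `ws.user_history("nurse_kim")` shows the CPOE sign-off and lock recorded against the nurse at second 340, while Dr. Lee's session was never interrupted.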

The governance of access to healthcare systems can be cumbersome to manage. Tivoli Identity and Access Assurance provides the ability to define access certification policies that dictate whether the clinical staff manager approves or rejects a user's access to particular systems over set time periods. If access is rejected, the Tivoli solution can automatically suspend or delete user access.

Integrated self-help

IBM Tivoli Identity and Access Assurance has extensive self-service capabilities to ensure that clinician productivity is maximized even if users forget their password or authentication tokens.

Table 3: Loss and recovery mechanisms

Loss scenario: Forgotten/expired application password
  The Tivoli Identity and Access Assurance approach: This happens only when users are unable to sign on with their single sign-on credential. Users can reset their application password through Tivoli Identity and Access Assurance's self-help function.

Loss scenario: Forgotten/expired single sign-on password
  The Tivoli Identity and Access Assurance approach: During installation, users are required to answer a select number of personal questions. In the event that users forget their single sign-on password or the password has expired, they may reset their passwords by correctly answering these personal questions or by requesting an authorization code from the help desk.[2]

Loss scenario: Lost or forgotten authentication token
  The Tivoli Identity and Access Assurance approach: If users lose or forget their authentication token, they may temporarily bypass strong authentication by correctly answering selected personal questions. They may also request an authorization code from the help desk to be used as a temporary second factor until they regain their token.

Ease of integration with existing infrastructure

Given the diverse collection of applications in a healthcare organization and its 24x7 operation, Tivoli Identity and Access Assurance is designed to work with minimal or no change to the existing IT infrastructure. In particular, the unified single sign-on component works with any directory structure and does not require an expensive directory consolidation effort prior to deployment. In addition, it does not require any directory schema extension or replication of directory data.

The Tivoli Identity and Access Assurance solution is built on a scalable and proven architecture that integrates easily with existing infrastructures. The Tivoli solution's event analytics and reporting integrate with much of the IT infrastructure, supporting different sources of audit data that can be collected and processed. User provisioning also has out-of-the-box support for heterogeneous infrastructures. It supports multiple directories, operating systems, ERP systems, and applications, and provides for quick and easy custom adapter development for legacy or proprietary applications.

Scalable and proven architecture

The Tivoli Identity and Access Assurance solution provides a scalable and proven solution. Event analytics and reporting are built on a scalable architecture that allows the collection of data from thousands of sources. Similarly, user provisioning has a flexible, proven architecture to support different customer infrastructures.

Meeting the healthcare challenge

To meet regulatory requirements and provide speedy access to clinical data, healthcare providers need a solution that manages identities across their lifecycle while providing convenient access and ensuring strong security. Tivoli Identity and Access Assurance meets these needs for healthcare by centralizing and automating the management of users, authentication, access and audit policy, and the provisioning of access to user services, all while reducing operational costs. In summary, Tivoli Identity and Access Assurance can help healthcare providers:

- Improve caregiver productivity and satisfaction.
- Enhance security and compliance.
- Reduce operational cost.

For more information

To learn more about how Tivoli Identity and Access Assurance can help you manage data access and security issues in your environment, contact your IBM sales representative or IBM Business Partner, or visit ibm.com/tivoli/solutions/security

About Tivoli software from IBM

Tivoli software offers a service management platform for organizations to deliver quality service by providing visibility, control and automation: visibility to see and understand the workings of their business; control to effectively manage their business, help minimize risk and protect their brand; and automation to help optimize their business, reduce the cost of operations and deliver new services more rapidly. Unlike IT-centric service management, Tivoli software delivers a common foundation for managing, integrating and aligning both business and technology requirements. Tivoli software is designed to quickly address an organization's most pressing service management needs and help proactively respond to changing business demands. The Tivoli portfolio is backed by world-class IBM Services, IBM Support and an active ecosystem of IBM Business Partners. Tivoli clients and Business Partners can also leverage each other's best practices by participating in independently run IBM Tivoli User Groups around the world.

Notes

[1] IBM partners with CareFx to provide patient context management.
[2] An authorization code is required only if users fail to correctly answer their personal questions.

Copyright IBM Corporation 2009
IBM Corporation, Software Group, Route 100, Somers, NY, U.S.A.
Produced in the United States of America, June 2009. All Rights Reserved.

IBM, the IBM logo, ibm.com and Tivoli are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol, these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates. No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

The customer is responsible for ensuring compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.

TIW14029-USEN-00