Securing Access of Health Information Using Identity Management


Steve Whicker
Manager Security Compliance, HIPAA Security Officer
AHIS Central Region, St Vincent Health
sawhicke@stvincent.org

Chris Bidleman
Director of Healthcare, Novell, Inc
chris.bidleman@novell.com

Healthcare Industry Themes for 2010
- Reduce healthcare costs: Surveys indicate HIT budgets will stay the same or slightly increase, but CIOs will still look for ways to save money. IT departments are still resource constrained.
- Deal with the aftermath of healthcare reform: New regulations, incentives to adopt electronic health records, and changes in reporting, breach notification and audits, plus higher violation fines. Achieve Meaningful Use criteria.
- Expanded use of Health IT: HITECH and Meaningful Use guidelines will drive HIT adoption, which will also bring focus on the privacy and security of protected health information (PHI) through data encryption, role-based access controls, and audit trails.
- More communication between patient and provider: Incentives to increase preventative medicine programs will require more electronic communication with patients and families, secure exchange of health data (e.g. patient, doctor, referrals, public health orgs), and better patient identification.

Meaningful Use Criteria - Stage 1
Starting January 1, 2011, from CMS-0033-P
- Improve quality, safety, efficiency, and reduce health disparities
- Engage patients and families in their health care
- Improve care coordination
- Improve population and public health
- Ensure adequate privacy and security protections for personal health information (PHI)

Today, who typically cares about Identity and Access Management?
- Chief Information Officer (CIO)
- Director of Infrastructures
- Network/Server Manager
- IT Security
- Application Administrators

With ARRA and Meaningful Use, who SHOULD care about Identity and Access Management?
- Application owners
- Audit committee
- Lines of Business owners
- Director of Applications
- Chief Executive Officer (CEO)
- Chief Financial Officer (CFO)
- Chief Information Officer (CIO)
- Chief Technology Officer (CTO)
- Chief Operating Officer (COO)
- Chief Information Security Officer (CISO)
- Chief Nursing Officer (CNO)
- Corporate Controller
- Internal Audit Director
- Operations VP
- HIPAA/Compliance
- Security Director/Officer
- Chief Medical Information Officer (CMIO)
- Many others

Today's Speaker
Steve Whicker
Manager Security Compliance, HIPAA Security Officer
AHIS Central Region, St Vincent Health
sawhicke@stvincent.org

Identity Management Goals at St. Vincent Health
- Enable regulatory compliance (HIPAA) and internal controls in Information Systems (IS) security processes
- Reduce operating costs through user account provisioning (process automation) and sharing common infrastructure components
- Decrease corporate exposure by reducing the risk of unauthorized access to data and automating enforcement of security policy
- Improve associate satisfaction by automating online Human Resources (HR) benefits management
- Improve data integrity by decreasing duplicative identity data stores and manual data entry processes
- Improve the quality of services provided by IS

St. Vincent Health's Identity Management Drivers
Driver categories: Regulatory Compliance; Security; Efficiency / Cost
- HIPAA
  - Unique user identification requirements
  - Access Control Requirements
  - Auditing Requirements
  - Minimum Necessary Requirements
- Enterprise Role-based Access Control (RBAC) model
- Auditing / Reporting
- Automate Manual Security Policies
- Automate Identity Management (Create, Modify, Delete)
- Automate Roles Based Access Control
- Automate Workflow Approval, Denial
- Reduce Manual Admin via automated account provisioning
- Manage online HR Benefits
- Set up Foundation for Expanded Services
- Improve Data Accuracy
- Leverage Current Investments
- Provide Password Reset Self Service

Where We Started (July 2005)
- Four separate networks (Indianapolis, Frankfort, Anderson, Kokomo)
- Two separate and overlapping access request processes for identity and access management (ID Request & IS Request), which made it difficult to centrally manage the access request and change logs
- Identity creation and management was a manual process
- No centralized process to document request completion
- No formal validation process to verify the authenticity of the requesting manager
- Multiple touch points (Network Administrator and Application support personnel) for creation of a Login ID for an individual user
- De-provisioning process was not consistently followed
- No user entitlement matrix existed

Our Identity Management Roadmap

Directory Infrastructure Readiness
- Upgrade NT Domains to AD
- Implement Universal Password
- Upgrade Existing Drivers to IdM2
- Enable Bi-Directional Creates
- Consolidate File Services Trees

Enhanced Provisioning Design and Implementation
- Document Identity Management Requirements
- Process Analysis and Design
- Document Web based Provisioning Workflow Requirements
- Design Enhanced Identity Management
- Design Web based Provisioning Workflow
- Implement Password Self Service
- Implement PeopleSoft Connector
- Enhance Existing Connectors and Implement
- Implement Web Based Provisioning Workflow

Role Based Provisioning Design and Implementation
- Role Definition and Mapping
- Document Role based provisioning requirements
- Design Role based provisioning
- Implement Role based access and provisioning
- Provision users to additional systems

Auditing and Reporting
- Identify Audit Needs
- Design Auditing and Reporting
- Audit Logging (enable real time logging with appropriate systems)
- Implement Audit

Business and Ongoing Support
- Skill Assessment
- Skills Development and Training
- Ongoing Maintenance and Support

Governance, Organizational Change Management and Communication

Identity and Request Management Portal
[Architecture diagram. Labelled components: Biztalk, Data Warehouse, Vistar, STVLDAP, Identity Management Portal, IDV, IND1, National AD / Exchange, STVI, STVNET; several nodes are labelled Windows.]

Hiring Process
[Flowchart. Swimlanes: Non-System Processes; PeopleSoft HRMS; Workflow Processes; eDirectory (IDV); eDirectory (STVI & SVHLDAP); Active Directory (IND1); Active Directory (STVNET); Other Applications.]

Start 1
1. HR/manager is notified of new hire (associate / non-associate).
2. HR/manager enters hire data into PS (associate / non-associate).
3. All required attributes are available and PeopleSoft effective date has transpired.
4. Is this a new Identity? (Yes/No decision)
5a. Identity Manager determines unique Login ID.
5b. Go to Modify Users Process, Box #4.
6. Identity Manager creates and places the Identity.
7. PeopleSoft is updated with Login ID & email address.
8a. Identity Manager creates Identity in STVI.
8b. Identity Manager creates Identity in SVHLDAP.
9. Identity Manager creates Identity in IND1.
10. Identity Manager creates Identity in STVNET.
11. Identity Manager emails manager of new hire.
12. Manager requests additional apps via WF. (Connector: Go to Modify Users Process, Box #10b.)
13. Identity Manager generates workflow & email notification for default applications per rules.
14. WF approved by approver?
15a. Yes, for connected system: create new user account automatically.
15b. Yes, for non-connected system: application support checks queue.
16. Application support determines access rights.
17. Application support creates Identity and access rights.
18. Application support approves WF.
19. Workflow generates email notifications.
20. User and Manager receive notification that application has been granted.

Process performed for each application requested.

Termination Process
[Flowchart. Swimlanes: Non-System Processes; PeopleSoft HRMS; Workflow Processes; eDirectory (IDV); eDirectory (STVI & SVHLDAP); Active Directory (IND1); Active Directory (STVNET); Other Applications.]

Start 1: 1. Manager is notified of a termination event for associate or non-associate.
Start 2: 1b. HR Service Center is notified of termination event for associate or non-associate.
Start 3: 1c. Termination is initiated through VISTAR feed.
2. Data is entered into PeopleSoft HRMS.
3. IDM updates user data in IDV, disables account & moves user to the inactive container.
4a. Is this a no-show hire? (decision; the diagram shows a Yes branch)
4b. Routes termination WF request to all app security admin(s).
5. Server team is notified by email that the user never showed up for work; research is done, and accounts may be deleted manually instead of just being disabled automatically.
6. IDM updates user data in STVI, disables account & moves user to the inactive container.
7. IDM disables GroupWise user and sets visibility to note.
8. IDM updates user data in IND1, disables account & moves user to the inactive container.
9. IDM deletes user account in STVNET.
10. IDM deletes user account in SVHLDAP.
11. All application support admin(s) are notified via email of a termination workflow task to be completed after they disable or delete the account.
13. Application support admins disable/delete user manually in other application(s).
13. Application Support approves WF.
14. Workflow generates email notifications.
15. Manager receives notification.
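The termination flow above can be audited after the fact by comparing each system's account state with the end state the slide assigns to it (steps 3, 6 to 10 and 13). The following is an added example, not part of the original presentation or St. Vincent Health's tooling; the record layout, the container name `inactive`, and the `LabSystem` application are constructed for illustration.

```python
# Added example: check a terminated user's accounts against the termination flow.
# Record layout, container name and sample data are assumptions.
from dataclasses import dataclass
from typing import Optional

DISABLE_AND_MOVE, DISABLE, DELETE = "disable+move", "disable", "delete"

# End state each connected system should reach, keyed to the slide's step numbers.
EXPECTED = {
    "IDV": DISABLE_AND_MOVE,     # step 3
    "STVI": DISABLE_AND_MOVE,    # step 6
    "GroupWise": DISABLE,        # step 7
    "IND1": DISABLE_AND_MOVE,    # step 8
    "STVNET": DELETE,            # step 9
    "SVHLDAP": DELETE,           # step 10
}
INACTIVE_CONTAINER = "inactive"  # hypothetical container name

@dataclass
class Account:
    enabled: bool
    container: str = ""

def check_connected(system: str, acct: Optional[Account]) -> Optional[str]:
    """Return a finding for one connected system, or None if it is in the expected state."""
    if acct is None:
        return None  # no account left, so nothing remains to log in with
    action = EXPECTED[system]
    if action == DELETE:
        return f"{system}: account still exists, expected deleted"
    if acct.enabled:
        return f"{system}: account still enabled"
    if action == DISABLE_AND_MOVE and acct.container != INACTIVE_CONTAINER:
        return f"{system}: disabled but not moved to the inactive container"
    return None

def reconcile(snapshot: dict) -> list:
    """snapshot maps system name -> Account; a missing key means no account exists."""
    findings = []
    for system in EXPECTED:
        finding = check_connected(system, snapshot.get(system))
        if finding:
            findings.append(finding)
    # Anything else is a non-connected application handled manually (step 13).
    for system, acct in snapshot.items():
        if system not in EXPECTED and acct.enabled:
            findings.append(f"{system}: manual de-provisioning not done")
    return findings

# Constructed snapshot for one terminated user; "LabSystem" is a made-up application.
SAMPLE = {
    "IDV": Account(enabled=False, container="inactive"),
    "STVI": Account(enabled=False, container="users"),
    "GroupWise": Account(enabled=False),
    "IND1": Account(enabled=False, container="inactive"),
    "STVNET": Account(enabled=True, container="users"),
    "LabSystem": Account(enabled=True),
}

if __name__ == "__main__":
    for line in reconcile(SAMPLE):
        print(line)
```

Run on a schedule against directory exports, a check like this surfaces the inconsistent de-provisioning that the "Where We Started" slide lists as a starting problem.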

Other Processes Handled
- Renames (Name Changes)
- Business Unit Changes
- User Data Changes

Automated Escalation Process Ensures Customer Requests Are Not Lost
[Flow diagram: a request initiated by a manager to grant an application for an end user starts with the Application Owner, then is escalated to the Owner's Mgr, then goes to a 2nd escalation to the Owner's Mgr. Each stage can end in Approved *, Denied or Time Out, along a timeline marked 1d to 6d; the process could take up to 6 days. * indicates completion of work: IDM entitlement is granted. Log for all denied activities.]

Self-Service Password Reset
- Provides users the ability to reset their own password anytime, any place
  - At work
  - At home on portals
- Reduces Helpdesk calls
- Provides for positive validation of user identity through Challenge and Response Questions
- Easily integrates with current systems

Lessons Learned
- Know and thoroughly document your environment
- Assume nothing (verify things actually work as advertised)
- Understand the organization's business processes
- Talk to the users and understand yours and their business processes
- Cooperation and involvement of Human Resources is vital
- Have a viable test environment
- Be prepared for problems

What's Next?
- Install the Roles and Provisioning Module
- Upgraded version of the User Application (Self-service portal)
- Role Based Provisioning Design and Implementation

Novell Three Solution Areas
Helping Healthcare Providers give users simple, secure access while safeguarding patient information

Data Center (Lower Costs)
- SUSE Linux Enterprise
- Virtualization
- Intelligent Workload Management
- Business Service Management

End-User Computing (Secure Assets)
- SUSE Linux Desktop
- Endpoint Management
- Manage and Secure servers and desktops
- Secure Social Collaboration Tools

Identity and Security (Protect Data)
- Compliance Management
- Access Governance
- Identity Management
- Single Sign-on
- Security Management

Novell Solutions For Key HITECH Security Issues

Issue
- Impermissible uses and disclosures of protected health information (PHI)
- Lack of safeguards of protected health information such as logging and monitoring to detect suspicious system activities
- Enhance role-based access control based on the minimum necessary principle
- Breach notification procedure updates with monitoring and reporting
- Encryption of mobile devices and other data sources storing PHI plus reducing data leakage

Novell Product Solution
- Novell Compliance Management Platform (CMP) provides identity management, audit reporting, and web access control to network resources.
- Novell SecureLogin (NSL) provides enterprise single sign-on and fast user switching for shared workstations.
- Novell Sentinel can provide real-time auditing, monitoring and remediation of user access to PHI with a powerful correlation engine.
- Novell Access Governance Suite (AGS) can manage roles and security policies as well as access certification.
- Novell Identity Manager (IDM) can provision/deprovision resources based on roles and provide self-service and workflow.
- Novell Sentinel Log Manager can store and analyze who had access to what, when, where and how for all connected devices and apps.
- Novell ZENworks Endpoint Management solutions can secure devices including USB ports, encrypt data, application virtualization, patch management and make upgrades easy (e.g. Windows 7).

Questions?

For More Information
- www.himss.org/economicstimulus/ - HITECH and MU
- www.novell.com/healthcare - Healthcare Solutions
- www.novell.com/singlesignonforhealthcare - SSO
- www.novell.com/identity - Identity Management
- www.novell.com/success - Case Studies

Making IT work as One

Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.