Securing Access of Health Information Using Identity Management Steve Whicker Manager Security Compliance HIPAA Security Officer AHIS Central Region St Vincent Health sawhicke@stvincent.org Chris Bidleman Director of Healthcare Novell, Inc chris.bidleman@novell.com
Healthcare Industry Themes for 2010 Reduce healthcare costs: Surveys indicate HIT budgets will stay the same or slightly increase but CIO's will still look for ways to save money. IT Departments still resource constrained. Deal with aftermath of healthcare reform: New regulations, incentives to adopt electronic health records, and changes in reporting, breach notification and audits plus higher violation fines. Achieve Meaningful Use criteria. Expanded use of Health IT: HITECH and Meaningful Use guidelines will drive HIT adoption with it will also bring focus on privacy and security of protected health information (PHI) by encrypting data, role-based access controls, and audit trails. More communication between patient and provider: Incentives for increase programs of preventative medicine will require more electronic communication with patient and families, secure exchange of health data (eg. patient, doctor, referrals, public health orgs), and better patient identification 2
Meaningful Use Criteria - Stage 1 Starting January 1, 2011 from CMS-0033-P Improve quality, safety, efficiency, and reduce health disparities Engage patients and families in their health care Improve care coordination Improve population and public health Ensure adequate privacy and security protections for personal health information (PHI) 3
Today, who typically cares about Identity and access management? Chief Information Officer (CIO) Director of Infrastructures Network/Server Manager IT Security Application Administrators 4
With ARRA and Meaningful Use Who SHOULD care about Identity and Access Management? Application owners Audit committee Lines of Business owners Director of Applications Chief Executive Officer (CEO) Chief Financial Officer (CFO) Chief Information Officer (CIO) Chief Technology Officer (CTO) Chief Operating Officer (COO) Chief Information Security Officer (CISO) Chief Nursing Officer (CNO) Corporate Controller Internal Audit Director Operations VP HIPAA/Compliance Security Director/Officer Many others Chief Medical Information Officer (CMIO) 5
Today's Speaker Steve Whicker Manager Security Compliance HIPAA Security Officer AHIS Central Region St Vincent Health sawhicke@stvincent.org 6
Identity Management Goals at St. Vincent Health Enable regulatory compliance (HIPAA) and internal controls in Information Systems (IS) security processes Reduce operating costs through user account provisioning (process automation) and sharing common infrastructure components Decrease corporate exposure by reducing the risk of unauthorized access to data & automating enforcement of security policy Improve associate satisfaction by automating online Human Resources (HR) benefits management Improve data integrity by decreasing duplicative identity data stores and manual data entry processes Improve the quality of services provided by IS 7
St. Vincent Health s Identity Management Drivers Regulatory Compliance Security Efficiency / Cost HIPAA Unique user identification requirements Access Control Requirements Auditing Requirements Minimum Necessary Requirements Enterprise Rolebased Access Control (RBAC) model Auditing / Reporting Automate Manual Security Policies Automate Identity Management (Create, Modify, Delete) Automate Roles Based Access Control Automate Workflow Approval, Denial Reduce Manual Admin via automated account provisioning Manage online HR Benefits Set up Foundation for Expanded Services Improve Data Accuracy Leverage Current Investments Provide Password Reset Self Service 8
Where We Started (July 2005) Four separate networks (Indianapolis, Frankfort, Anderson, Kokomo) Two separate and overlapping access request processes for identity and access management (ID Request & IS Request), made it difficult to centrally manage the access request and change logs Identity creation and management was a manual process No centralized process to document request completion No formal validation process to verify the authenticity of requesting manager Multiple touch points (Network Administrator and Application support personnel) for creation of Login ID for an individual user De-provisioning process was not consistently followed No user entitlement matrix existed 9
Our Identity Management Roadmap Directory Infrastructure Readiness Upgrade NT Domains to AD Implement Universal Password Upgrade Existing Drivers to IdM2 Enable Bi- Directional Creates Consolidate File Services Trees Enhanced Provisioning Design and Implementation Document Identity Management Requirements Process Analysis and Design Document Web based Provisioning Workflow Requirements Design Enhanced Identity Management Design Web based Provisioning Workflow Implement Password Self Service Implement PeopleSoft Connector Enhance Existing Connectors and Implement Implement Web Based Provisioning Workflow Role Based Provisioning Design and Implementation Role Definition and Mapping Document Role based provisioning requirements Design Role based provisioning Implement Role based access and provisioning Provision users to additional systems Auditing and Reporting Identify Audit Needs Design Auditing and Reporting Audit Logging ( enable real time logging with appropriate systems) Implement Audit Business and Ongoing Support Skill Assessment Skills Development and Training Ongoing Maintenance and Support Governance, Organizational Change Management and Communication 10
Identity and Request Management Portal Windows Windows Biztalk Data Warehouse Vistar STVLDAP Windows Identity Management Portal IDV IND1 Windows 11 National AD / Exchange Windows STVI STVNET
Hiring Process Non-System Processes Start 1 1. HR/manager is notified of new hire (associate/ non-associate) 20. User and Manager receives notification that application has been granted PeopleSoft HRMS 2. HR/manager enters hire data into PS (associate / nonassociate) 7. PeopleSoft is updated with Login ID & email address Workflow Processes edirectory (IDV) edirectory (STVI & SVHLDAP) 3. All required attributed Are available and PeopleSoft effective date has transpired 15b. Application support checks queue Yes for non connected system No 4. Is this a new Identity? 14. WF approved by approver? Yes 5a. Identity Manager determine unique Login ID 13. Identity Manager generates workflow & email notify for default applications per rules 6. Identity Manager creates and places the Identity 11. Identity Manager emails manager of new hire 8b. Identity Manager creates Identity in SVHLDAP 5b. Go to Modify Users Process Box #4 Manager 12. Go to requests Modify Users additional Process Box Apps via WF #10b 8a. Identity Manager creates Identity in STVI 19. Workflow generates email notifications Yes 18. Application support approves WF Active Active Directory Directory (IND1) (STVNET) Yes for connected system 9. Identity Manager creates Identity IND1 10. Identity Manager creates Identity STVNET Other Applications 16. Application support determines access rights 17. Application support creates Identity and access rights Process performed for each application requested 15a. Create new user account automatically 12
Termination Process Non-System Processes Start 1 1. Manager is notified of a termination event for associate or non associate Start 2 1b. HR Service Center is notified of termination event for associate or non associate Start 3 1c. Termination is initiated through VISTAR feed 5. Server team is email notified that the user never showed up for work, research is done, accounts may be deleted manually, instead of just disable automatically 15. Manager receives notification PeopleSoft HRMS 2. Data is entered into PeopleSoft HRMS Workflow Processes edirectory (IDV) 3. IDM Updates User data in IDV. disables account & moves user to the inactive container 4a. Is this an a no show hire? 4b. Routes termination WF request to all app security admin(s) Yes 11. All application support admin(s) are notified via email of a termination workflow task to be completed after they disable or delete the account 14. Workflow generates email notifications 13. Application Support Approves WF edirectory (STVI & SVHLDAP) 6. IDM Updates User data in STVI. disables account & moves user to the inactive container 7. IDM disables Groupwise user and sets visibility to note 10. IDM deletes user account in SVHLDAP Active Directory (IND1) 8. IDM Updates User data in IND1. disables account & moves user to the inactive container Active Directory (STVNET) 9. IDM deletes user account in STVNET Other Applications 13. Application support admins disable/delete user manually in other application(s) 13
Other Processes Handled Renames (Name Changes) Business Unit Changes User Data Changes 14
Automated Escalation Process Insures Customer Request Are Not Lost Initiated by Manager to Grant application for End User Start Application Owner Escalate to Owner's Mgr 2 nd Escalation to Owner's Mgr Could take up to 6 days 1d 2d Denied 3d 4d 5d 6d Time Out Time Out Denied Denied Approved * Time Out Approved * Approved * * indicates completion of work IDM Entitlement is granted Log for all denied activities Finished 15
Self-Service Password Reset Provides user the ability to reset their own password anytime any place At work At home on portals Reduces Helpdesk calls Provides for positive validation of user identity through Challenge and Response Questions Easily integrates with current systems 16
Lessons Learned Know and thoroughly document your environment Assume nothing (verify things actually work as advertised) Understand the organizations business processes Talk to the users and understand yours and their business processes Cooperation and involvement of Human Resources is vital Have a viable test environment Be prepared for problems 17
What s Next? Install the Roles and Provisioning Module Upgraded version of the User Application (Self-service portal) Role Based Provisioning Design and Implementation 18
Novell Three Solution Areas Helping Healthcare Providers give users simple, secure access while safeguarding patient information Data Center End-User Computing Identity and Security Lower Costs SUSE Linux Enterprise Virtualization Intelligent Workload Management Business Service Management Secure Assets SUSE Linux Desktop Endpoint Management Manage and Secure servers and desktops Secure Social Collaboration Tools Protect Data Compliance Management Access Governance Identity Management Single Sign-on Security Management 19
Novell Solutions For Key HITECH Security Issues 20 Issue Impermissible uses and disclosures of protected health information (PHI) Lack of safeguards of protected health information such as logging and monitoring to detect suspicious system activities Enhance role-based access control based on the minimum necessary principle Breach notification procedure updates with monitoring and reporting Encryption of mobile devices and other data sources storing PHI plus reducing data leakage Novell Product Solution Novell Compliance Management Platform (CMP) provides identity management, audit reporting, and web access control to network resources Novell SecureLogin (NSL) provides enterprise single sign-on and fast user switching for shared workstations. Novell Sentinel can provide realtime auditing, monitoring and remediation of user access to PHI with powerful correlation engine Novell Access Governance Suite (AGS) can manage roles and security policies as well as access certification. Novell Identity Manager (IDM) can provision/deprovision resources based on roles and provide self-service and workflow. Novell Sentinel Log Manager can store and analyze who had access to what, when, where and how for all connected devices and apps Novell ZENworks Endpoint Management solutions can secure devices including USB ports, encrypt data, application virtualization, patch management and make upgrades easy (e.g. Windows 7)
Questions?
For More Information www.himss.org/economicstimulus/ - HITECH and MU www.novell.com/healthcare - Healthcare Solutions www.novell.com/singlesignonforhealthcare - SSO www.novell.com/identity - Identity Management www.novell.com/success - Case Studies 22
Making IT work as One
Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.