As standards such as those from the Liberty Alliance mature, it will become increasingly easy to exchange data among different organizations and systems that use different products. This is vital for efficient monitoring and referral of patients among different healthcare providers, and for supporting cost-effective and streamlined treatment programs.
The main challenges for a healthcare provider in terms of identity management are:
* Ensuring that every user is strongly authenticated, and is granted access to only those resources and information that they are authorized to access.
* Protecting the confidentiality of patient information, and ensuring that it is kept private.
* Auditing access policies, to determine who has been granted access to specific applications or information.
* Creating workflow processes so that appropriate management approval is required whenever a user requests access to confidential information.
* Ensuring that access to confidential information is terminated immediately when an employee leaves the company.
* Protecting confidential information, even across the boundaries of business units within a large corporation, or between corporations themselves.
* Creating procedures for creating and changing passwords, so that the environment has stronger security.
CHILDREN’S HOSPITAL CASE STUDY
One large hospital that has recently implemented identity management is the Children’s Hospital in Boston, using the Identity Management Suite from Courion.
The main function of the system is to handle password resets and account provisioning, since inefficient password management and multiple authentication authorities were causing problems in the security infrastructure.
In addition to treating more than 300,000 patients each year, Children’s is the world’s largest pediatric research facility. As such, it deals with unique challenges, including 300 new interns each spring, each of whom must be provided passwords and system accounts; a highly mobile work force that needs to access information from surgical units, inpatient floors and offices; researchers and surgical chiefs who are not employees of the hospital but need to access its resources; legacy systems and applications; departmental IT groups that run their own account management systems; and the need to comply with strict government regulations such as HIPAA.
As it told eWeek, the hospital also faced many of the same password management problems that other organizations do, such as account sharing and passwords written on sticky notes.
Before Courion was implemented in late 2002, many authentication systems were in place, including those in PeopleSoft’s HRMS, Netscape email, the Oracle database, and several vertical healthcare and internally built applications. This led to many orphaned accounts and bad passwords.
Making matters worse was the inefficiency of Children’s old account creation process. Users would send a fax requesting an addition or a change to an account, and a helpdesk staffer would enter this request by hand into the hospital’s helpdesk system. New users would then be created in each of the different authentication areas.
After deciding in early 2002 that the efficiency of password and account management needed improvement, the IT staff evaluated several solutions. These included products from Access360 (since acquired by IBM), BMC Software, Business Layers (since acquired by Netegrity), M-Tech Information Technology and Waveset Technologies.
The decision was made to go with Courion’s Identity Management Suite because of its superior password reset and account creation capabilities. In addition, unlike other products the Children’s IT staff evaluated, Courion’s suite integrates with the hospital’s legacy Hewlett Packard VMS and Alpha servers, as well as with its diverse application infrastructure.
The implementation of the password and account management features of Courion’s Identity Management Suite has resulted in 2,000 fewer support calls and more than $200,000 in recovered costs.
The Children’s Hospital team also had to balance conflicting requirements: keeping processes simple, while being unable to rely on many default user templates because of the diversity of hospital and research workers and the cultural issues involved.
Apparently simple issues, such as what questions could be asked when users were resetting their own passwords, turned into big hurdles, and it is hard to mandate requirements or procedures to senior staff such as chiefs of surgery.
The hospital launched an internal campaign to clean up the ID info across all the hospital systems and applications in order to keep bad data and bad account information out of the system. The group also developed internal tools to identify and manage differences in directories and to find problems such as duplicate and orphaned accounts.
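One way a directory reconciliation tool of this kind could work, shown as an added example that is not the hospital's or Courion's code. The record layout, field names, system labels and sample data are constructed assumptions; the HR roster is assumed to be the authoritative source of who should hold accounts.

```python
from collections import defaultdict

# Constructed sample data: an HR roster (assumed authoritative) and
# account exports from three separately managed systems.
HR_ROSTER = {
    "E1001": {"name": "Ana Ruiz", "active": True},
    "E1002": {"name": "Ben Cole", "active": False},  # has left the hospital
    "E1003": {"name": "Chi Tran", "active": True},
}
ACCOUNTS = [
    {"system": "email", "login": "aruiz", "employee_id": "E1001"},
    {"system": "email", "login": "ana.ruiz", "employee_id": "E1001"},
    {"system": "oracle", "login": "ARUIZ", "employee_id": "E1001"},
    {"system": "oracle", "login": "BCOLE", "employee_id": "E1002"},
    {"system": "hrms", "login": "ctran", "employee_id": "E1003"},
    {"system": "email", "login": "tempdoc", "employee_id": None},
]


def reconcile(roster, accounts):
    """Compare account exports against the roster.

    Returns (orphaned, duplicates):
      orphaned   - list of (system, login, reason) for accounts whose owner
                   is missing from the roster or no longer active
      duplicates - {(system, employee_id): [logins]} where one person holds
                   more than one account in the same system
    """
    orphaned = []
    per_owner = defaultdict(list)
    for acct in accounts:
        owner = roster.get(acct["employee_id"])
        if owner is None:
            orphaned.append((acct["system"], acct["login"], "no matching HR record"))
        elif not owner["active"]:
            orphaned.append((acct["system"], acct["login"], "owner inactive"))
        else:
            per_owner[(acct["system"], acct["employee_id"])].append(acct["login"])
    duplicates = {k: sorted(v) for k, v in per_owner.items() if len(v) > 1}
    return orphaned, duplicates


if __name__ == "__main__":
    orphaned, duplicates = reconcile(HR_ROSTER, ACCOUNTS)
    for system, login, reason in orphaned:
        print(f"ORPHANED  {system}:{login} ({reason})")
    for (system, emp), logins in duplicates.items():
        print(f"DUPLICATE {system} {emp}: {', '.join(logins)}")
```

In an environment like the one described, where researchers and surgical chiefs are not hospital employees, a "no matching HR record" result is a prompt for review rather than automatic removal, since those users need a sponsor record of their own.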
There was also the need for an internal marketing campaign to let workers know that PasswordCourier would be implemented and to provide information on how they could access accounts. This was critical to get buy-in and rapid adoption.
Children’s IT staff also wrote a script that reminded users when their Windows NT password–the gateway password for most users–was about to expire and sent them to PasswordCourier via a link to the application’s web interface.
While the password reset features provide the most visible and obvious benefits to users and were what originally got Courion through the door at the hospital, the Children’s IT staff knew that the biggest payoff would come from implementing the AccountCourier module to improve account management.
Much of the planning focused on making the AccountCourier rollout essentially invisible to users and managers. To help with this, the IT staff tied existing applications into AccountCourier, for instance by rearchitecting certain web forms used to request account access for users.
AccountCourier has significantly reduced the amount of time it takes IT staff to create accounts–from as long as three to four weeks in the old system to about 10 minutes now.
Currently, the IT staff have decided against implementing workflows that would allow managers to grant account access themselves.
The improved efficiencies and return on investment were key benefits of moving password and account management to Courion, says the hospital, but these paled in comparison with the ability the IT staff now has to bring security management practices in line with regulations and to help hospital staff do their jobs more effectively.
While some kind of single-sign-on implementation seems logical for the hospital’s needs, the IT staff has not brought anything in yet. There is a big drive to do so, but the hospital does not want to take on too much too quickly, and has already achieved step one–less frequent sign-on, with the considerable benefits that brings in terms of tracking access, protecting data and streamlining processes.
The hospital is also looking at building a more centralized directory to help offset the problems of dealing with many separate user directories and authentication mechanisms. To help address password and authentication issues, the IT staff has also considered biometric solutions. However, that initiative has been put on the back burner because of cultural problems as well as more practical problems, such as the difficulty that biometric systems might have with hospital gloves and masks. Other future developments could include sending XML to Courion to start workflows.