GCA Technology Healthcare Identity Management Case Study


This Identity Management project won the “Project of the Year” award at the Information Security Executive (ISE) of the Year Awards in Atlanta, GA. The ISE Southeast Award recognizes the information security executives and their teams who have demonstrated outstanding leadership in risk management, data asset protection, regulatory compliance, privacy, and network security. Additionally, the project was named a finalist for the North American Project of the Year.

Published in: Technology, Business

  1. GCA TECHNOLOGY SERVICES GETS HEALTHCARE GROUND BREAKING IDENTITY MANAGEMENT IMPLEMENTATION
     www.gca.net | 888.422.9786

     THE HEALTHCARE CUSTOMER

     Our customer is one of the leading operators of general acute care hospitals in the United States. The organization was founded in 1985 and has 220,000+ users. Our customer is one of the largest publicly-traded hospital companies in the United States and a leading operator of general acute care hospitals in non-urban and mid-size markets throughout the country.

     The organization and its affiliates own, operate, or lease over 134 hospitals in 29 states. This brings the total licensed bed count to approximately 20,000. Its hospitals offer a broad range of inpatient and surgical services, outpatient treatment and skilled nursing care. The organization also provides management and consulting services to non-affiliated general acute care hospitals located throughout the United States.

     THE CHALLENGE

     The healthcare organization was manually provisioning rights and access to new employees (corporate employees, physicians, nurses, etc.). Provisioning new users (and deprovisioning terminated users) took 24 hours. On average, it took up to three weeks for those employees to gain access to the systems they are required to use based upon their job function/role. These delays were due to the manual process for workflow approvals.

     Like the majority of organizations, the customer had an inconsistent process for archiving roles-based exceptions (needed for compliance), undefined employee-to-manager relationships, no synchronization across multiple applications/platforms, no auditing or mapping of users to applications and access, and limited password self-service. Clinicians were required to remember multiple usernames and passwords, causing an influx of password reset calls to the help desk.

     It was decided that its process for managing the lifecycle of its employees was not as efficient and cost-effective as it could be. The overall goal of the Identity Management project was to tune, expand and enhance the current provisioning system so that the organization could maintain an employee’s complete set of identity information, which spans multiple business and technical contexts. This allowed the IS team to condense identity and access provisioning methods, which ultimately improved data consistency and accuracy as well as security across the multiple systems that clinicians access to provide patient care.

     [Figure: User Count vs Time, 2004 to 2012, vertical axis 0 to 250,000 users.] The user count grew rapidly as the organization acquired new hospitals. The local IT team had to import the new identities to the IDM system and make sure they were set up the same as existing users within the organization’s user provisioning environment. On average, it took up to three weeks for the employees of the newly acquired hospital to be fully provisioned to their applications and systems. It now takes 5-15 minutes.
  2. PROJECT STAKEHOLDERS AND GOALS

     GCA Technology Services planned the project in several phases. Phase I was an infrastructure and application upgrade slated to start in October 2009. Phase II and III (A) consisted of expanding and enhancing clinical applications. Phase III (B) added many more premise-based clinical applications and connected to several cloud (SaaS) applications. The ongoing Phase IV expanded upon the clinical application connectors and assisted the customer with production rollouts to newly acquired hospitals. GCA Technology Services worked alongside the healthcare organization’s team of information security professionals to complete each project phase on time and on budget.

     At the time of implementation, the project supported 140,000 employees including physicians, clinicians, hospital administrators, information systems staff, consultants, and physician office staff. The project also supported approximately 60,000 remote users. As of March 2012, the project reportedly supports over 220,000 users, with more users being added daily.

     Our customer listed the following as goals for their identity management project:

     - Reduce multiple user accounts to a single account for system access
     - Provision a single user account for multiple applications
     - Real time provisioning of new and terminated users
     - Password reset capabilities for multiple systems
     - Create manager to employee relationships for organizational charts
     - Reduce support calls handled by local facility IS
     - Time bound provisioning for consultants / contractors
     - Compliance auditing and reporting of provisioning
     - User to application access mapping and reporting

     THE PROJECT DETAILS

     NetIQ Identity Manager 4.0 was recommended as an upgrade to the existing Identity Manager 2.0 solution, thus avoiding relicensing and reworking of their existing architecture. Utilizing the 5 existing physical servers, we extended these by adding 25 virtual servers to encompass a larger portion of their provisioning. The number of servers added was based on the sheer scale of the solution. Additionally, high availability was built into the solution so that one third of the solution can be down at any given time. Due to the hundreds of connections being made to different systems, the architecture was chosen for its high scalability.

     [Figure: Old Environment: 5 Servers. New Environment: 5 Physical Servers, 25 Virtual Servers.]
  3. THE PROJECT DETAILS

     The project team from GCA Technology Services custom developed clinical drivers along with workflows and entitlements for the McKesson, Ultipro, Meditech, AllScripts, HMS, and Keane suite of clinical products. GCA Technology Services’ engineers were able to work with these healthcare applications and custom develop drivers with enhanced functionality. These drivers enabled NetIQ Identity Manager to automatically provision, deprovision, and modify user accounts in each of the applications based on the user’s role.

     Determining the access required for each user was a problem. Utilizing a paperwork approval process slowed the came to their department. There are multiple areas where an employee could make a mistake on the form. This payroll database, the customer was able to get up to the minute status of new and terminated users. GCA Technology Services decided to connect to payroll because the information contained in such a database is typically the most accurate source of user information within an organization. The payroll information also gave insight to help determine a baseline role for most of the provisioning required such as, assigned position, 134 locations.

     [Figure: User, Access Approver, Identity Management System, Application A.] Employees now request access directly through the IDM system. The access approver is now able to grant access immediately through the IDM system, which provisions the employee directly to the application.

     Based on the data mined from the payroll system, the project team was able to determine the facility and department of a user, which allowed the provisioning of the user automatically to only the clinical applications that they need access to. They standardized their facilities on the same applications across those hospitals and the automated provisioning based on the roles. This allowed the organization to rollout the applications at their application could be performed in a matter of minutes, not days or weeks. These clinical drivers, the key to project delivered a single username and password to all locations for 16 applications and that list is growing today.
  4. THE RESULTS

     Identity Management improved user provisioning for our customer by reducing the time to add, modify or remove users to under 4 minutes. The previous provisioning process took 24 hours. Password reset calls were around 60% of the service desk's requests. Today, the volume of password-related calls is less than 10% of the total service desk call volume. Identity Management support resources have transitioned into other areas of support since the implementation. The time to provision users at the time of a audits have been reduced by over 90% for terminated users and roles based violations.

     The project team also integrated NetIQ Sentinel (SIEM) with the Identity Manager. This allows the organization to see all IDM processes in real time and log all activity for regulatory compliance. They can watch the Role Processor (the brain behind the role-based engine) determine the role of a new user as he/she is entered into payroll while watching each of the connectors provision the role in real time. When a user is terminated, the customer can see each account as it is disabled, one by one, throughout the system. If, for any reason, a connection goes down (VPN tunnel outage, local IS takes the application down for maintenance, etc.), Sentinel will show that IDM could not connect to the remote system and is waiting for it to come back online. This increased level of visibility will ensure everything within the user provisioning environment will run smoothly.

     [Figure captions:] The time to add, modify or remove users once took 24 hours. With the new identity management system in place, provisioning users takes just 4 minutes. Time to provision new users at the time of a hospital acquisition took 3 weeks. The new identity management system can now provision access to the new users in 5-15 minutes.

     SOUTHEAST PROJECT OF THE YEAR, 2011

     On March 16, 2011, the Identity Management project won the “Project of the Year” award at the Information Security Executive (ISE) of the Year Awards in Atlanta, GA. The ISE Southeast Award recognizes the information security executives and their teams who have demonstrated outstanding leadership in risk management, data asset protection, regulatory compliance, privacy, and network security. There was stiff competition as they were nominated along with Equifax, Thomson Reuters, and the Internal Revenue Service, to name a few. However, the project prevailed and took home 2011’s top honor from the ISE. Additionally, the project was named a finalist for the 2011 North American Project of the Year.

     GCA TECHNOLOGY SERVICES
     1511 N. WESTSHORE BLVD. SUITE 700, TAMPA, FL 33607
     sales@gca.net
     www.gca.net | 888.422.9786