Identity Management: Front and Center for Healthcare Providers

Identity Management: Front and
Center for Healthcare Providers

2SailPoint Technologies Confidential & Proprietary Do Not Distribute
Welcome
 Thank You for attending today’s webinar
 The webcast is being recorded and will be available shortly after the event
 Webcast audio is in listen only mode. You can communicate via the
GoToWebinar question panel.
Glossary of Terms
IDENTITY GOVERNANCE – Next-Generation approach to identity management that goes
beyond provisioning, allowing clients to sustainably govern how they manage access. Enabling
organizations to determine who has access to what resources, if that access is appropriate and if
it threatens security or compliance posture.
ROLE LIFECYCLE MANAGEMENT (RLM) – Process that enables organizations to mine, map,
manage and report on the complex relationships of users, business rules and the entitlements
assigned to them within the IT infrastructure.
PREVENTATIVE AND DETECTIVE CONTROLS – Preventative controls are designed to keep
errors or irregularities from occurring in the first place. Detective controls are designed to detect
errors and irregularities which have already occurred and to assure their prompt correction.

Agenda
 Speaker Introductions
 Healthcare Providers
 Changing Landscape of Business and IT
 Identity and Access Management Business Drivers
 Case Study: Presbyterian Healthcare Services
 IAM Journey
 IAM Revelation and Program
 Lesson Learned
 A Word from Our Sponsors

Speakers
Andrew Ames
VP Marketing
Logic Trends
Larry Wolf
Regional Director
Logic Trends
Aaron Frankel
Security Operations
Manager,
Presbyterian
Health Systems
Jackie Gilbert
VP Marketing &
Founder
SailPoint

Company Overview
 National services, consulting and systems integration firm focused on
Security, Identity and Access Management (IAM)
 Proven, repeatable IAM deployment methodology: IAM5™
 Hundreds of successful IAM Engagements executed in nearly every industry
 Regional offices: Atlanta, Dallas, Chicago, New York
 New Mexico’s only private, non-profit healthcare system serving over 700,000
patients at over 30 different clinics and 7 hospitals
 Largest health care provider and managed care organization in New Mexico
 Fastest growing physician group, employing more than 500 physicians
and practitioners
 Award-winning identity governance software, SailPoint IdentityIQ™, provides
superior visibility into and control over user access to sensitive applications
and data while streamlining the access request and delivery process
 Helps the world’s largest organizations to mitigate risk, reduce IT costs and
ensure compliance
 Customers include top healthcare, pharmaceutical, health/life insurers,
financial services, property & casualty insurers, and other highly regulated
industries

IAM BUSINESS DRIVERS FOR
HEALTHCARE PROVIDERS
Section 1

Business Drivers for Healthcare Providers
CURRENT STATE
HIPAA audit; HHS Oversight
HITRUST Maturity & CSF, SAS70
CURRENT STATE
Clinician survey results:
#1 request: Simplified app access.
Approx. 40% of help desk calls
were password reset.
CURRENT STATE
IT teams pale in comparison to
corporate standards. HITECH
driving more IT adoption.
Increased security scrutiny.
CURRENT STATE
30% of Stage 1 Meaningful Use
Criteria are IAM related.
Increased scrutiny and penalties
assoc with HIPAA alignment.
Risk and Compliance
End User Experience
Operational Efficiency
Meaningful Use

Healthcare Provider Industry Survey Results
 Industry survey provided by Zoomerang
 Polled 600 healthcare decision makers
10%
38%
38%
10%
4%
Inadequate application
access security
Breach of confidential
information
Unauthorized access to
clinical applications
and patient data
Audit failure
Other
1%
2%
15%
29%
53%
They aren't considered very
much
They aren't a factor at all
They are the primary drivers
They are an influence
They are strongly considered
What is your greatest security concern? How much do HIPAA/HITECH drive your
organization’s IT purchasing decision?
Direct correlation between “security concerns” and purchasing decisions.

40%
24%
6%
12%
6%
9%
3%
Top 3 IAM Drivers for Healthcare Providers
70% of registered attendees identified:
1. Improved user experience
2. Automated user lifecycle mgmt
3. Tighter compliance related controls

PRESBYTERIAN HEALTHCARE
SERVICES’ CASE STUDY
Section 2

Company Overview
Established in 1908, New Mexico’s largest non-profit
healthcare system, largest health care provider and largest
managed care organization with:
 7 hospitals and 40 clinics
 Over 9,000 employees, including 500+ physicians &
clinicians and 3,000+ contractors
 Over 700,000 patients generating over 1.2M visits/yr
 Top 10 integrated healthcare delivery network
INDUSTRY, PERSONNEL AND COMMUNITY EXCELLENCE

IAM Journey @ PHS
2008 20112009 2010
Influential and vocal Cardiology
Group seeks to invest heavily in IT to
improve patient care. Heart Glass
(single pane) initiative begins to
address patient data management
for cardiology physicians. Auditors
seek more granular insight into
access and IT controls.
PHS seeks to address
several business & IT
requirements with IAM.
Conducts internal discovery,
and interfaces with IT
analyst. Initial focus was
technical in nature, with an
appetite for eProvisioning.
PHS’ users clamor for
improved experience and
self-service. IT and
Security collaborate to
build upon the IAM
platform to enable these
end-user services.
ARRA & HITECH Act
provide PHS with a
renewed vision on
simplification, both
infrastructure and
clinical IT.
Multiple PHS groups
collaborate to understand
and define key IT, audit,
security, clinical and
business goals, and the
role of IAM. Logic Trends
works as advisor to
establish program that
aligns with key initiatives.
PHS looks to further
leverage the eProvisioning
platform and introduces
Patient Context
Management to support
data integration of several
key clinical applications.

IAM Revelation & Goals
2008 20112009 2010
Influential and vocal Cardiology Group seeks
to invest heavily in IT to improve patient care.
Heart Glass (single pane) initiative begins to
address patient data management for
cardiology physicians. Internal and external
audit seek more granular insight to access
and IT Controls.
Presbyterian Healthcare seeks to
address several business & IT
requirements with IAM…conducts
internal discovery, purchases and
implements a solution. Initial focus
was technical in nature, with an
appetite for eProvisioning.
PHS’s user community clamors
for improved experience and self-
service. IT and Security
collaborate to build upon the IAM
platform to enable these end-user
services.
ARRA & Health Information
Technology for Economic and
Clinical Health (HITECH) Act
provides PHS with a renewed
vision on simplification, both
infrastructure and clinical IT.
PHS looks to further leverage
the eProvisioning platform
and introduce Context
Management, supporting the
data integration of several key
clinical applications.
IAM is a business challenge first and a technology issue,
second. What does the business need?
Multiple PHS groups collaborate to
understand and define key IT,
Audit, Security, Clinical and
Business goals, and the role of
IAM. Logic Trends works as
advisor to establish program that
Multiple PHS groups
collaborate to understand
and define key IT, Audit,
Security, Clinical and
Business goals, and the
role of IAM. Logic Trends
works as advisor to
establish program that
Enable simplified access reporting and
demonstration of IT controls to best support the
many needs of Audit
Expose user-friendly entitlements to business
users so access decisions can be made efficiently
and effectively
Automate application access based on
authoritative user events, to create agility and
speed when dealing with patient-care
Improve and simplify the user experience thereby
empowering users with the tools to do their job
Mature the IT, Identity and Application
infrastructure to enable more rapid adoption
of solutions

IAM Program Development
 With a clear understanding of the
business needs, PHS set out to
align the proper activities
 Leveraging the Logic Trends IAM5
methodology, PHS embraced:
 Phased approach with prioritization
of initiatives
 Data & process focus first
 Maturity model to enable future
functionality
 Business case and frequent solution
release schedule

Role Development
 “smart” eProvisioning of new users
based upon roles
 Full user lifecycle with approval and
controls
 Zero-day user and application
enablement
 Enterprise risk management
 Strengthen IT controls
 Compliance reporting alignment
IAM Program Execution
Phase 1
Phase 2
Phase 3
 Top Down (business) and Bottom-Up
(app / entitlement) analysis
 Business and technical role
development (model)
 Policy alignment with role and
business functions
 Business-aligned definition of “Who
Has (and needs) Access to What”
 Flexible yet accountable model for
identity and access management
 Least privilege without role explosion
Applications
Managers
FUNCTIONALITY BUSINESS VALUE
 Enterprise identity data collection,
reconciliation & cleansing
 Defining “Who Has Access to What”
 Policy awareness and definition
 User access certification
 Identity, access & entitlement maturity
 Enhanced IT controls
 Audit alignment
 IAM platform enabler
 End user empowerment & efficiency

Lessons Learned
 IAM is always evolving and the business will remain dynamic…
remain agile and annually assess priorities, technology and
alignment
 Focus on your data & entitlements first (who has access to
what). Everything else in your IAM program builds upon that.
 Quick Wins are critical for maintaining momentum and
organizational support for Identity and Access Management
initiatives.
 Develop an IAM strategy, and seek support and contributions
from key business and clinical stakeholders.
 Experienced partners can help navigate the process to ensure
objectives are met.

A WORD FROM OUR SPONSORS
Section 3

Logic Trends
A leading professional services firm focused on Identity & Access
Management and Governance
Corporate Profile
 Founded in 2002
 Inc. 500 Fastest Growing US private
company honoree for five years
 Logic Trends services its National
client base through operations in
Atlanta (HQ), Dallas, Chicago,
New York, and Baltimore
Services Profile
 300+ Engagements Completed
 Repeatable IAM5 Services Framework
 Full IAM Lifecycle Service Delivery including:
 Strategic Advisory
 Program/Project Management
 Full IAM SDLC Support
 Cloud-Based IAM offering
 24X7 Support Center
Resource Snapshot
 Senior Delivery Team, 12+ years of IAM delivery
 70 employees nationally
 Regionally focused
with national
coverage
Sample Healthcare Clients

IAM5 – Approach & Methodology
Identity and Access Management often represents the first truly
enterprise solution an organization will deploy. Consequently, IAM
is an organizational, process, and corporate culture challenge first
and a technology challenge second. Our broad experience with
Enterprise IAM has led to the following methodology development:
The IAM5 Methodology is positioned to deliver incremental wins and
outputs for the business and technical audiences

IAM for Healthcare
Perfect storm of…
 Compliance needs
 Provider consolidation
 Patient access
 IT adoption
 End user experience
improvements
Requires a partner with
healthcare, business, IT and
security knowledge capital

Introducing SailPoint
 Leading identity and access governance (IAG)
solution provider
 Founded in 2005
 Headquartered in Austin, Texas
 Over 140 employees around the world
 Our global customer base
 Over 75 companies in 14 countries
 Our specialty: security & privacy regulatory
challenges in healthcare, financial services and
insurance
 We help our customers to
 Reduce risk of non-compliance
 Proactively manage security and identity risk
 Lower administration and compliance costs
 Enhance employee productivity
 Pave the way for future initiatives

SailPoint IdentityIQ Suite
A unified solution for automating compliance and user lifecycle
processes – built on a common roles, policy, and risk model
Compliance
Management
Lifecycle
Management
 Automates regular review
of user access
 Proactively detects and
notifies managers of
policy violations
 Detects and mitigates
identity & access risks
 Provides analytics &
reporting for proof of
compliance
 Provisions new users
 Automates routine user
administration tasks
 Job changes
 Location changes
 Forgotten or expired
passwords
 De-provisions
terminated users

Determine Current
State
Who has access to what?
Is that access appropriate?
Automate User
Lifecycle Processes
Access Request
Event Lifecycle Mgmt
Workflow/Connectors
Model Desired State
Mine, model & define roles
Define access policies
Configure risk model
SailPoint’s Unique
Governance-Based Approach
 Aggregate and correlate data
 Data cleanup
 Access reviews
 Remediation & critical
corrective actions
 Mine, model & create roles
 Define role assignment rules
 Define business policies (SoD
and other)
 Define risk model components
 Configure access request
 Define lifecycle events
(joiner, mover, leaver)
 Establish approval
workflows and policies
 Define change management
processes
 Deploy connectors
where needed

SailPoint: Fast Results, Fast ROI
 Immediate value to the business
 Identify potential risks and vulnerabilities
 Remediate problems to reduce risk
 Automate strong controls and reliable, repeatable oversight
 Provide proof of compliance on demand
 Ensure compliance with these safeguards by all staff
 Measurable results in weeks
 Reduced compliance costs and staffing requirements
 Revocations of inappropriate access (avg. 20-30%)
 Detection and remediation of policy violations
 Elimination of high-risk accounts

Identity Management: Front and Center for Healthcare Providers

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (18)

Similar to Identity Management: Front and Center for Healthcare Providers

Similar to Identity Management: Front and Center for Healthcare Providers (20)

Recently uploaded

Recently uploaded (20)

Identity Management: Front and Center for Healthcare Providers