Achieving HIPAA Compliance with Identity and Access Management

Transcription

1 Achieving HIPAA Compliance with Identity and Access Management A Healthcare Case Study Stephen A. Whicker Manager Security Compliance HIPAA Security Officer AHIS/St. Vincent Health DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

2 Conflict of Interest Disclosure Stephen A. Whicker Has no real or apparent conflicts of interest to report HIMSS

3 Agenda Organizational Background Meaningful Use & Identity Management Driving Factors to Implement IDM History of our Implementation Our Identity Management Roadmap IDM Implementation Structure Process of Provisioning Escalations Lessons Learned and Next Steps Questions

4 Organizational Background St. Vincent Health is the largest Not-for-Profit healthcare provider in the Midwest. 20 Hospitals and 100+ ancillary facilities St. Vincent Health is part of Ascension Health which is the largest Not-for-Profit healthcare organization in the United States with over 100,000 associates. Ascension Health Information Services, LLC is the Information Services provider for all ministries within Ascension, including St. Vincent. Nearly 25,000 users are managed by the Identity Management System at St. Vincent Health.

5 Meaningful Use Stage 1 Divided among five priority areas Improving quality, safety, efficiency, and reducing health disparities Engage patients and families in their health care Improve care coordination Improve population and public health Ensure adequate privacy and security protections for personal health information

6 Meaningful Use Stage 1 Objectives Satisfied by Implementing Identity Management Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency Verify that an individual seeking access to electronic health information is the one claimed and is authorized to access such information

7 Driving Factors to Implement IDM Regulatory Compliance HIPAA Requirements Unique User ID (a)(1) Access Control (a)(4) Workforce Security (a)(3) Minimum Necessary (b)(1) Enterprise Role-based Access Control (RBAC) model Auditing / Reporting Security Automate Manual Security Policies Automate Identity Management (Create, Modify, Del ete) Automate Roles Based Access Control Automate Workflow Approval, Denial Efficiency / Cost Reduce Manual Admin via automated account provisioning Implement Online HR benefits management Lay Foundation for expanded services Improve Data Accuracy Leverage Current Investments Implement Password Reset Self Service

8 Past Problem Current Solution Four separate networks (Indianapolis, Frankfort, Ander son, Kokomo) Two separate and overlapping access request processes for identity and access management (ID Request and IS Request), made it difficult to centrally manage the access request and change logs Identity creation and management was a manual process No centralized process to document request completion No formal validation process to verify the authenticity of requesting manager Multiple touch points (Network Administrator and Application support personnel) for creation of Login ID for an individual user De-provisioning process was not consistently followed No user entitlement matrix existed Identity Manager 3.0 deployed January 17, 2007

9 Business and Ongoing Support Auditing and Reporting Role Based Provisioning Design and Implementation Enhanced Provisioning Design and Implementation Directory Infrastructure Readiness Our Identity Management Roadmap Upgrade NT Domains to AD Upgrade Existing Drivers to IdM2 Enable Bi-Directional Creates Consolidate File Services Trees Completed Implement Universal Password Document Identity Management Requirements Process Analysis and Design Document Web based Provisioning Workflow Requirements Design Enhanced Identity Management Design Web based Provisioning Workflow Implement Password Self Service Implement PeopleSoft Connector Enhance Existing Connectors and Implement Implement Web Based Provisioning Workflow Completed Role Definition and Mapping Document Role based provisioning requirements Design Role based provisioning Implement Role based access and provisioning Provision users to additional systems Identify Audit Needs Design Auditing and Reporting Audit Logging ( enable real time logging with appropriate systems) Implement Audit Skill Assessment Skills Development and Training Ongoing Maintenance and Support Governance, Organizational Change Management and Communication

10 Identity Management Structure PeopleSoft Biztalk Data Warehouse Vistar Password Management Framework Identity Vault Identity Management Portal (User Application) STVI IND1 STVLDAP STVNET National

11 Other Applications Active Directory (STVNET) Active Directory (IND1 & SVHLDAP) edirectory (STVI ) Workflow Processes edirectory (IDV) PeopleSoft HRMS Non-System Processes Start 1 Hiring Process 1. HR/manager is notified of new hire (associate/ non-associate) 20. User and Manager receives notification that application has been granted 2. HR/manager enters hire data into PS (associate / nonassociate) 7. PeopleSoft is updated with Login ID & address 3. All required attributes Are available and PeopleSoft effective date has transpired No 4. Is this a new Identity? Yes 5a. Identity Manager determine unique Login ID 6. Identity Manager creates and places the Identity 5b. Go to Modify Users Process Box #4 19. Workflow generates notifications Yes 15b. Application support checks queue 14. WF approved by approver? Yes for non connected system 13. Identity Manager generates workflow & notify for default applications per rules 11. Identity Manager s manager of new hire Manager requests additional Apps via WF 12. Go to Modify Users Process Box #10b 8. Identity Manager creates Identity in STVI 18. Application support approves WF Yes for connected system 9a. Identity Manager creates Identity IND1 9b. Identity Manager creates Identity in SVHLDAP 10. Identity Manager creates Identity STVNET 16. Application support determines access rights 17. Application support creates Identity and access rights Process perfomed for each application requested 15a. Create new user account automatically

12 her Applications Active Directory (STVNET) Active Directory (IND1 & SVHLDAP) edirectory (STVI) Workflow Processes edirectory (IDV) PeopleSoft HRMS Non-System Processes Termination Process Start 1 Start 2 Start 3 1. Manager is notified of a termination event for associate or non associate 1b. HR Service Center is notified of termination event for associate or non associate 1c. Termination is initiated through VISTAR feed 5. Server team is notified that the user never showed up for work, research is done, accounts may be deleted manually, instead of just disable automatically 15. Manager receives notification 2. Data is entered into PeopleSoft HRMS 3. IDM Updates User data in IDV. disables account & moves user to the inactive container 4a. Is this an a no show hire? 14. Workflow generates notifications 4b. Routes termination WF request to all app security admin(s) Yes 11. All application support admin(s) are notified via of a termination workflow task to be completed after they disable or delete the account 13. Application Support Approves WF 6. IDM Updates User data in STVI. disables account & moves user to the inactive container 7. IDM Updates User data in IND1. disables account & moves user to the inactive container 8. IDM deletes user account in SVHLDAP 9. IDM disables Exchange user 10. IDM deletes user account in STVNET 13. Application support admins disable/delete user manually in other application(s)

13 Other Processes Handled Renames (Legal Name Changes) Business Unit Changes User Profile Data Changes

14 Lessons Learned Lessons Learned and Next Steps Know how implementing the solution will help your organization comply with HIPAA and HITECH Know and thoroughly document your environment Assume nothing (verify things actually work as advertised) Understand the organization s business processes Talk to users and understand and their business processes Cooperation and involvement of Human Resources is vital Have a viable test environment Be prepared for problems Next Steps Access Governance Suite Implementation Role Based Provisioning

15 Questions?

16 It s kind of fun to do the impossible. Walt Disney Stephen A. Whicker Manager Security Compliance HIPAA Security Officer AHIS/St. Vincent Health sawhicke@stvincent.org