Achieving HIPAA Compliance with Identity and Access Management


Achieving HIPAA Compliance with Identity and Access Management: A Healthcare Case Study
Stephen A. Whicker, Manager Security Compliance, HIPAA Security Officer, AHIS/St. Vincent Health

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

Conflict of Interest Disclosure
Stephen A. Whicker has no real or apparent conflicts of interest to report. 2012 HIMSS

Agenda
- Organizational Background
- Meaningful Use & Identity Management
- Driving Factors to Implement IDM
- History of our Implementation
- Our Identity Management Roadmap
- IDM Implementation Structure
- Process of Provisioning
- Escalations
- Lessons Learned and Next Steps
- Questions

Organizational Background
- St. Vincent Health is the largest not-for-profit healthcare provider in the Midwest: 20 hospitals and 100+ ancillary facilities.
- St. Vincent Health is part of Ascension Health, the largest not-for-profit healthcare organization in the United States, with over 100,000 associates.
- Ascension Health Information Services, LLC is the Information Services provider for all ministries within Ascension, including St. Vincent.
- Nearly 25,000 users are managed by the Identity Management System at St. Vincent Health.

Meaningful Use Stage 1
Divided among five priority areas:
- Improving quality, safety, efficiency, and reducing health disparities
- Engage patients and families in their health care
- Improve care coordination
- Improve population and public health
- Ensure adequate privacy and security protections for personal health information

Meaningful Use Stage 1 Objectives Satisfied by Implementing Identity Management
- Assign a unique name and/or number for identifying and tracking user identity, and establish controls that permit only authorized users to access electronic health information
- Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency
- Verify that an individual seeking access to electronic health information is the one claimed and is authorized to access such information

Driving Factors to Implement IDM
Regulatory Compliance
- HIPAA Requirements: Unique User ID - 164.312(a)(1); Access Control - 164.308(a)(4); Workforce Security - 164.308(a)(3); Minimum Necessary - 164.502(b)(1)
- Enterprise Role-based Access Control (RBAC) model
- Auditing / Reporting
Security
- Automate manual security policies
- Automate identity management (Create, Modify, Delete)
- Automate role-based access control
- Automate workflow approval and denial
Efficiency / Cost
- Reduce manual admin via automated account provisioning
- Implement online HR benefits management
- Lay foundation for expanded services
- Improve data accuracy
- Leverage current investments
- Implement password reset self-service

History of our Implementation
Past Problems
- Four separate networks (Indianapolis, Frankfort, Anderson, Kokomo)
- Two separate and overlapping access request processes for identity and access management (ID Request and IS Request) made it difficult to centrally manage the access requests and change logs
- Identity creation and management was a manual process
- No centralized process to document request completion
- No formal validation process to verify the authenticity of the requesting manager
- Multiple touch points (Network Administrator and Application Support personnel) for creation of a Login ID for an individual user
- De-provisioning process was not consistently followed
- No user entitlement matrix existed
Current Solution
- Identity Manager 3.0 deployed January 17, 2007

Our Identity Management Roadmap
Directory Infrastructure Readiness (Completed)
- Upgrade NT Domains to AD
- Upgrade existing drivers to IdM2
- Enable bi-directional creates
- Consolidate File Services trees
- Implement Universal Password
Enhanced Provisioning Design and Implementation (Completed)
- Document Identity Management requirements
- Process analysis and design
- Document web-based provisioning workflow requirements
- Design enhanced Identity Management
- Design web-based provisioning workflow
- Implement password self-service
- Implement PeopleSoft connector
- Enhance existing connectors and implement
- Implement web-based provisioning workflow
Role Based Provisioning Design and Implementation
- Role definition and mapping
- Document role-based provisioning requirements
- Design role-based provisioning
- Implement role-based access and provisioning
- Provision users to additional systems
Auditing and Reporting
- Identify audit needs
- Design auditing and reporting
- Audit logging (enable real-time logging with appropriate systems)
- Implement audit
Business and Ongoing Support
- Skill assessment
- Skills development and training
- Ongoing maintenance and support
- Governance, organizational change management and communication

Identity Management Structure
Components (from the architecture diagram): PeopleSoft, Biztalk, Data Warehouse, Vistar, Password Management Framework, Identity Vault, Identity Management Portal (User Application), STVI, IND1, STVLDAP, STVNET, National E-Mail

Hiring Process
Swimlanes in the flowchart: Non-System Processes, PeopleSoft HRMS, eDirectory (IDV), Workflow Processes, eDirectory (STVI), Active Directory (IND1 & SVHLDAP), Active Directory (STVNET), Other Applications.
Start 1
1. HR/manager is notified of new hire (associate/non-associate)
2. HR/manager enters hire data into PS (associate/non-associate)
3. All required attributes are available and the PeopleSoft effective date has transpired? (No: wait; Yes: continue)
4. Is this a new Identity? (No: 5b. Go to Modify Users Process Box #4)
5a. Identity Manager determines a unique Login ID
6. Identity Manager creates and places the Identity
7. PeopleSoft is updated with Login ID & email address
8. Identity Manager creates Identity in STVI
9a. Identity Manager creates Identity in IND1
9b. Identity Manager creates Identity in SVHLDAP
10. Identity Manager creates Identity in STVNET
11. Identity Manager emails manager of new hire; manager requests additional apps via WF (12. Go to Modify Users Process Box #10b)
13. Identity Manager generates workflow & email notification for default applications per rules
14. WF approved by approver? (Yes, for connected system: 15a; Yes, for non-connected system: 15b)
15a. Create new user account automatically
15b. Application Support checks queue
16. Application Support determines access rights
17. Application Support creates Identity and access rights (process performed for each application requested)
18. Application Support approves WF
19. Workflow generates email notifications
20. User and manager receive notification that the application has been granted

Termination Process
Swimlanes in the flowchart: Non-System Processes, PeopleSoft HRMS, eDirectory (IDV), Workflow Processes, eDirectory (STVI), Active Directory (IND1 & SVHLDAP), Active Directory (STVNET), Other Applications.
Start 1: 1. Manager is notified of a termination event for associate or non-associate
Start 2: 1b. HR Service Center is notified of termination event for associate or non-associate
Start 3: 1c. Termination is initiated through VISTAR feed
2. Data is entered into PeopleSoft HRMS
3. IDM updates user data in IDV, disables account & moves user to the inactive container
4a. Is this a no-show hire? (Yes: 5. Server team is notified by email that the user never showed up for work; research is done, and accounts may be deleted manually instead of just being disabled automatically)
4b. Routes termination WF request to all app security admin(s)
6. IDM updates user data in STVI, disables account & moves user to the inactive container
7. IDM updates user data in IND1, disables account & moves user to the inactive container
8. IDM deletes user account in SVHLDAP
9. IDM disables Exchange user
10. IDM deletes user account in STVNET
11. All application support admin(s) are notified via email of a termination workflow task to be completed after they disable or delete the account
13. Application support admins disable/delete user manually in other application(s)
13. Application Support approves WF
14. Workflow generates email notifications
15. Manager receives notification
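The "de-provisioning process was not consistently followed" problem is what the termination flow above fixes, and a simple way to prove it holds is to reconcile the expected end state of steps 3 and 6-10 against what each directory actually reports. The following check is an added example, not code from the presentation or from St. Vincent Health; the container name "ou=Inactive" and the account-state vocabulary are assumptions.

```python
# Added reconciliation check: verify that a terminated Login ID reached the end
# state the termination workflow defines in each connected system.
from dataclasses import dataclass

# Expected end state per system, from steps 3 and 6-10 of the termination flow.
EXPECTED = {
    "IDV": "disabled", "STVI": "disabled", "IND1": "disabled",
    "SVHLDAP": "deleted", "Exchange": "disabled", "STVNET": "deleted",
}
# Systems where a disabled account must also be moved to the inactive container.
MOVE_TO_INACTIVE = {"IDV", "STVI", "IND1"}
INACTIVE = "ou=Inactive"  # assumed container name; the deck does not give one


@dataclass
class Account:
    state: str           # "enabled", "disabled" or "deleted"
    container: str = ""  # e.g. "ou=Users" or "ou=Inactive"; empty when deleted


def audit_termination(login_id, accounts):
    """Return findings for one terminated user; an empty list means clean.

    `accounts` maps system name -> Account. A system missing from the map is
    treated as deleted. A deleted account also satisfies "disabled", because
    no-show hires may be deleted manually instead of just disabled (step 5).
    """
    findings = []
    for system, expected in EXPECTED.items():
        acct = accounts.get(system, Account("deleted"))
        if acct.state == "enabled":
            findings.append(f"{login_id}: {system} account still enabled")
        elif expected == "deleted" and acct.state != "deleted":
            findings.append(f"{login_id}: {system} account {acct.state}, expected deleted")
        elif (system in MOVE_TO_INACTIVE and acct.state == "disabled"
              and acct.container != INACTIVE):
            findings.append(f"{login_id}: {system} account not moved to inactive container")
    return findings


# Constructed sample: an incomplete termination (Exchange left enabled, STVNET
# only disabled, STVI disabled but never moved) beside a completed one.
INCOMPLETE = {
    "IDV": Account("disabled", INACTIVE), "STVI": Account("disabled", "ou=Users"),
    "IND1": Account("disabled", INACTIVE), "Exchange": Account("enabled", "ou=Users"),
    "STVNET": Account("disabled", "ou=Users"),  # SVHLDAP absent -> deleted
}
COMPLETE = {
    "IDV": Account("disabled", INACTIVE), "STVI": Account("disabled", INACTIVE),
    "IND1": Account("disabled", INACTIVE), "Exchange": Account("disabled", "ou=Users"),
}

if __name__ == "__main__":
    for line in audit_termination("jdoe", INCOMPLETE):
        print(line)
```

Run on a nightly export of terminated Login IDs, the non-empty result lists are the entitlement leftovers an auditor would otherwise only find by hand.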

Other Processes Handled
- Renames (legal name changes)
- Business unit changes
- User profile data changes

Lessons Learned and Next Steps
Lessons Learned
- Know how implementing the solution will help your organization comply with HIPAA and HITECH
- Know and thoroughly document your environment
- Assume nothing (verify things actually work as advertised)
- Understand the organization's business processes
- Talk to users and understand their business processes
- Cooperation and involvement of Human Resources is vital
- Have a viable test environment
- Be prepared for problems
Next Steps
- Access Governance Suite implementation
- Role-based provisioning

Questions?

"It's kind of fun to do the impossible." - Walt Disney

Stephen A. Whicker, Manager Security Compliance, HIPAA Security Officer, AHIS/St. Vincent Health
sawhicke@stvincent.org