provision foundation
ACTIVE DIRECTORY AND MICROSOFT EXCHANGE PROVISIONING FOR HEALTHCARE PROVIDERS

The promise of reduced administrative costs and improved caregiver satisfaction associated with user provisioning can be realized through a wide range of implementation approaches. Given the significant and unique challenges user provisioning poses to healthcare organizations, many providers will benefit from a phased approach to implementation. provision foundation (formerly Sentillion provision and recently acquired by Microsoft) enables these providers to deploy basic workflows that manage the creation and termination of Active Directory and Microsoft Exchange accounts while retaining the flexibility to add further systems and data over time. Through a combination of deployment technology and an entry-level, fixed-price services plan tailored specifically to the healthcare industry, the provision foundation approach creates a lower-risk, low-cost path to realizing speed benefits while positioning the healthcare organization to evolve seamlessly to a more comprehensive provisioning deployment.

HEALTHCARE: A UNIQUELY COMPLEX ENVIRONMENT

Healthcare organizations face unique complexities when automating user provisioning. Many caregivers and other key resources are not employed directly by hospitals; they are often contracted or temporary staff (such as students, residents, Locum Tenens, and agency staff). This increases the risk of personal healthcare information (PHI) being compromised and poses challenges in providing access to the systems required to initiate immediate patient care. Further, the wide diversity of job functions and specialties within a healthcare organization places unique burdens on those tasked with defining roles and managing access privileges on a granular basis.
Also, healthcare IT professionals are stretched to the limit as they grapple with a variety of complex enterprise- and departmental-level clinical and business implementations, leaving fewer resources for a comprehensive user provisioning development and deployment. While the benefits of a full user provisioning system are well documented, these complicating factors require a practical approach: creating a baseline for deployment by establishing Active Directory and Microsoft Exchange accounts and growing from there.
CHALLENGES

PATIENT CARE: QUICKLY GRANTING ACCESS

Quality patient care requires that healthcare practitioners be granted fast access to basic network and communication resources, such as printers, network drives, shared files, web applications, VPN, and e-mail. Yet in many healthcare organizations, this process can take two weeks or more. provision foundation provides Zero Day Provisioning through simple onboarding workflows that enable clinicians to gain this access on the first day they arrive to treat patients. These workflows can be quickly and easily configured, eliminating the manual work required to set up Active Directory and Microsoft Exchange accounts and freeing IT resources to work on more complex clinical application deployments.

SECURITY: FAST TERMINATION

One of the most common security deficiencies cited by auditors is the inability to quickly disable accounts associated with caregivers leaving a healthcare organization. This lack of relevant controls increases the potential for inappropriate disclosure of PHI and the risk of legal prosecution and damaged reputations. The resulting security holes are exacerbated by the accumulation of privileges as caregivers and administrative personnel are transferred and promoted. Further, the high proportion of temporary professionals flowing in and out of a healthcare organization increases the risk of data leakage. By solidly establishing identities and accounts in Active Directory, provision foundation enables immediate user termination and the disablement of Active Directory and e-mail accounts.

COMPLIANCE REPORTING: DEFINING WHICH USERS HAVE WHAT RESOURCES

Regulatory pressures require healthcare providers to validate access privileges to ensure that policies relating to PHI are enforced. All transactions related to user and access information are automatically posted to an audit database, including when Active Directory and Microsoft Exchange requests are initiated and approved, by whom, and when.
provision foundation also supports the generation of reports that match the resources users have to the resources they should have according to security policy. This provides the basis for meeting attestation requirements for HIPAA, The Joint Commission, Sarbanes-Oxley, and internal audits with fewer IT and user management resources.

CAPABILITIES

Unlike traditional provisioning implementations, the provision foundation approach presumes a phased approach in which the scope of the initial implementation is narrowed to a predetermined set of critical, standardized workflows, requiring only the initial population of Active Directory accounts and simple policy decisions relating to Active Directory and Microsoft Exchange.

[Figure 1. Provisioning Workflow]

PROVISIONING WORKFLOWS

New Account Creation and Management
Create and modify Active Directory and Microsoft Exchange accounts with attributes based on role templates representing users with similar access rights and job responsibilities. This includes the ability to assign users to Active Directory Groups and Organizational Units (OUs). New accounts and account attribute changes are synchronized immediately and automatically reflected in the user interface.
User Deprovisioning
Enable fast termination of user accounts while retaining information supporting the continuation of patient care.

Requestor/Approver Workflow
Provide a user interface and e-mail based workflow for requests and approvals. Administrative personnel will be able to initiate requests for e-mail access privileges and prompt approvers to verify user and Active Directory access information. Clinical supervisors, specialists, and other managers will be able to verify information associated with Active Directory privileges and approve requests via e-mail. Provide an option for establishing policies for e-mail access (mailbox size, location) based on department code, job code, or facility/cost center information imported from your organization's human resource (HR) system.

Contractor Workflow
Provide a user interface and e-mail based workflow to manage the provisioning of temporary clinical professionals such as medical students, traveling nurses, and Locum Tenens. Includes the ability for approvers to define contractor expiration dates, be alerted to impending expirations, and extend contractor engagements.

INTEGRATION

Active Directory and Microsoft Exchange Integration
Automate the connection between user provisioning actions/workflows and Active Directory and Microsoft Exchange using Microsoft bridge technology.

HR Triggers
Initiate account creation and user disablement automatically based on user additions and deletions in provider HR systems.

Self-Service Profile Management
Enable users to create and modify their personal profile information within Active Directory.

Provisioning for SSO and Context Management
Enable provisioning actions and generate credentials for Vergence (formerly Sentillion Vergence and recently acquired by Microsoft) clinical workstation and Microsoft expresso (formerly Sentillion expresso and recently acquired by Microsoft) SSO solutions.
Authentication
Validate the identity of users via authentication data stored in Active Directory, using user name/password pairs or expresso SSO credentials. Automate the generation of user IDs and temporary PINs for initial user access.

Password Reset
Allow users to reset their own passwords if expired or forgotten without calling help desk personnel.

Audit Trails
Microsoft provision logs details associated with the user, such as account add and delete as well as request and approve transactions, including those automatically initiated by the HR system. Store audit line items in a SQL Server database to facilitate the creation of summary and detailed reports for compliance audits describing who took what provisioning actions and when.
Compliance Reporting
Provide three standard reports:
Account Access By User: lists which users have access to which applications
Terminated Users: lists users whose accounts have been disabled upon termination and when they were terminated
Provisioning Transactions: lists all provisioning actions, including the name of the provisioner and provisioned user, when the action was taken, and for what application

ARCHITECTURE

Lay the foundation today and build the framework for future applications.

1. One, easy-to-use web interface
All users interact with the system via a single, intuitive web interface. Users are exposed only to those provisioning actions that they can take according to security policy. This interface represents a central dashboard for ultimately managing access for all target applications beyond Active Directory and Microsoft Exchange once clinical information systems are added to the workflow.

2. Simple, e-mail based workflows
The provisioning engine generates workflows that eliminate the manual effort traditionally associated with managing access privileges. These workflows connect IT/security and clinical staff via a combination of e-mail and various web-based prompts requiring minimal IT intervention.

3. Automatic HR feed
Changes in user role/status and account information within the provider's HR system automatically trigger corresponding updates within the web-based provisioning interface. This capability drastically reduces IT resource requirements and generates a high return on investment for provisioning implementations.

4. Infrastructure for audit and compliance reporting
provision foundation includes out-of-the-box SQL databases for audit and compliance. The audit database contains a record of every provisioning action taken, by whom, and when. The compliance reporting database provides summary tables that list who has access privileges for which accounts as well as who should have these privileges according to policy. Both databases provide the basis for responding to HIPAA and The Joint Commission audits in an automated, timely manner.

5. One authoritative source
Active Directory acts as the single source of truth for user identities and associated attributes, eliminating the complexity and potential for errors associated with managing multiple identity stores.

6. Extensible to clinical applications
The provision foundation architecture can be extended to any and all clinical applications without requiring programming-intensive changes to database schemas or elements of the provider's existing infrastructure. This architecture sets the groundwork for automating the provider's complete healthcare provisioning process, including physical items such as pagers and stethoscopes as well as additional identifying information, such as license and DEA numbers.
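The "who has what versus who should have what" comparison behind the compliance reports, the fast-termination requirement, and the contractor expiration dates above can be expressed as a reconciliation of Active Directory state against the HR feed and role templates. The following is an added example written for this page, not code from provision foundation or Microsoft; the role template names, group names, and all HR and AD records are constructed, and reconcile() returns (user_id, finding, detail) tuples, an empty list meaning AD matches policy.

```python
# Added example, not the product's own code: reconcile AD accounts against HR status,
# contractor expiry dates and role templates. All records and group names are constructed.
from dataclasses import dataclass
from datetime import date
ROLE_TEMPLATES = {  # AD groups each job code should hold (constructed)
    "RN": {"Domain Users", "Clinical-Staff", "Exchange-Mailbox"},
    "MD": {"Domain Users", "Clinical-Staff", "Exchange-Mailbox", "VPN-Users"},
    "LOCUM": {"Domain Users", "Clinical-Staff"},
}

@dataclass
class HrRecord:
    user_id: str
    job_code: str
    terminated: bool
    expires: "date | None" = None  # contractor engagement end date, if any
@dataclass
class AdAccount:
    user_id: str
    enabled: bool
    groups: frozenset
def reconcile(hr, ad, today):
    findings = []
    ad_by_id = {a.user_id: a for a in ad}
    for rec in hr:
        acct = ad_by_id.get(rec.user_id)
        if acct is None:
            continue  # never provisioned, so nothing to revoke
        expired = rec.expires is not None and rec.expires < today
        if rec.terminated or expired:
            if acct.enabled:  # termination or expiry never reached AD
                findings.append((rec.user_id, "ENABLED_AFTER_TERMINATION", ""))
            continue  # group drift on a disabled account is moot
        expected = ROLE_TEMPLATES[rec.job_code]
        findings += [(rec.user_id, "EXCESS_GROUP", g) for g in sorted(acct.groups - expected)]
        findings += [(rec.user_id, "MISSING_GROUP", g) for g in sorted(expected - acct.groups)]
    hr_ids = {r.user_id for r in hr}  # enabled accounts with no HR record can never be auto-disabled
    findings += [(a.user_id, "NO_HR_RECORD", "") for a in ad if a.enabled and a.user_id not in hr_ids]
    return findings

# Constructed sample: a transferred nurse kept VPN, a Locum past end date is still enabled
SAMPLE_HR = [HrRecord("jdoe", "RN", False), HrRecord("mlee", "MD", True),
             HrRecord("lsmith", "LOCUM", False, expires=date(2024, 3, 31))]
SAMPLE_AD = [AdAccount("jdoe", True, frozenset(ROLE_TEMPLATES["RN"] | {"VPN-Users"})),
             AdAccount("mlee", False, frozenset({"Domain Users"})),
             AdAccount("lsmith", True, frozenset(ROLE_TEMPLATES["LOCUM"])),
             AdAccount("svc-legacy", True, frozenset({"Domain Users"}))]
def sample_findings():
    return reconcile(SAMPLE_HR, SAMPLE_AD, date(2024, 4, 15))
```

Feeding the real HR export and an AD group-membership dump into reconcile() yields the same three classes of finding the brochure's reports target: privilege accumulation, accounts left enabled after termination or contract expiry, and orphan accounts the HR feed can never reach.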
[Figure 2. Provisioning Workflow]

SERVICES

Extensive Healthcare IT Implementation Experience
Microsoft provides professional services to support the implementation of provision foundation. Each member of this staff is exclusively dedicated to the healthcare industry and is an expert in multiple facets of identity and access management (IAM) solutions for clinical, administrative, and personal productivity applications. Microsoft IAM solutions have been implemented at over 219 customers worldwide, including 5 of the top 10 pediatric hospitals and 6 of the top 14 hospitals ranked by US News and World Report.
Each provisioning project is staffed by a dedicated, healthcare-savvy project manager and business analyst as part of a larger project team. The team follows a formal methodology incorporating defined processes and best practices for provisioning, starting with a discovery and scoping meeting and ending with the completion of mutually agreed upon project milestones.

Fixed Price Services Plan
provision foundation is a tightly managed set of services to deliver basic provisioning policy definition, role templates, workflows, and integration capabilities for Active Directory and Microsoft Exchange in a four-week timeframe.

BENEFITS OF A MODULAR APPROACH

Realize early wins
By taking a modular approach to implementation, healthcare providers can realize tangible physician satisfaction and cost reduction benefits early in the deployment cycle and promote these successes internally to build momentum for a broader deployment of Clinical Information Systems (CIS).

Establish policy consensus
By focusing on Active Directory and Microsoft Exchange initially, providers can tackle the most basic policy decisions first (such as establishing which Active Directory Groups get e-mail access and what size mailbox is appropriate for which roles), and then apply that knowledge to the deployment of future applications.

Accelerate planned and future CIS deployment
Identifying and establishing Active Directory accounts is often a critical prerequisite for CIS implementations. These accounts provide the authoritative source and authentication mechanism for all future clinical applications. Quickly establishing a clear view of all identities and accounts will accelerate the deployment of any CIS system, resulting in improved patient care.

A COMPLETE IDENTITY AND ACCESS MANAGEMENT OFFERING

provision foundation is one of two stepping stones to a full provisioning deployment. provision foundation plus one offers the same Active Directory and Microsoft Exchange capabilities plus a platform for implementing one clinical information system of the healthcare provider's choice. The provision family, together with the Vergence clinical workstation solution and expresso (both formerly from Sentillion and recently acquired by Microsoft), and the Microsoft desktop virtualization solution, represent the industry's most complete, integrated, and healthcare-oriented identity and access management offering.

For more information visit us at www.whatsnextinhealth.com or contact us at info@sentillion.com.