
Identity Management – A Success Story Prolifics / Tampa General Hospital


Presentation Transcript


  1. Identity Management – A Success Story Prolifics / Tampa General Hospital Tivoli User Group, Atlanta Georgia Kyle Watson, Security Practice Director kwatson@prolifics.com 813-480-1575 April 14, 2011

  2. Who We Are > Prolifics Total End-to-End Solutions 100% Exclusive to IBM

  3. Who We Are > Security Practice • IBM Security Leadership • Experience in a myriad of security challenges across many industries • Only IBM Business Partner “AAA Accredited” for Deployment across the entire IBM Tivoli Security Portfolio • Largest IBM Dedicated Security Practice of any integrator in North America • Team includes original developers of core IBM Security Platforms • Technical Leadership • Over 110 IBM and IT Industry Security technical certifications; Sr. Architects are also CISSP certified • Participation in all IBM Early Release and Beta programs (TIM, TFIM, TAMESSO) • Sought out by IBM for new product feature input and technical direction • Prolifics Architects lead/present at IBM and IT Industry Security conferences • Delivery Leadership • Considered one of three “A-list” partners from IBM Support for Security • Considered low-risk by IBM’s software delivery group; projects often staffed 100% by Prolifics resources

  4. Tivoli Identity Manager Success Story Tampa General Hospital One of Florida’s largest hospitals with 1004 beds and approximately 15,000 identities including physicians and students. Tampa General Hospital is a not-for-profit hospital and serves a population of over 4 million. TGH is affiliated with the University of South Florida College of Medicine.

  5. Business Challenges • American Recovery and Reinvestment Act • Infused budget for Electronic Medical Record (EMR) • Increased penalties for non-compliance to HIPAA Then TGH called Prolifics and said… • But we don’t have a good handle on who is… • An Employee • A contract or temp nurse • A Medical Student • A Resident • A Staff vs. Regular Physician • And none of the medical staff have unique logins • And students, doctors, and contractors have no centralized point of management And by the way, our budget is driven by clinical needs

  6. Security Challenges • Visibility • Unauthorized access was nearly impossible to detect • Tracking and reporting of user activity was impossible (shared ids) • Automation • User Lifecycle Management – Manual and Decentralized • Password reset calls made up the majority of help desk work effort • Control • Access rights were not managed by organizational role (discretionary access control)

  7. Unique User Account Challenge In order for the EMR implementation to be successful, TGH needed every user to be uniquely identified in Active Directory for authentication. The current mainframe patient accounting environment had some reference data. Invision: some users log in under unique ID names, some do not; some follow the standard, some do not. Active Directory: always shared in medical areas, always unique in the back office, not always standardized.

  8. Unique User Account Challenge (Screen flow shown on the slide:) The patient record is opened in EPIC. The user clicks on the radiology image. The PACS Web Viewer is launched with the image requested.

  9. Unique User Account Challenge Behind the scenes, EPIC is loading the PACS web viewer connected to PACS. If the user is generic here (“epicuser”), then no auditing can take place in PACS about what Janet, user C123456, has viewed. (Diagram: PACS, AD and EPIC.) After Phase 1, Janet is always uniquely identified here (“C123456”).

  10. Solution Phase 1: Role Based Access Control (RBAC) and Tivoli Identity Manager (TIM) foundation for Employees Phase 2: RBAC and TIM expansion to students, contractors, affiliated physicians Phase 3: Fast desktop sharing with unique identification for control and compliance with Tivoli Access Manager for Enterprise Single Sign On The solution gives Tampa General something it never had before: precise knowledge and control of who has access to applications Faster system access means better patient care

  11. How did we get there?

  12. RBAC and TIM

  13. Baby Step, Data Cleansing • Data Cleansing – Why and How? • Defining access by role requires analysis of what all users by type and cost center have in common • Analyzing this information was not possible at the time because we weren't certain who owned which user ID • Using pattern matching we produced linkage between HR employee information and key platforms • Reviewing and approving the correlated HR and user ID information was the role of IT • Then we assigned a unique identifier (badge ID) back to the target system to ensure accuracy

  14. User Linkage Example (Figure: the person record beside its attempted matches, each with a percentage of success; one match is flagged “this match looks likely”.) Where badge # and user ID match, ownership is 100% certain; then any exact name match (without dupes) is assumed 100% certain; after that we assigned varying percentage levels for manual validation.

  15. Data Cleansing Result A data file was extracted for each platform similar to the data shown on the slide. We worked with the system owner to identify an available user ID field in which to “upload” the badge ID to the platform
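The linkage procedure of slides 13 to 15, as an added example (this is not code from the presentation or from Prolifics or TGH): an HR extract is correlated with a platform's account export using the tiers the slides describe. A badge number on the account, or a user ID that is itself the badge number, is a 100% match; an exact name match with no duplicate in HR is also 100%; weaker name matches get assumed percentages (75 and 50 are my choice, the slides give no values) and are queued for manual validation, and only certain links are written back to the platform's spare ID field. All records, names and badge numbers are constructed.

```python
"""
Added example (not from the Prolifics / TGH slides): tiered HR-to-account
linkage. Badge match and unique exact name match are 100% certain; weaker
name matches get assumed percentages and go to manual validation.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HrPerson:
    badge_id: str
    first: str
    last: str
    cost_center: str


@dataclass(frozen=True)
class Account:
    user_id: str
    display_name: str      # free text exactly as the platform stores it
    badge_field: str = ""  # some platforms already carry a badge number


@dataclass(frozen=True)
class Link:
    user_id: str
    badge_ids: tuple       # one badge for a certain match, several for an ambiguous one
    confidence: int        # percent
    reason: str

    @property
    def needs_review(self):
        return self.confidence < 100


# constructed HR extract (the "person record" side)
HR = [
    HrPerson("C123456", "Janet", "Rivera", "RAD01"),
    HrPerson("C223344", "Tom", "Nguyen", "ICU02"),
    HrPerson("C334455", "Tom", "Nguyen", "ER03"),   # same name twice: a name match is not safe
    HrPerson("C445566", "Maria", "Okafor", "FIN01"),
]

# constructed account export from one platform
ACCOUNTS = [
    Account("jrivera", "Rivera, Janet", badge_field="C123456"),
    Account("tnguyen", "Nguyen, Tom"),
    Account("mokafor1", "Okafor, Maria"),
    Account("radnurse", "Radiology Shared Nurse"),  # shared id with no single owner
    Account("C445566", "Okafor M"),                 # user id is the badge number itself
]


def split_name(display_name):
    """Normalise 'Last, First' or 'First Last' to (first, last) in lowercase; None if unparseable."""
    s = re.sub(r"[^a-z, ]", " ", display_name.lower())
    if "," in s:
        last, _, first = s.partition(",")
    else:
        tokens = s.split()
        if len(tokens) < 2:
            return None
        first, last = tokens[0], tokens[-1]
    first_tokens, last_tokens = first.split(), last.split()
    if not first_tokens or not last_tokens:
        return None
    return first_tokens[0], last_tokens[-1]


def link_accounts(hr, accounts):
    """Produce one Link per account, highest-confidence tier first."""
    by_badge = {p.badge_id: p for p in hr}
    name_key = lambda p: (p.first.lower(), p.last.lower())
    name_counts = Counter(name_key(p) for p in hr)
    by_name = {name_key(p): p for p in hr}
    links = []
    for a in accounts:
        # Tier 1: badge number stored on the account, or the user id is the badge number
        badge = a.badge_field or a.user_id
        if badge in by_badge:
            links.append(Link(a.user_id, (badge,), 100, "badge match"))
            continue
        key = split_name(a.display_name)
        # Tier 2: exact name match and exactly one person of that name in HR
        if key and name_counts.get(key) == 1:
            links.append(Link(a.user_id, (by_name[key].badge_id,), 100, "unique exact name match"))
            continue
        # Lower tiers (assumed percentages): every candidate is listed for manual validation
        if key and name_counts.get(key, 0) > 1:
            cands = tuple(p.badge_id for p in hr if name_key(p) == key)
            links.append(Link(a.user_id, cands, 75, "exact name but duplicates in HR"))
            continue
        cands = tuple(p.badge_id for p in hr if key and p.last.lower() == key[1])
        if cands:
            links.append(Link(a.user_id, cands, 50, "last name only"))
        else:
            links.append(Link(a.user_id, (), 0, "no candidate"))
    return links


def upload_rows(links):
    """Rows for writing the badge ID back to the platform's spare field: certain links only."""
    return [(l.user_id, l.badge_ids[0]) for l in links if not l.needs_review]


if __name__ == "__main__":
    for l in link_accounts(HR, ACCOUNTS):
        print(f"{l.user_id:10} {l.confidence:3}%  {l.reason:32} {l.badge_ids}")
    print("upload:", upload_rows(HR and ACCOUNTS and link_accounts(HR, ACCOUNTS)))
```

The duplicate-name case is the one to watch: the two Tom Nguyens make "tnguyen" a 75% link with both badges listed, so it never reaches the upload file until someone confirms which cost center owns the account. The shared "radnurse" ID gets no candidate at all, which is exactly the population the later phases replace with unique logins.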

  16. Next Step, Standards and Process Definition • Identity Policies > defined on how IDs would be named • Roles and Provisioning to Systems > defined leveraging business area and job code combinations (AD Example, Invision Example) • Approval Tracking > Workflows defined on access level granted in target. • Termination Management > Workflows defined to retain access in suspended state in a holding area in TIM • Password Policies > Commonality challenges with Mainframe and Active Directory pushed to smaller password complexity. Password Synchronization enabled. Password Reset enabled. • Policy Enforcement > Correct non-compliant accounts • Visibility for Audit/Reporting • Access Request Management Integration • Change Management!!!!

  17. Role Enforcement Defined with Tivoli Identity Manager

  18. Next Step, Solution Build (numbered callouts 1 to 6 on the slide diagram) Audit and Recertification become centralized as platforms are integrated. Identities are automatically granted access to system resources by Role (starting with AD, RACF, SQL, and EPIC). Termination and Password Management are automated.
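The role definition, termination handling and policy enforcement of slide 16, and the automated provisioning of slide 18, as one added example (not code from the presentation, from Prolifics or from Tivoli Identity Manager): roles are derived from business area and job code, each role maps to entitlements per target platform, and the actual account state is reconciled against the expected state to produce grants, revocations of non-compliant access, suspension (not deletion) of terminated people's accounts, and review items for accounts with no HR owner. The role names, group names, the letter-plus-six-digits ID naming policy and all sample records are assumptions made for the example.

```python
"""
Added example (not from the Prolifics / TGH slides): a small role-based
provisioning reconciler. Roles come from (business area, job code), each role
maps to entitlements per target, and actual accounts are compared to the
expected state to yield corrective actions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    badge_id: str
    business_area: str
    job_code: str
    terminated: bool = False


# assumed role definitions: (business area, job code) -> role
ROLE_RULES = {
    ("Radiology", "RN"): "clinical_nurse",
    ("ICU", "RN"): "clinical_nurse",
    ("Finance", "ACCT"): "back_office",
}
# assumed entitlements per role, keyed by target platform (AD, RACF, EPIC)
ROLE_ENTITLEMENTS = {
    "clinical_nurse": {"AD": {"EPIC-Clinical", "PACS-Viewers"}, "EPIC": {"Nurse"}},
    "back_office": {"AD": {"Finance-Users"}, "RACF": {"INVISION-AP"}},
}
ID_POLICY = re.compile(r"^[A-Z]\d{6}$")  # assumed naming policy: one letter + six digits


def role_for(person):
    return ROLE_RULES.get((person.business_area, person.job_code))


def expected_access(person):
    """Entitlements the person should hold per target; terminated people should hold none."""
    if person.terminated:
        return {}
    role = role_for(person)
    return ROLE_ENTITLEMENTS.get(role, {}) if role else {}


def reconcile(people, accounts):
    """accounts: {user_id: (badge_id or None, {target: set(entitlements)})}.
    Returns sorted (action, subject, detail) tuples for the provisioning engine."""
    by_badge = {p.badge_id: p for p in people}
    actions, seen = [], set()
    for user_id, (badge_id, actual) in accounts.items():
        if not ID_POLICY.match(user_id):
            actions.append(("rename", user_id, "id violates naming policy"))
        person = by_badge.get(badge_id)
        if person is None:
            actions.append(("review", user_id, "no HR owner (orphan or shared id)"))
            continue
        seen.add(badge_id)
        if person.terminated:
            # retain the account in a suspended holding state rather than deleting it
            for target in sorted(actual):
                actions.append(("suspend", user_id, target))
            continue
        expected = expected_access(person)
        for target in sorted(set(expected) | set(actual)):
            have, want = actual.get(target, set()), expected.get(target, set())
            for ent in sorted(want - have):
                actions.append(("grant", user_id, f"{target}:{ent}"))
            for ent in sorted(have - want):   # non-compliant access is corrected
                actions.append(("revoke", user_id, f"{target}:{ent}"))
    for p in people:
        if p.badge_id not in seen and not p.terminated and role_for(p):
            actions.append(("create", p.badge_id, "no account yet for active person"))
    return sorted(actions)


# constructed sample HR feed and account state
PEOPLE = [
    Person("C123456", "Radiology", "RN"),
    Person("C445566", "Finance", "ACCT"),
    Person("C778899", "ICU", "RN", terminated=True),
    Person("C990011", "ICU", "RN"),          # new hire, no account yet
]
ACCOUNTS = {
    "C123456": ("C123456", {"AD": {"EPIC-Clinical", "Finance-Users"}, "EPIC": {"Nurse"}}),
    "C445566": ("C445566", {"AD": {"Finance-Users"}, "RACF": {"INVISION-AP"}}),
    "C778899": ("C778899", {"AD": {"EPIC-Clinical", "PACS-Viewers"}}),
    "radnurse": (None, {"AD": {"EPIC-Clinical"}}),   # shared id, no HR owner
}

if __name__ == "__main__":
    for action in reconcile(PEOPLE, ACCOUNTS):
        print(*action)
```

Run against the sample state the reconciler grants the nurse her missing PACS group, revokes the finance group she should not have, suspends the terminated ICU nurse's AD account into the holding state, flags the shared "radnurse" ID both for naming and for ownership, and creates an account for the new hire. Each of these is a workflow step in the slides rather than a manual ticket.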

  19. Solution Benefits • Ensures centralized and synchronized security • Automatically creates and modifies access based upon a person’s organizational role (Role Based Access Control) • Eliminates user access for terminated personnel • Reduces operational costs by reducing helpdesk involvement in password reset • Provides a mechanism for clinical staff to log on with unique user IDs (instead of shared IDs)** • Enforces access privileges to the minimum necessary required for a given job function** • Increases security through approval and recertification workflows and automated termination processing** • Provides a centralized audit record of access and approvals, correlated to HR records for compliance reporting • **HIPAA Related Concern for PHI

  20. Customer Feedback • “Prolifics has consistently met our expectations and business objectives through discovery, development, deployment and post go-live support. The solutions provided by the Prolifics Security Practice enable TGH to provide end-users with a high level of integrity, availability and confidentiality.” • Matt Hickmott, Identity and Access Management, Tampa General Hospital, February 2011

  21. Prolifics Case Studies

  22. Prolifics/IBM Case Studies http://www-01.ibm.com/software/success/cssdb.nsf/CS/SCHA-899LXP?OpenDocument&Site=default&cty=en_us

  23. Prolifics Identity and Access Management Customers Financial Services, Retail & Distribution, Insurance, Utilities, Manufacturing, Education, Government, Transportation
