Unleashing Directory-Powered Business SM

How to Approach an Identity and Access Management (IAM) Program within a Healthcare Organization (Payers & Providers)

Aaron Perry - APTEC
Rich Fellmann - Oracle
November 22, 2011

2007 APTEC, LLC Confidential

Agenda

• What is Identity Management?
• What we typically see in Healthcare Organizations
• Challenges faced by Healthcare Organizations
• Healthcare IAM Architecture
• IAM Business Drivers & Benefits
• Oracle IAM Solutions for Healthcare
• Where to Start
• Ensuring IAM Project Success
• Questions

2011 APTEC, LLC Confidential

Setting the Stage…

What is Identity Management?

A set of processes and a supporting infrastructure for the creation, maintenance, and use of digital identity
  - 80% process
  - 20% supporting infrastructure

Keys to successful implementation…

• Support and involvement at all levels (CIO, CISO, Process Owners, System Administrators, etc.)
• Governance and the authority to enact decisions
• Identification and Management of Sources of Truth

IAM Solutions Address Top Issues faced by Healthcare Organizations

• IAM can improve security, reduce costs, and protect privacy
  – Security breaches / business disruptions
  – Operating costs / budgets
  – Data protection / privacy
• Large and growing number of Healthcare Organizations have experienced IT Security Breaches in last 12 months.
  – Breaches now have monetary fines associated
  – Unauthorized access to sensitive patient data
  – Unauthorized access to sensitive member data
  – Breaches of employee & patient SSNs

More breaches than ever…

Data Breach
Once exposed, the data is out there – the bell can't be un-rung

PUBLICLY REPORTED DATA BREACHES
[Chart: Total Personally Identifying Information Records Exposed (Millions); 630% Increase]

• Average cost of a data breach $202 per record
• Average total cost exceeds $6.6 million per breach

Source: DataLossDB, Ponemon Institute

More threats than ever…

• 70% attacks originate inside the firewall
• 90% attacks perpetrated by employees with privileged access

Risk And Security Breach in Healthcare

• Unauthorized Access to Patient Records.
• Co-worker, Family Member, Neighbor, VIP Record Snooping.
Access & Privacy
• Access from unauthorized locations
• Misuse Of Privileges
Fraud & Security Breach
• Unauthorized Prescription to Patients
• Patient Fraud (Illegal Drugs From Multiple Providers)

• Healthcare has suffered more data breaches than financial services so far in 2010 – ITRC Report

What we typically see in healthcare industry

• Manual Processing
  • Manual Provisioning and Approval Workflows
  • Insufficient de-provisioning processes
• Lack of Centralization and Delegated Administration
  • Application silos and administration silos
  • Multiple credential stores
• Home Grown Solutions
  • Good at provisioning
  • Inefficient or non-existent de-provisioning and transfers
  • Inability to scale to meet growing demands
  • Inconsistent/ineffective auditing and reporting
• Lack of Security Policies and Enforcement

What we typically see at Healthcare Organization

Challenges and Issues

Data / Supportability
• No single view of identity data across applications
• Administration performed both centrally and locally
• Inconsistent user identity data
• Manual, paper-driven processes work, but lack auditability
• Multiple repositories of user identity data
• Lack of defined standards for user attributes
• Many identity owners & sources

Typical HE Challenges and Issues

Growth
• IT staff is stretched, especially as new projects are defined and started
• Infrastructure support team has a wide range of responsibility with limited means

Institutional Culture
• Use of web-based applications continues to grow
• Priorities may vary on a per hospital basis
• Increasing demands for new services
• Varied and complex user populations
• Need to support within current spending levels
• Many hospitals bend over backwards to provide the highest levels of service to their doctors and nurses
• Patient & Member community is always growing

Healthcare IAM Reference Architecture – General View

Provider Reference Oracle IAM Architecture

IAM Business Drivers

• Business Facilitation
  – Improve productivity through streamlined, automated processes and efficient provisioning and de-provisioning of user accounts.
  – Enable efficient deployment of new enterprise-wide applications and services in a manner that provides ease of use for all constituents through use of standards and automation.
• Cost Containment
  – Efficiently managing the growing number of users and network-accessible resources by streamlining and centralizing business processes in support of new users, end-user transfers/job changes, and user disablement.
  – Reduce errors and the time required to manually administer user accounts and resources through automation of tasks.
• Security Effectiveness and IT Risk
  – Improve security and support high levels of security and privacy appropriate to specific systems and services.
  – Improve system auditability and access management to ensure compliance with Federal, State and Local Regulations.
  – Improve audit readiness via a central audit log of accounts and privileges, as well as reporting and auditing capabilities.
  – Create effective monitoring and control over identity-related processes to ensure policies and practices are adhered to and security policies are consistently followed.

IAM Deployment Benefits

• Solid Identity Management infrastructure built on standards that can serve as the platform for supporting all future identity management services
• Automated provisioning and identity origination
• Clean identity data with processes in place to prevent re-corruption
• Elimination of the use of SSN as the primary unique identifier for all end users
• Enterprise-level auditing with ability to track events across the entire institution
• Drastic reduction of risk as it relates to provisioning users to new services and the protection of those services due to all provisioning and access control events being audited
• Drastic reduction of cost and overhead due to further automation of manual administration process and introduction of delegated administration models enterprise-wide
• Self-service services benefit the user by offering the ability to update information from a central location for use throughout the enterprise
• Reduction of costs associated with manual provisioning and manual data cleansing processes

Oracle IAM Solutions for Healthcare

Identity Admin.
• Identity Manager
Access Management
• Access Manager
• Security Governor
• Enterprise Single Sign-On
• Identity Federation + Fedlet
Directory Services
• Internet Directory
• Virtual Directory
• Directory Server EE
Identity & Access Governance
• Identity Analytics
Manageability
• Enterprise Manager IdM Pack

Oracle IAM Solutions for Healthcare

[Diagram labels: Provisioning & Identity Administration; Access Management; Directory Services; Authentication, SSO & Fraud Prevention; Roles-based User Provisioning; LDAP Storage; Virtualized Identity Access; Password Management; Self Service Request & Approval; Platform Security Services; Identity Analytics; Reporting; Attestation; SoD; Mining; Identity Services for Developers]

Identity Administration
Oracle Identity Manager

[Diagram labels: Employee Joins / Departs; HR System; Approval Workflows; Applications; GRANT / REVOKE]

• Automate Provisioning / Deprovisioning
• Identify orphaned accounts
• Report on Who has access to what
• Self-service requests

Identity Analytics
Rapid and Sustainable Compliance Automation

[Diagram labels: Oracle Identity Analytics; Role Governance; Oracle Identity Manager; Monitoring; Dashboards; Integrate; Reports; Identity Warehouse; Segregation of Duties; ETL; Access Certification; Other Sources of Identity Data]

Oracle eSSO Suite

[Diagram labels: Oracle eSSO Password Reset; Password; Oracle eSSO Suite Management Console; Oracle eSSO Provisioning Gateway; Directory, Domain, Database; Oracle Identity Manager (OIM); Windows; Web Sites; PKI; Biometrics; Oracle eSSO Logon Manager; Oracle eSSO Authentication Manager; (OS390, AS400); Java; Oracle eSSO Kiosk Manager; Token/Smart card; User Auth; Mainframes; User's Desktop; Extranet & Portal; Application Sign-On]

Oracle Security Governor
What does it do?

• Privacy & Security Breach Detection/Prevention
• Protection Against Insider Snooping And Identity Theft
• Risk Assessment And Rapid Incident Investigation

[Diagram labels: Oracle Security Governor; Master Patient Index (MPI), Electronic Health Record, Applications, Billing]

Where to Start / IAM Roadmap

Ensuring Project Success

• Phased project approach
• Strong executive sponsorship
• Strong project management and leadership
• Governance / Steering committee monthly meetings
• Integration of client personnel into project team
• Knowledge transfer and on-going training
• Weekly status meetings with the right people and right focus
• Constantly clarifying IAM capabilities to project stakeholders
• Proactive and open communication

Questions

Aaron Perry
President – APTEC, LLC
Phone 917.696.1450
Email aaron@aptecllc.com
Web www.aptecllc.com

Rich Fellmann
TSM – Oracle Corporation
Phone 781.238.9415
Email rich.fellmann@oracle.com
Web http://www.oracle.com/us/products/middleware/identity-management/index.html