How to Approach an Identity and Access Organization (Payers & Providers)

Unleashing Directory-Powered Business (SM)
How to Approach an Identity and Access Management (IAM) Program within a Healthcare Organization (Payers & Providers)
Aaron Perry - APTEC
Rich Fellmann - Oracle
November 22, 2011
2007 APTEC, LLC Confidential
Agenda
•  What is Identity Management?
•  What we typically see in Healthcare Organizations
•  Challenges faced by Healthcare Organizations
•  Healthcare IAM Architecture
•  IAM Business Drivers & Benefits
•  Oracle IAM Solutions for Healthcare
•  Where to Start
•  Ensuring IAM Project Success
•  Questions
2011 APTEC, LLC Confidential
2
Setting the Stage…
What is Identity Management?
A set of processes and a supporting infrastructure
for the creation, maintenance, and use of digital
identity
- 80% process
- 20% supporting infrastructure
Keys to successful implementation…
•  Support and involvement at all levels (CIO, CISO,
Process Owners, System Administrators, etc.)
•  Governance and the authority to enact decisions
•  Identification and Management of Sources of
Truth
IAM Solutions Address Top Issues Faced by Healthcare Organizations
•  IAM can improve security, reduce costs, and
protect privacy
–  Security breaches / business disruptions
–  Operating costs / budgets
–  Data protection / privacy
•  A large and growing number of Healthcare
Organizations have experienced IT security
breaches in the last 12 months.
–  Breaches now have monetary fines associated
–  Unauthorized access to sensitive patient data
–  Unauthorized access to sensitive member data
–  Breaches of employee & patient SSNs
More breaches than ever…
Data Breach
Once exposed, the data is out there – the bell can't be un-rung
Chart: Publicly reported data breaches – 630% increase in total personally identifying information records exposed (millions)
Average cost of a data breach $202 per record
Average total cost exceeds $6.6 million per breach
Source: DataLossDB, Ponemon Institute
More threats than ever…
70% of attacks originate inside the firewall
90% of attacks are perpetrated by employees with privileged
access
Risk And Security Breach in Healthcare
•  Unauthorized Access to Patient Records.
•  Co-worker, Family Member, Neighbor, VIP
Record Snooping.
Access & Privacy
•  Access from unauthorized locations
•  Misuse Of Privileges
Fraud & Security Breach
•  Unauthorized Prescription to Patients
•  Patient Fraud (Illegal Drugs From Multiple
Providers)
Ø  Healthcare has suffered more data breaches than financial services so far in 2010 –
ITRC Report
2011 APTEC, LLC Confidential
7
What we typically see in the healthcare industry
•  Manual Processing
–  Manual provisioning and approval workflows
–  Insufficient de-provisioning processes
•  Lack of Centralization and Delegated Administration
–  Application silos and administration silos
–  Multiple credential stores
•  Home Grown Solutions
–  Good at provisioning
–  Inefficient or non-existent de-provisioning and transfers
–  Inability to scale to meet growing demands
–  Inconsistent/ineffective auditing and reporting
•  Lack of Security Policies and Enforcement
What we typically see at a Healthcare Organization
Challenges and Issues
Data
Supportability
•  No single view of identity data
across applications
•  Administration performed both
centrally and locally
•  Inconsistent user identity data
•  Manual, paper-driven processes
work, but lack audit ability
•  Multiple repositories of user
identity data
•  Lack of defined standards for
user attributes
•  Many identity owners & sources
Typical HE Challenges and Issues
Growth
•  IT staff is stretched, especially
as new projects are defined and
started
•  Infrastructure support team has
a wide range of responsibility
with limited means
Institutional Culture
•  Use of web-based applications
continues to grow
•  Priorities may vary on a per
hospital basis
•  Increasing demands for new
services
•  Varied and complex user
populations
•  Need to support within current
spending levels
•  Many hospitals bend over
backwards to provide the
highest levels of service to their
doctors and nurses
•  Patient & Member community is
always growing
Healthcare IAM Reference Architecture – General View
Provider Reference Oracle IAM Architecture
IAM Business Drivers
•  Business Facilitation
–  Improve productivity through streamlined, automated processes and efficient
provisioning and de-provisioning of user accounts.
–  Enable efficient deployment of new enterprise-wide applications and services in a
manner that provides ease of use for all constituents through use of standards
and automation.
•  Cost Containment
–  Efficiently managing the growing number of users and network-accessible
resources by streamlining and centralizing business processes in support of new
users, end-user transfers/job changes, and user disablement.
–  Reduce errors and the time required to manually administer user accounts and
resources through automation of tasks.
•  Security Effectiveness and IT Risk
–  Improve security and support high levels of security and privacy appropriate to
specific systems and services.
–  Improve system auditability and access management to ensure compliance with
Federal, State and Local Regulations.
–  Improve audit readiness via a central audit log of accounts and privileges, as
well as reporting and auditing capabilities.
–  Create effective monitoring and control over identity-related processes to ensure
policies and practices are adhered to and security policies are consistently
followed.
IAM Deployment Benefits
•  Solid Identity Management infrastructure built on standards that can serve
as the platform for supporting all future identity management services
•  Automated provisioning and identity origination
•  Clean identity data with processes in place to prevent re-corruption
•  Elimination of the use of SSN as the primary unique identifier for all end
users
•  Enterprise-level auditing with ability to track events across the entire
institution
•  Drastic reduction of risk as it relates to provisioning users to new services
and the protection of those services due to all provisioning and access
control events being audited
•  Drastic reduction of cost and overhead due to further automation of
manual administration process and introduction of delegated
administration models enterprise-wide
•  Self-service services benefit the user by offering the ability to update
information from a central location for use throughout the enterprise
•  Reduction of costs associated with manual provisioning and manual data
cleansing processes
Oracle IAM Solutions for Healthcare
Identity Admin.
Identity Manager
Access Management
Access Manager
Security Governor
Enterprise Single Sign-On
Identity Federation + Fedlet
Directory Services
Internet Directory
Virtual Directory
Directory Server EE
Identity & Access Governance
Manageability
Identity Analytics
Enterprise Manager IdM Pack
Oracle IAM Solutions for Healthcare
Provisioning &
Identity
Administration
Access
Management
Directory
Services
Authentication, SSO &
Fraud Prevention
Roles-based User
Provisioning
LDAP Storage
Virtualized Identity
Access
Password Management
Self Service Request &
Approval
Platform Security Services
Identity Analytics
Reporting
Attestation SoD
Mining
Identity Services for Developers
Identity Administration
Oracle Identity Manager
Diagram: Employee joins / departs in the HR System → Approval Workflows → GRANT / REVOKE of accounts on Applications
•  Automate Provisioning / Deprovisioning
•  Identify orphaned accounts
•  Report on Who has access to what
•  Self-service requests
Identity Analytics
Rapid and Sustainable Compliance Automation
Oracle Identity Analytics
Diagram: Oracle Identity Analytics (Role Governance, Segregation of Duties, Access Certification, Monitoring Dashboards, Reports) built on an Identity Warehouse that integrates, via ETL, data from Oracle Identity Manager and other sources of identity data
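One way to realise the orphaned-account check and the "who has access to what" report from the Identity Administration slide, together with the segregation-of-duties check from the Identity Analytics slide, as an added Python example (not APTEC's or Oracle's code; the HR roster, application account lists and SoD rule are constructed sample data):

```python
# Added example: reconcile per-application accounts against the HR roster,
# the source of truth for joins/departs. All data below is constructed.
from collections import defaultdict

# Constructed HR roster: employee id -> status ("A" active, "T" terminated).
HR_ROSTER = {"E100": "A", "E200": "A", "E300": "T"}

# Constructed per-application account lists: (employee id, entitlement).
APP_ACCOUNTS = {
    "EHR": [("E100", "chart_read"), ("E300", "chart_read"), ("X999", "admin")],
    "Billing": [("E200", "claims_entry"), ("E200", "claims_approve"),
                ("E300", "claims_entry")],
}

# Constructed segregation-of-duties rule: no identity holds both entitlements.
SOD_RULES = [("claims_entry", "claims_approve")]


def orphaned_accounts(roster, accounts):
    """Accounts with no active HR owner: unknown to HR (no source-of-truth
    record) or owned by a terminated employee (missed de-provisioning)."""
    orphans = []
    for app, entries in accounts.items():
        for emp_id, ent in entries:
            status = roster.get(emp_id)
            if status is None:
                orphans.append((app, emp_id, ent, "unknown-in-hr"))
            elif status != "A":
                orphans.append((app, emp_id, ent, "terminated"))
    return sorted(orphans)


def access_report(accounts):
    """Who has access to what: employee id -> {app: sorted entitlements}."""
    report = defaultdict(lambda: defaultdict(set))
    for app, entries in accounts.items():
        for emp_id, ent in entries:
            report[emp_id][app].add(ent)
    return {e: {a: sorted(s) for a, s in apps.items()} for e, apps in report.items()}


def sod_violations(accounts, rules):
    """Identities holding both halves of any SoD rule, across all applications."""
    held = defaultdict(set)
    for entries in accounts.values():
        for emp_id, ent in entries:
            held[emp_id].add(ent)
    return sorted((e, a, b) for e, ents in held.items()
                  for a, b in rules if a in ents and b in ents)
```

Run against the constructed data, the terminated physician's two accounts and the account unknown to HR surface as orphans, and the billing clerk who can both enter and approve claims surfaces as the SoD violation.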
Oracle eSSO Suite
Diagram: Oracle eSSO Suite components – Logon Manager, Authentication Manager (user authentication via Token/Smart card, PKI, Biometrics), Password Reset, Kiosk Manager, Provisioning Gateway (integrated with Oracle Identity Manager (OIM)) and Management Console, backed by Directory, Domain and Database stores; application sign-on from the user's desktop to Windows, Web Sites, Java, Mainframes (OS390, AS400), and Extranet & Portal applications
Oracle Security Governor
What does it do?
Diagram: Oracle Security Governor – Privacy & Security Breach Detection/Prevention; Protection Against Insider Snooping and Identity Theft; Risk Assessment and Rapid Incident Investigation; monitored sources: Master Patient Index (MPI), Electronic Health Record, Applications, Billing
Where to Start / IAM Roadmap
Ensuring Project Success
•  Phased project approach
•  Strong executive sponsorship
•  Strong project management and leadership
•  Governance / Steering committee monthly meetings
•  Integration of client personnel into project team
•  Knowledge transfer and on-going training
•  Weekly status meetings with the right people and right focus
•  Constantly clarifying IAM capabilities to project stakeholders
•  Proactive and open communication
Questions
Aaron Perry
President – APTEC, LLC
Phone 917.696.1450
Email aaron@aptecllc.com
Web www.aptecllc.com
Rich Fellmann
TSM – Oracle Corporation
Phone 781.238.9415
Email rich.fellmann@oracle.com
Web http://www.oracle.com/us/products/middleware/identity-management/index.html