- Despite the lofty requirements for information security throughout healthcare environments, many healthcare organizations still manually manage user accounts and access to information. Information regarding new employees and their access rights is passed between the hiring manager, human resources and IT, who then create accounts based on the available and, often inaccurate, information.
This is less than optimal for the organization because it leads to several risks, including:
- An overwhelming workload for the IT department with manual and repetitive tasks
- Long turnaround times for creating user accounts
- Risk of making errors during the manual copying of data (such as typos in the name of the employee)
- Risking that new employees receive the same rights as an employee in a similar function when they should not. When rights are copied there is a risk that employees receive access rights to applications and systems they really don’t require access to
- Risk of pollution in Active Directory (AD) because of accounts of employees that have left the organization remaining active. Pollution in the AD due to user accounts of former employees has a negative effect on the score of an audit and compliancy regulations.
For healthcare organizations to mitigate these risks, they need to take control of their authentication and authorization processes. By using an automated solution for user account management organizations can greatly improve optimization and reduce risks. CentraState Healthcare System, a non-profit community health organization in Freehold, New Jersey, for example, tried this with the goal of more efficient and streamlined processes for managing its user accounts in mind.
Doing more with less
Regulatory compliance and the ever-growing need for efficiency drove CentraState to assess its internal IT processes, as well as the need to find a secure and automated method for managing the user account lifecycle in AD and Microsoft Exchange. According to Lauro Araya, network administrator, “When the search started, our IT staff was managing the process manually utilizing Microsoft AD Users and Computers. This was a time-consuming process and we wanted to avoid this manual intervention because it led to risks and errors.”
To be able to effectively manage the user account lifecycle, CentraState asked its identity and access vendor to create a connector between its HR system, Lawson and AD. Doing so allows pertinent information of a newly hired employee to be entered into the Lawson HR system. Conversely, as employees resign, a termination date is placed in the HR system. On a scheduled basis, CentraState’s identity and access management (IAM) solution executes a query to capture all employee data and begins the process of updating AD. If the account already exists in AD, any updates, such as name, location or department changes, are appropriately processed.
If the account does not exist, however, one is created along with an Exchange mailbox, home directory and assigned to the appropriate group profiles based on job title and department of the employee. If the employee start date is in the future, the account is created but put in a disabled state until that date is reached and then it is activated. When an employee termination occurs the information is processed by the IAM software and the account is immediately disabled and deleted after a specific period of time has passed.
CentraState also added several customizations to its IAM suit, such as the naming conventions for AD and Exchange mailboxes. Business logic was also defined within the product to allow the automatic placement of users into the correct operating units based upon their specific location and department. This information also is utilized to insure mailboxes are created within the proper mail server. Information that is created during the AD process, such as user account name and e-mail address, is fed back to the Lawson database twice a day. This is done to insure that Lawson has accurate information whenever anything changes in AD.
AD is the central source for users to access applications and systems. In the context of information security, it is important to keep user accounts in the AD up-to-date and accurate. As an example, this will prevent former employees from being able to access the network and systems if their user account is left active. “We have taken the manual intervention out of the equation for many mundane tasks, such as disabling network accounts. User accounts are now disabled in real-time once terminated in Lawson, Mark Handerhan, IT manager, said. “Besides the time reduction, the implementation provides us with a greater level of network security, while also assuring compliance with industry standard regulations such as HIPAA,” Handerhan said.
Dean Wiech is managing director of Tools4ever and joined the organization in in April 2006 and is responsible for the Tools4ever, Inc. operations the United States. His duties include direct sales, as well as the responsibility for the sales, technology and consulting team along with the day-to-day operations for the company.