Healthcare organizations continually seek greater levels of efficiency, network security and compliance with industry standard regulations.
While security issues heat up with news of breaches and illegal access to information, internal IT resources are diverted to non-critical functions where, often, a tremendous amount of time and effort is spent in a deluge of manual processes. As complex businesses, health systems are mired in their own tremendously complicated technology and IT advancements, dealing with issues that are well documented and some that, well, don't get so much of the attention. To a degree, many of the processes in place at health systems are simply bureaucratic – "This is the way we've done it from the start and that's why we're doing it now; never thought of doing it differently. Why do you ask?"
The lesser known and less discussed issues are countless; too many to mention or name and far too many to even identify. One such arduous and overwhelming (and useless) process is the manual creation of user accounts and access rights. Though seemingly simple, these processes and tasks, if not managed effectively, can open an organization to exposing critical and confidential information to parties and sources that should not have access to it.
No doubt it's important to protect security rights in any environment, but it's extremely important in healthcare to ensure that internal employees have only the correct access rights and can obtain only the information they are allowed to see. More often than not, employees have too many access rights and are able to view and retrieve information that should have been kept out of their grasp. Since account management is usually done manually, employees are often accidentally given incorrect rights at the beginning of employment, acquire them over time, or never have them revoked when they are no longer with the organization. Because employees frequently move to different positions within health systems, it can be difficult to keep track of who has access to what information and when.
CentraState Healthcare System, based in Freehold, New Jersey, is a nonprofit community health organization that says regulatory compliance and the ever growing need to do more with less is a reason it's on the hunt to continually improve its internal IT processes. Thus, it recently embarked on a journey to secure an automated method for managing user accounts throughout its swath of care facilities. Lauro Araya, network administrator there, said, "When the search started, our IT staff was managing the process manually. This was a time-consuming process and we wanted to avoid this manual intervention."
Instead of manually adding and subtracting access rights for employees, the health system has changed the way it does things since implementing an access management system. As employees are hired their pertinent information is entered into the hospital's HR system. Conversely, as employees resign, a termination date is placed in the HR system. On a regularly scheduled basis, the user management application starts a query to capture all employee data and begin the process of updating the employee rolls. If an employee account already exists in the system, any updates -- such as name, location or department changes -- are appropriately processed. If an employee account does not exist, it is created along with a mailbox and home directory and is assigned to the appropriate group profiles and access based on job title and department.
Finally, if the new employee's employment start date is in the future, their user account is created but put in a disabled state until the start date is reached, at which point the account is activated for use. Likewise, when an employee termination occurs, the information is processed by the user management system, and accounts are disabled on the termination date and then deleted after a specific period of time has passed. All employee information is then fed back to the HR database twice a day to ensure that it is accurate. Mark Handerhan, IT manager for the health system, said, "We have taken the manual intervention out of the equation for many mundane tasks, such as disabling network accounts. User accounts are now disabled in real-time once terminated in HR.
"Besides the time reduction, the access management solution provides us with a greater level of network security, while also assuring compliance with industry standard regulations, such as HIPAA." The internal IT department at CentraState now is able to spend more time on mission-critical support and planning while eliminating the requirements to spend time on routine user account tasks, he said.
The need to standardize the setup of user accounts proliferates across healthcare and is not unique to CentraState. Beyond serving as a first step in establishing who is active among a hospital's employees, this process is used to automate access rights, and to strip them, for employees' respective positions and roles, and it is the foundation of security. By knowing who has access to what and when, health system leaders can see who views patient or other protected health information, and can conduct information and access audits more easily and in a timelier manner than with a manual process.
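The scheduled, HR-driven reconciliation described for CentraState above can be sketched as follows. This is an added example, not the health system's or any vendor's code: the role map, the 90-day retention period, stripping groups when an account is disabled, and all names are assumptions, and mailbox and home-directory creation are left out.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION = timedelta(days=90)  # assumed; the article gives no figure
# Assumed (job title, department) -> group profiles; unknown pairs get no access.
ROLE_GROUPS = {("Nurse", "Emergency"): {"ehr-clinical", "ed-staff"},
               ("Nurse", "Oncology"): {"ehr-clinical", "onc-staff"},
               ("Clerk", "Billing"): {"billing-app"}}
HRRecord = namedtuple("HRRecord", "emp_id name title department start terminated", defaults=[None])

@dataclass
class Account:
    name: str
    department: str
    groups: set
    enabled: bool

def reconcile(hr_records, accounts, today):
    """One scheduled run over the HR extract; returns (emp_id, action) audit entries."""
    audit = []
    for r in hr_records:
        acct = accounts.get(r.emp_id)
        if r.terminated and r.terminated <= today:
            if acct and today - r.terminated >= RETENTION:
                del accounts[r.emp_id]
                audit.append((r.emp_id, "delete"))
            elif acct and (acct.enabled or acct.groups):
                acct.enabled, acct.groups = False, set()  # strip rights, keep the record
                audit.append((r.emp_id, "disable"))
            continue
        # Rights are replaced from the role map, never merged, so a transfer sheds old access.
        want = Account(r.name, r.department,
                       set(ROLE_GROUPS.get((r.title, r.department), ())), r.start <= today)
        if acct is None:
            audit.append((r.emp_id, "create" if want.enabled else "create-disabled"))
        elif acct != want:
            audit.append((r.emp_id, "update"))
        accounts[r.emp_id] = want
    return audit

def demo():
    # Constructed sample: a transfer, a future hire and a leaver, run on 2024-03-01.
    accounts = {"e1": Account("Ana Ruiz", "Emergency", {"ehr-clinical", "ed-staff"}, True),
                "e3": Account("Lee Park", "Billing", {"billing-app"}, True)}
    hr = [HRRecord("e1", "Ana Ruiz", "Nurse", "Oncology", date(2020, 1, 6)),
          HRRecord("e2", "Sam Obi", "Clerk", "Billing", date(2024, 4, 1)),
          HRRecord("e3", "Lee Park", "Clerk", "Billing", date(2019, 5, 1), date(2024, 2, 28))]
    return reconcile(hr, accounts, date(2024, 3, 1)), accounts
```

Because every run recomputes the wanted state from HR data, repeating a run makes no further changes, and the returned audit entries give a record of who gained or lost access and when.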
Providence Hospital, located in downtown Columbia, South Carolina, a 247-bed hospital with a staff of more than 2,000 nurses, doctors and hospital administrators, needed to standardize setup of user accounts and reduce the amount of time network engineers spent assigning rights. Tony McNeil, the IT technical manager there, said, "We have more demands on our department and we are not getting any additional staff because of the economic situation. Therefore, we have to work smarter and we need tools that help us work more efficiently."
Providence Hospital followed the example of CentraState, enlisting a process to automatically manage its user account life cycles. From the time an employee is hired and entered into the hospital's web-based security application to the time they are entered into the hospital's employee roles, the entire process is now automated. Prior to doing so, the process took nearly two days to complete before a user was ultimately allowed access in all operating systems. Now the process allows for an almost immediate creation of a user account with the correct access to systems and records. A web form allows for the assignment of group privileges and permissions to individual users, and also creates the appropriate email mailbox and a home folder for the employee on the appropriate shared drive.
The hospital's user accounts are disabled in a similar fashion when an employee is terminated or leaves the health system. Because of HIPAA compliancy requirements, employees may not be deleted from the rolls for an extended period of time. The hospital's access management system not only disables the accounts, but also removes all security privileges from any future access. In fact, the software is able to complete this process in bulk for a group of 1,000 deactivated users in less than 10 minutes.
The immediate results of implementing the access management system have been time and money savings for the IT department. John Postiglione, system administrator for Providence Hospital, said, "(The access management system) has saved us time and money. We have probably cut our admin time for new users by 80 percent, and the work is now done by non-admins. Additional technical time for user updates has been reduced by 50 percent, and (the system) has allowed us to spread the workload of network administration out to other employees in information systems to perform basic user administration tasks, so network administrators have more time to work on other projects."
In addition to time and money savings, Providence Hospital now has a defined process for user account and access management that can be viewed and audited at any time, including one-off requests.
The same goes for South Jersey Healthcare, based in Vineland, New Jersey. It had no standard method in place for user account creation, which led to many errors in account information. The organization, consisting of three major hospitals, more than 60 outpatient care locations and more than 6,000 employees, faced problems with account management and assigning access rights. Doing so was a tedious task filled with many errors. The problem from an IT perspective was that the organization used several employees, each with their own conventions, to manage user accounts and provision access. Some would fill out all required information while others would leave out important components. Without a standardized method in place, employees did not follow a common protocol; for example, some would label a department "emergency room" while others called it "ER."
The health system customized several secure electronic forms in its access management system to simplify the account creation process and reduce errors. Instead of free-form data entry, the electronic templates feature drop-down menus with department names, radio buttons with locations and addresses built in, as well as mandatory fields required to create the account. This ensures that all employees in charge of creating accounts are doing so in a consistent fashion instead of using their own techniques.
And in an effort to increase organizational security, South Jersey Healthcare leaders also wanted to ensure that all employees had the appropriate access to the systems and applications their work required. Certain employees needed to be delegated the task of account management, but not have full access, which could be a security risk. Other employees, though, needed additional access to perform their jobs. With the access management solution, rights were more easily assigned to the correct employees, from the team that manages the servers all the way to the customer service desk staff who reset passwords. This has increased the overall security of their systems by reducing the number of users who have full access to secure data.
With the access management system, South Jersey Healthcare knows that its account information is correct and no longer needs to focus time on cleaning up messes from accounts that were not created correctly. Only the appropriate employees have full access to information, which is beneficial for audits and meeting strict healthcare regulations.
Additionally, such technologies eliminate "noise" surrounding password resets and allow for more efficient management of account access. South County Hospital, in Wakefield, Rhode Island, a 100-bed acute care hospital with more than 1,200 employees and a focus on lean management, made extensive efforts to make password management processes as efficient as possible and looked for ways to reduce the number of support calls to the helpdesk, which was averaging 20 to 25 password resets a month, each requiring about half an hour to complete. By improving this process, the hospital also wanted to enhance the user's experience so they did not have to wait on helpdesk personnel and could easily reset their own passwords and get on with their jobs.
South County Hospital installed an access management system and was able to integrate with all the applications at the hospital. The hospital was even able to modify the security questions which users would be asked when resetting their passwords. "The ability to choose questions that have an answer that only the user would know yet are easy to remember is important," said Ken Hedglen, information technology manager at the hospital.
Employees no longer spend time contacting the helpdesk and waiting for a reply to their password reset requests. They are now able to answer a series of security questions and quickly reset their own password, a major time saver for all formerly involved in the process.
Dean Wiech is managing director of Tools4ever, a global supplier of identity and access management and governance solutions for healthcare.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.