Friday, September 21, 2012

How to control authentication and authorization in healthcare environments?

Active Directory is the central place where users are authenticated before they can access applications and systems. From an information security standpoint, it is important to keep the user accounts in Active Directory up to date and accurate: an account that is disabled promptly when an employee leaves, for example, cannot be used by that former employee to reach the network and systems. Despite the high information security requirements, many healthcare organizations still manage user accounts manually on a routine basis. Information about new employees is passed, typically on paper, between the hiring manager, the HR department and the IT department, which finally creates the accounts by hand from the available, and often inaccurate, information. This situation is far from optimal and introduces risks such as:
  • A large workload for the IT department, consisting of manual and repetitive tasks;
  • Long turnaround times when creating user accounts, and the risk of errors while manually copying data (such as typos in the employee's name);
  • The risk that new employees receive the same rights as an employee in a similar function when they should not. When rights are copied, employees may receive access to applications and systems they do not actually require;
  • The risk of pollution in Active Directory because accounts of employees who have left the organization remain active. Such lingering accounts of former employees count against the organization in audits and compliance assessments.

In order for healthcare organizations to mitigate these risks, they need to take control over their authentication and authorization management. By using an automated solution for user account management, organizations can greatly optimize the processes and reduce risks. CentraState Healthcare System, a non-profit community health organization in Freehold (New Jersey) is a leader in this regard and has achieved an efficient and streamlined process for user account management.

Do more with less
Regulatory compliance, and the ever-growing need to do more with less, are reasons that CentraState continually strives to improve its internal IT processes. CentraState Healthcare System recently embarked on a project to find a secure and automated method for managing the user account lifecycle in Active Directory and Exchange. Lauro Araya, Network Administrator, stated, “When the search started, our IT staff was managing the process manually utilizing Microsoft Active Directory Users and Computers. This was a time-consuming process and we wanted to avoid this manual intervention because it led to risks and errors.”

To manage the user account lifecycle effectively, CentraState Healthcare System asked Identity & Access Management vendor Tools4ever to create a connector between its HR system, Lawson, and Active Directory. The process begins when the pertinent information about a newly hired employee is entered into the Lawson HR system. Conversely, when an employee resigns, a termination date is placed in the HR system. On a scheduled basis, Tools4ever’s User Management Resource Administrator application executes a query to capture all employee data and begins updating Active Directory. If the account already exists in AD, any updates, such as name, location or department changes, are processed accordingly.

If the account does not exist, it is created along with an Exchange mailbox and home directory, and is assigned to the appropriate Group Profiles based on job title and department. If the employee's start date is in the future, the account is created in a disabled state and activated once that date is reached. When a termination is processed, the account is immediately disabled and then deleted after a defined period of time has passed.

Tools4ever made several customizations to suit the specific needs of CentraState, such as the naming conventions for Active Directory accounts and Exchange mailboxes. Business logic was also defined within the product to place users automatically in the correct OU based on their location and department. The same information is used to ensure mailboxes are created on the proper mail server. Information generated during the Active Directory process, such as the user account name and e-mail address, is fed back to the Lawson database twice a day, so that Lawson holds accurate information whenever anything changes in Active Directory.
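The joiner, mover and leaver rules described above can be expressed as a small reconciliation routine. The following is an added example, not Tools4ever's or CentraState's code: it models the decisions (create disabled until the start date, activate on that date, move on department change, disable on termination, delete after a retention period) against an in-memory stand-in for Active Directory. The field names, the OU layout, the account naming convention and the 30-day retention period are assumptions; in production the same decisions would drive the corresponding New-ADUser, Set-ADUser, Enable-ADAccount, Disable-ADAccount and Remove-ADUser calls.

```python
"""HR-feed-driven account lifecycle reconciliation (added example, in-memory directory)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION_DAYS = 30  # assumed grace period between disabling and deleting a leaver's account


@dataclass
class HrRecord:
    employee_id: str
    given: str
    surname: str
    department: str
    location: str
    start: date
    termination: Optional[date] = None  # set by HR when the employee resigns


@dataclass
class Account:
    employee_id: str
    sam: str
    department: str
    ou: str
    enabled: bool
    disabled_on: Optional[date] = None  # set when disabled because of a termination


def ou_for(rec: HrRecord) -> str:
    """Assumed OU convention: department under location."""
    return f"OU={rec.department},OU={rec.location},DC=example,DC=local"


def unique_sam(rec: HrRecord, directory: dict) -> str:
    """Assumed naming convention: first initial + surname, numbered on collision."""
    base = (rec.given[0] + rec.surname).lower()
    sam, n = base, 1
    while sam in directory:
        n += 1
        sam = f"{base}{n}"
    return sam


def reconcile(hr: list, directory: dict, today: date) -> list:
    """Apply one scheduled run of the HR feed to the directory.

    Returns a list of (action, sam, detail) tuples describing what changed.
    The directory is keyed by sAMAccountName and mutated in place.
    """
    actions = []
    by_id = {a.employee_id: a for a in directory.values()}
    for rec in hr:
        terminated = rec.termination is not None and rec.termination <= today
        acct = by_id.get(rec.employee_id)

        if acct is None:
            if terminated:
                continue  # never provision someone who has already left
            sam = unique_sam(rec, directory)
            # A future start date yields a disabled account until the date arrives.
            acct = Account(rec.employee_id, sam, rec.department, ou_for(rec),
                           enabled=rec.start <= today)
            directory[sam] = acct
            actions.append(("create", sam, "enabled" if acct.enabled else "disabled"))
            continue  # mailbox and home directory creation would follow here

        if terminated:
            if acct.enabled:
                acct.enabled = False
                acct.disabled_on = today
                actions.append(("disable", acct.sam, ""))
            elif (acct.disabled_on is not None
                  and today - acct.disabled_on >= timedelta(days=RETENTION_DAYS)):
                del directory[acct.sam]
                actions.append(("delete", acct.sam, ""))
            continue

        # Mover: department or location change relocates the account.
        if acct.department != rec.department or acct.ou != ou_for(rec):
            acct.department = rec.department
            acct.ou = ou_for(rec)
            actions.append(("move", acct.sam, acct.ou))

        # Joiner whose start date has now arrived.
        if not acct.enabled and acct.disabled_on is None and rec.start <= today:
            acct.enabled = True
            actions.append(("enable", acct.sam, ""))
    return actions


def demo() -> list:
    """Run the feed over several days with constructed sample employees."""
    directory = {}
    hr = [
        HrRecord("1001", "Ann", "Rivera", "Nursing", "Freehold", date(2012, 9, 17)),
        HrRecord("1002", "Bo", "Chen", "Radiology", "Freehold", date(2012, 10, 1)),
    ]
    log = reconcile(hr, directory, date(2012, 9, 17))   # Ann starts today, Bo in the future
    log += reconcile(hr, directory, date(2012, 10, 1))  # Bo's start date arrives
    hr[0].department = "ICU"
    log += reconcile(hr, directory, date(2012, 10, 15))  # Ann changes department
    hr[0].termination = date(2012, 11, 1)
    log += reconcile(hr, directory, date(2012, 11, 1))  # Ann's termination date
    log += reconcile(hr, directory, date(2012, 12, 1))  # retention period elapsed
    return log


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Because terminations are evaluated before activations, an employee whose termination date is reached before a future start date is never enabled, and an account that was disabled for a termination is not re-enabled by the start-date rule.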

Compliance with industry standard regulations
Approximately two weeks after commencement, the entire project was implemented and operational. The reduction in the time the staff spent managing the user account lifecycle was tremendous. Commenting on the project, Mark Handerhan, IT Manager, stated, “This implementation was one of the most highly valuable, cost-effective solutions that I’ve ever implemented. We have taken the manual intervention out of the equation for many mundane AD/user tasks, such as disabling network accounts. User accounts are now disabled in real-time once terminated in Lawson. I believe efficiency is the best seller here.”

Mark Handerhan continues: “Besides the time reduction, the implementation provides us with a greater level of network security, while also assuring compliance with industry standard regulations such as HIPAA.” In summary, the IT staff at CentraState can spend more time on mission-critical support and planning, and no longer spend time on routine user account tasks.

For more information, please visit our website.

Friday, September 7, 2012

Allow the helpdesk to focus on more important issues than simple password resets

Using a username and password to log on to applications and systems is a common method of authentication. Various laws and regulations in the healthcare industry require that access security is tightened and that passwords meet certain complexity requirements, such as a minimum length, the use of special characters, the use of an uppercase letter, and so on. In addition, passwords are frequently required to be changed after a certain period of time has elapsed. With the introduction of complex passwords, employees often find it difficult to remember their Active Directory password, especially after a vacation. This leads to a significant increase in the number of password reset calls to the helpdesk.

On average, an estimated 25% of calls to a helpdesk are password-related, such as resetting forgotten passwords. The IT staff is burdened with resolving these calls, which increases the administrative load on the IT department. At the same time, the end user loses productive time because he or she is temporarily locked out of the network. Wouldn’t it be great if the IT department were relieved of these calls and could focus on resolving more critical ones?

Improvement of password management
South County Hospital, a 100-bed, 1,200-employee acute care hospital located in Wakefield, Rhode Island, was facing this exact problem. The hospital’s helpdesk was averaging between 20 and 25 password resets a month, each requiring about half an hour to complete because of the arduous process of receiving the call, placing a work order, resetting the password and then contacting the user, most of whom are busy clinicians.

With a focus on lean management, and an effort to make processes as efficient as possible, the hospital began to look for ways to improve password management and reduce the number of support calls to the helpdesk. By improving this process, the hospital also wanted to enhance the user’s experience so users did not have to wait on the process and could easily reset their own passwords to get on with their jobs.

When looking for a vendor with a solution to its password management issues, South County considered Tools4ever a front runner, as the hospital had previous experience with another of its products, RealLastLogon. Tools4ever’s Self Service Reset Password Manager (SSRPM) was able to resolve all of the password reset issues in the hospital's environment and to integrate with its Outlook Web Access page, a top priority at the hospital. SSRPM was also capable of integrating with Meditech, the hospital information system, to synchronize the password resets.

Self service password reset
With SSRPM, users can reset their password at any time and no longer depend on the operating hours of the service desk or helpdesk. Before a password is reset, it is critical that users identify themselves by answering a few personal challenge questions. This is safer than the previous method, in which a user could call the helpdesk and claim to be someone else. A new button, "Forgot My Password", is added to the Windows login screen, which the end user can click if the password is forgotten. By answering challenge questions such as "What is my mother’s maiden name?", the user can identify themselves and securely reset their password.

The helpdesk can also ask the personal questions directly to identify a caller. The helpdesk employee does not see the full answers but, for example, only the second and last character of the answer, which is enough to positively identify the caller.

When entering the new password, the end user is required to comply with the organization's password complexity requirements. While the password is being typed, each complexity rule that is met is flagged with a green check, for example: "Minimum password length of 10 characters: OK". Cryptic error messages are a thing of the past.

Besides identifying the user through answers to personal questions, Advanced Authentication is also available, adding e-mail and SMS authentication. This means that, in addition to the regular questions that must be answered, there is an additional question: "What is the PIN code you just received on your cell phone?". This form of authentication is referred to as two-factor authentication: something you know (the answers) and something you have, such as a mobile phone.
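The verification steps described in this section (challenge answers, the helpdesk's partial-character check, per-rule complexity feedback and the SMS/e-mail PIN as a second factor) can be modelled in a few functions. The following is an added example and not SSRPM's code: it stores challenge answers only as salted hashes, keeps a separate hash of the characters the helpdesk may ask for so the helpdesk never sees the answer itself, reports every complexity rule as pass or fail, and binds the PIN to a lifetime. The storage layout, rule set, PBKDF2 work factor, six-digit PIN and five-minute lifetime are assumptions.

```python
"""Self-service and helpdesk-assisted password reset verification (added example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 100_000              # assumed work factor for stored answers and PINs
OTP_LIFETIME = timedelta(minutes=5)  # assumed validity window of the SMS/e-mail PIN


def _normalise(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Smith ' and 'smith' match."""
    return " ".join(answer.strip().lower().split())


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll_answer(answer: str) -> dict:
    """Store a salted hash of the answer plus a hash of the characters the helpdesk
    may ask for (second and last), so neither path needs the plaintext answer."""
    norm = _normalise(answer)
    salt = secrets.token_bytes(16)
    partial = norm[1] + norm[-1] if len(norm) >= 2 else norm
    return {"salt": salt, "full": _hash(norm, salt), "partial": _hash(partial, salt)}


def verify_answer(answer: str, enrolled: dict) -> bool:
    return hmac.compare_digest(_hash(_normalise(answer), enrolled["salt"]), enrolled["full"])


def helpdesk_verify(second: str, last: str, enrolled: dict) -> bool:
    """The helpdesk types the two characters the caller gives and sees only the result.
    Two characters carry little entropy, so attempts must be rate-limited by the caller."""
    return hmac.compare_digest(_hash(_normalise(second + last), enrolled["salt"]),
                               enrolled["partial"])


COMPLEXITY_RULES = [
    ("Minimum password length of 10 characters", lambda p: len(p) >= 10),
    ("At least one uppercase letter", lambda p: any(c.isupper() for c in p)),
    ("At least one lowercase letter", lambda p: any(c.islower() for c in p)),
    ("At least one digit", lambda p: any(c.isdigit() for c in p)),
    ("At least one special character", lambda p: any(not c.isalnum() for c in p)),
]


def check_complexity(password: str) -> list:
    """Per-rule feedback for the green-check display: [(label, passed), ...]."""
    return [(label, rule(password)) for label, rule in COMPLEXITY_RULES]


def issue_otp(now: datetime) -> tuple:
    """Returns (code to send to the phone, record to keep server-side)."""
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    return code, {"salt": salt, "hash": _hash(code, salt), "expires": now + OTP_LIFETIME}


def verify_otp(entered: str, record: dict, now: datetime) -> bool:
    fresh = now <= record["expires"]
    match = hmac.compare_digest(_hash(entered.strip(), record["salt"]), record["hash"])
    return fresh and match


def self_service_reset(answers: list, enrolled: list, otp: str, otp_record: dict,
                       new_password: str, now: datetime) -> str:
    """Full flow: something you know, something you have, then the policy check."""
    # Evaluate every answer rather than short-circuiting, so response time does not
    # reveal which question was answered wrongly.
    results = [verify_answer(a, e) for a, e in zip(answers, enrolled)]
    if len(answers) != len(enrolled) or not all(results):
        return "challenge questions not answered correctly"
    if not verify_otp(otp, otp_record, now):
        return "PIN code invalid or expired"
    failed = [label for label, ok in check_complexity(new_password) if not ok]
    if failed:
        return "password policy not met: " + "; ".join(failed)
    # Here the new password would be written to the directory and synchronised.
    return "password reset"


if __name__ == "__main__":
    now = datetime(2012, 9, 7, 9, 0)
    enrolled = [enroll_answer("Smith"), enroll_answer("Wakefield")]
    code, record = issue_otp(now)
    print(self_service_reset(["smith", "wakefield"], enrolled, code, record,
                             "Correct-Horse9", now))
    for label, ok in check_complexity("Short1!"):
        print(f"{label}: {'OK' if ok else 'missing'}")
```

The partial-answer hash is a design choice rather than something the page specifies: it gives the helpdesk the same two-character check the text describes without displaying any part of the stored answer on screen.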

Easily customize and integrate with systems
South County implemented SSRPM in its environment and was able to integrate the solution with all of the applications at the hospital. SSRPM is set up to work with three different technologies at the hospital: Outlook Web Access for e-mail, the standard Windows credential provider when logging on to the computer, and web access for people working outside the network. The hospital was also able to modify the security questions that users are asked when resetting their passwords. “The ability to choose questions that have an answer that only the user would know, yet are easy to remember, is important”, said Ken Hedglen, Information Technology Manager at South County Hospital.

With SSRPM, South County’s users no longer need to spend precious time contacting the helpdesk and waiting for a reply to their password reset request. They are now able to answer a series of security questions and quickly reset their own password. The hospital appreciated that no training on the product was needed, because it is self-explanatory. “Any system that we implement that we don’t hear anything about after the fact is good, because no news is good news when it comes to systems,” said Hedglen. SSRPM has also benefited the helpdesk, which can now handle other types of work orders. “The helpdesk can now focus on more important issues rather than simple password resets and are much more productive.”


For more information on Tools4ever solutions, please visit our website.