Friday, September 21, 2012

How to control authentication and authorizations in healthcare environments?

Active Directory is the central source for users to access applications and systems. In the context of information security, it is important to keep user accounts in Active Directory up to date and accurate. For example, an accurate directory prevents former employees from accessing the network and systems through a user account that was left active. Despite the high requirements for information security, many healthcare organizations still manage user accounts manually on a routine basis. Information about new employees is passed, typically on paper, between the hiring manager, the HR department and the IT department, which in the end manually creates accounts based on the available - and often inaccurate - information. This situation is less than optimal and can lead to risks, such as:
  • A large workload for the IT department with manual and repetitive tasks;
  • Long turnaround time creating user accounts and the risk of making errors during the manual copying of data (such as typos in the name of the employee);
  • The risk that new employees receive the same rights as an employee in a similar function when they should not. When rights are copied there is a risk that employees receive access rights to applications and systems they really don’t require access to;
  • Risk of pollution in Active Directory due to accounts of employees that have left the organization remaining active. Pollution in Active Directory due to user accounts of former employees has a negative effect on audit scores and on compliance with regulations.

In order for healthcare organizations to mitigate these risks, they need to take control over their authentication and authorization management. By using an automated solution for user account management, organizations can greatly optimize the processes and reduce risks. CentraState Healthcare System, a non-profit community health organization in Freehold (New Jersey), is a leader in this regard and has achieved an efficient and streamlined process for user account management.

Do more with less
Regulatory compliance and the ever-growing need to do more with less are reasons that CentraState continually strives to improve its internal IT processes. CentraState Healthcare System recently embarked on a project to find a secure and automated method for managing the user account lifecycle in Active Directory and Exchange. Lauro Araya, Network Administrator, stated, “When the search started, our IT staff was managing the process manually utilizing Microsoft Active Directory Users and Computers. This was a time-consuming process and we wanted to avoid this manual intervention because it led to risks and errors.”

To be able to effectively manage the user account lifecycle, CentraState Healthcare System asked Identity & Access Management vendor Tools4ever to create a connector between their HR system, Lawson, and Active Directory. The process begins when pertinent information about a newly hired employee is entered into the Lawson HR system. Conversely, as employees resign, a termination date is placed in the HR system. On a scheduled basis, Tools4ever’s User Management Resource Administrator application executes a query to capture all employee data and begins the process of updating Active Directory. If the account already exists in AD, any updates, such as name, location or department changes, are appropriately processed.

If the account does not exist, it is created along with an Exchange mailbox and home directory, and assigned to the appropriate Group Profiles based on job title and department. If the employee start date is in the future, the account is created but kept in a disabled state until that date is reached, at which point it is activated. When an employee termination occurs, the information is processed by the software and accounts are immediately disabled and then deleted after a specific period of time has passed.
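The lifecycle rules described above can be expressed as a reconciliation pass that compares the HR feed with the directory and emits a plan of actions. This is an added sketch, not Tools4ever's or CentraState's code: the record fields, the 30-day retention value and the orphan-account check are assumptions, and it makes no real Active Directory calls.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION = timedelta(days=30)  # assumed; the page says only "a specific period of time"

@dataclass
class HRRecord:  # one row of the HR export (field names are hypothetical)
    emp_id: str
    name: str
    department: str
    start: date
    terminated: Optional[date] = None

@dataclass
class Account:  # directory state for one user (hypothetical model, not an AD API)
    emp_id: str
    name: str
    department: str
    enabled: bool

def plan(hr, directory, today):
    """Return sorted (action, emp_id) pairs; enabled accounts absent from HR are only flagged."""
    accounts = {a.emp_id: a for a in directory}
    actions = []
    for r in hr:
        acct = accounts.pop(r.emp_id, None)
        if r.terminated and r.terminated <= today:
            if acct and today - r.terminated >= RETENTION:
                actions.append(("delete", r.emp_id))
            elif acct and acct.enabled:
                actions.append(("disable", r.emp_id))
        elif acct is None:  # new hire: stays disabled until the start date
            actions.append(("create_enabled" if r.start <= today else "create_disabled", r.emp_id))
        else:
            if (acct.name, acct.department) != (r.name, r.department):
                actions.append(("update", r.emp_id))
            if acct.enabled != (r.start <= today):
                actions.append(("enable" if r.start <= today else "disable", r.emp_id))
    actions += [("review_orphan", a.emp_id) for a in accounts.values() if a.enabled]
    return sorted(actions)

TODAY = date(2012, 9, 21)  # constructed sample data below, not taken from the page
HR = [HRRecord("E1", "Ann Lee", "Nursing", date(2010, 1, 4)),
      HRRecord("E2", "Bo Chen", "IT", date(2012, 10, 1)),
      HRRecord("E3", "Cy Diaz", "Finance", date(2011, 3, 1), date(2012, 9, 20)),
      HRRecord("E4", "Di Evans", "Lab", date(2009, 5, 1), date(2012, 7, 1))]
DIRECTORY = [Account("E1", "Ann Lee", "Radiology", True), Account("E3", "Cy Diaz", "Finance", True),
             Account("E4", "Di Evans", "Lab", False), Account("X9", "Old Temp", "Lab", True)]
```

Calling `plan(HR, DIRECTORY, TODAY)` yields one action per sample record; running it again after the actions are applied should return an empty plan, which is a useful check that the sync is idempotent.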

Tools4ever made several customizations to suit the special needs of CentraState, such as the naming conventions for Active Directory and Exchange mailboxes. Business logic was also defined within the product to allow the automatic placement of users into the correct OU based upon their specific location and department. This information is also used to ensure mailboxes are created on the proper mail server. Information that is created during the Active Directory process, such as user account name and e-mail address, is fed back to the Lawson database twice a day. This is done to ensure that Lawson has accurate information whenever anything changes in Active Directory.

Compliance with industry standard regulations
Approximately two weeks after commencement, the entire project was implemented and operational. The reduction in time spent by the staff managing the user account lifecycle was tremendous. Commenting on the project, Mark Handerhan, IT Manager, stated, “This implementation was one of the most highly valuable, cost-effective solutions that I’ve ever implemented. We have taken the manual intervention out of the equation for many mundane AD/user tasks, such as disabling network accounts. User accounts are now disabled in real-time once terminated in Lawson. I believe efficiency is the best seller here.”

Mark Handerhan continues: “Besides the time reduction, the implementation provides us with a greater level of network security, while also assuring compliance with industry standard regulations such as HIPAA.” In summary, the IT staff at CentraState can spend more time on mission-critical support and planning while eliminating the need to spend time on routine user account tasks.


2 comments:

  1. With HRMS systems the data management and warehousing methodologies, it is far easier to manage the complex organization and employee management, for the smooth process of business.

    healthcare performance measurements

  2. A big thanks for the efforts you have put into writing this article. Greetings from Montreal!
    Hrms Solutions