Friday, September 12, 2014

Core Registration: The Umbrella Over All Health Systems and Data

Healthcare organizations use a variety of systems containing personal data and collected information. As the quantity of this data continues to increase over time, and as the organizations continue to expand and develop, merge and downsize, not to mention constant employee turnover, there are a great many changes and countless systems managing this information, making it difficult to implement changes across the network in a convenient way. Moreover, if the wrong authorizations are assigned, it is not possible to ensure proper information security.

The ability to quickly anticipate the inflow, transfer and outflow of staff requires a transparent and uniform overview of all the personal data in a single source system. This is called core registration. In many organizations, core registration is absent or incomplete. In such a case, the security officer must ask the various systems administrators for information to find out exactly who an employee is, what they are authorized to do and which resources they are able to access. After all, the required information is fragmented across various systems, such as the facility management system, Active Directory, the electronic health record and other systems involving complex authorizations, such as planning and scheduling applications.

Active Directory as a source system
Active Directory is often used as a source system for assigning authorizations, as well as for keeping track of additional personal or organizational information. Authorizations may find expression, for instance, in Active Directory groups, with information such as the room number, title and department being added to user accounts. However, organizations that do so run into a number of limitations. First of all, Active Directory does not offer a location for arranging physical access. Neither is it very suitable for mapping out persons with multiple employment contracts who are active in several different departments.

In addition, probably the most important limitation of using Active Directory as a source system concerns authorizations: it yields too limited an overview of a person. Active Directory groups are often used to manage access to applications. However, with certain healthcare applications, authorizations are often not handled via Active Directory, as it does not “dig deep enough” for this purpose. One can only see whether someone has access to the application, not what that person is allowed to do inside it.

Human resources management system as a source
Some organizations use their human resources management (HRM) system as the source for implementing changes across the network. When an employee is added to the HRM system, a user account is created immediately. However, the HRM system is not exhaustive; freelancers, medical specialists from partnerships and other third parties are often not or only partially included in the system. Furthermore, although the HRM system contains a host of data, it does not contain all the information that is important for IT.

An HRM system only answers the question “Who is this person and which role does he or she fulfil in the organization?” It does not contain information on the permissions people have (for example, which user rights an employee has in a certain system) or the resources (phone, access pass, laptop) they have at their disposal.

This type of information must be derived from other systems. When somebody leaves the organization, the corresponding Active Directory account will be disabled automatically. Unfortunately, it is not easy to perform other required measures, such as blocking the access pass, collecting the mobile phone and removing the phone number from the phone systems. Disabling user accounts in cloud-based systems usually is an even more complex affair.

There are organizations that use role-based access control (RBAC) alongside the HRM system to set up authorization management. In this approach, authorizations are not assigned on an individual basis, but are based on pre-determined roles. These roles in turn comprise information on the department, title, location and cost center of an employee.

However, RBAC is not all-encompassing when it comes to staff transfers. RBAC provides an overview of the authorizations an employee should receive for their new role and of their authorizations in their current role. The current situation may show that an employee has received manual authorizations since they were initially provisioned; these should be re-validated during the transfer to determine whether they need to persist.

Identity Vault
Rather than using Active Directory or the HRM system as a source, a better solution would be to deliver these and other data in a single, uniform pane of glass: the core registration.

The objective of core registration is to have a single, leading registration for all identities across the organization. With core registration, personal data are retrieved from all sorts of sources (e.g. the HRM, scheduling, flex pool management, Active Directory and facility management system). These may include name, address and town details, information on the employment contract, the room number, title, manager of the employee, as well as used resources, such as the phone and access pass. All data are compiled in the core registration. This set of data is also known as an identity vault.

The core registration is leading for the assignment of physical and logical access. All authorizations across the network are loaded and stored in the core registration and made searchable. The core registration provides a 360-degree overview of people’s identity, what they are allowed to do and which resources they have at their disposal. If employees are not listed in the core registration, they will not have access to the network and no physical access to (parts of) the building.

Every change in the source system will result in a modification in the core registration. Since the data is searchable, the security officer can look up a person and directly see in which systems the person is present, under which identities and what the person in question is allowed to do. The security officer can also see for each department and team which rights are used by whom, so that any anomalies can be quickly identified.
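The compilation and lookup described in the three paragraphs above, as an added example that is not part of the original post. It builds a minimal identity vault from constructed HRM, Active Directory, facility-management and EHR records (system names, record layouts and all sample data are assumptions), gives the 360-degree view of one person, lists accounts that no core identity claims, lists people the HRM marks as inactive who still hold rights somewhere, and shows which rights are held by whom within a department.

```python
"""Added example (not the post's own code): a minimal core registration
("identity vault") compiled from several constructed source systems.
System names, record layouts and sample data are assumptions."""
from collections import defaultdict

# Constructed source records. The HRM system is leading for who a person
# is; every other system carries the employee id where it knows it.
HRM = [
    {"employee_id": "E001", "name": "A. Jansen", "department": "Cardiology", "title": "Nurse", "active": True},
    {"employee_id": "E002", "name": "B. de Vries", "department": "ICT", "title": "Administrator", "active": True},
    {"employee_id": "E003", "name": "C. Bakker", "department": "Cardiology", "title": "Nurse", "active": False},
]
ACTIVE_DIRECTORY = [
    {"employee_id": "E001", "sam": "ajansen", "groups": ["EHR-Users", "Scheduling"]},
    {"employee_id": "E002", "sam": "bdevries", "groups": ["Domain Admins"]},
    {"employee_id": "E003", "sam": "cbakker", "groups": ["EHR-Users"]},
    {"employee_id": None, "sam": "svc-backup", "groups": ["Backup Operators"]},  # nobody in HRM owns this
]
FACILITY = [
    {"employee_id": "E001", "access_pass": "P-1001", "zones": ["Ward C"]},
    {"employee_id": "E003", "access_pass": "P-1003", "zones": ["Ward C", "Pharmacy"]},
]
EHR = [
    {"employee_id": "E001", "login": "ajansen", "permissions": ["read-chart", "write-notes"]},
    {"employee_id": "E003", "login": "cbakker", "permissions": ["read-chart"]},
]
SOURCES = {"active_directory": ACTIVE_DIRECTORY, "facility": FACILITY, "ehr": EHR}

# Which fields of a source record are identities and which are rights.
IDENTITY_FIELDS = ("sam", "login", "access_pass")
RIGHT_FIELDS = ("groups", "permissions", "zones")


def build_vault(hrm=HRM, sources=SOURCES):
    """One record per HRM identity, holding what every system knows about it.
    Returns (vault, orphans): orphans are accounts no core identity claims."""
    vault = {p["employee_id"]: {"hrm": p, "systems": {}} for p in hrm}
    orphans = []
    for system, records in sources.items():
        for rec in records:
            eid = rec.get("employee_id")
            if eid in vault:
                vault[eid]["systems"][system] = rec
            else:
                orphans.append((system, rec))
    return vault, orphans


def lookup(vault, employee_id):
    """The 360-degree view: in which systems, under which identity, with which rights."""
    rec = vault.get(employee_id)
    if rec is None:
        return None
    view = {"name": rec["hrm"]["name"], "active": rec["hrm"]["active"], "identities": {}, "rights": []}
    for system, data in rec["systems"].items():
        view["identities"][system] = next(data[f] for f in IDENTITY_FIELDS if f in data)
        for field in RIGHT_FIELDS:
            view["rights"].extend(f"{system}:{item}" for item in data.get(field, []))
    view["rights"].sort()
    return view


def stale_access(vault):
    """People the HRM marks inactive who still hold an account or pass somewhere."""
    return sorted(eid for eid, rec in vault.items() if not rec["hrm"]["active"] and rec["systems"])


def department_rights(vault, department):
    """Per department: which right is held by whom, so anomalies stand out."""
    holders = defaultdict(set)
    for eid, rec in vault.items():
        if rec["hrm"]["department"] != department:
            continue
        for system, data in rec["systems"].items():
            for field in RIGHT_FIELDS:
                for item in data.get(field, []):
                    holders[f"{system}:{item}"].add(eid)
    return {right: sorted(people) for right, people in holders.items()}


if __name__ == "__main__":
    vault, orphans = build_vault()
    print(lookup(vault, "E001"))
    print("unclaimed accounts:", orphans)
    print("inactive but still provisioned:", stale_access(vault))
    print(department_rights(vault, "Cardiology"))
```

In this sample the service account `svc-backup` surfaces as unclaimed, and the inactive nurse E003 still holds an EHR login and a pass into the pharmacy, which is exactly the kind of finding the security officer is looking for.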

License management and more
In addition to the benefits of setting up more efficient processes for the inflow, transfer and outflow of employees and proactively identifying and responding to security incidents, core registration can be used for audits. Because of the availability of a centralized dashboard for keeping track of who has access to which applications, it will be easier to pass software license audits. In this scenario, the dashboard will work as a business intelligence tool for authorizations.

Core registration can also be used to control license costs. Using a technique called role mining, insight can be gained into which applications are available on average to each organizational role. This matching may lead to the conclusion that 90 percent of employees in a particular organizational role (e.g. nurse at the cardiology department) use a particular application, like the scheduling system. Once it has been identified which applications are required for a particular organizational role, it is easy to pinpoint employees in the same role who use different applications. In such cases an additional check can be performed; after all, it is more than likely that the employee in question is unnecessarily incurring license costs.

Finally, any events triggered by the core registration will result in a network action. By linking the core registration to a provisioning system, these network actions can be implemented automatically. When an employee leaves the organization, the provisioning system will set in motion the procedure for shutting down the user account.


For more information, please visit our website.

Friday, September 5, 2014

Four Simple Solutions for Introducing Complex Passwords

Passwords are a pain, and you’re on the hunt to make managing them easier and less offensive. Complex passwords were initially introduced to improve the security of your systems, but the introduction of such passwords, which also have to be changed regularly, leads to resistance among your employees. After all, they have to remember a multitude of password/user name combinations. This results in insecure situations where employees write down passwords on Post-Its, and in many password reset requests to the helpdesk.

Here are four simple solutions that you can introduce for managing complex passwords that won’t cause frustration among users.

Reduce the number of passwords with single sign-on. Reduce the number of passwords and ensure that employees only have to remember one (complex) password instead of dozens. Single sign-on (SSO) offers the ability to do this. SSO lets employees log in just once, after which access is automatically granted to all applications and systems the user might open. So the staff member doesn’t have to log in afresh for each application. And that saves an average of three to five logins with varying passwords each day.

Perhaps you want to do away with even this one remaining password? In that case, SSO can be deployed in combination with an access pass. The security card your employees use to gain access to the premises or parts of the premises, then replaces the final password/user name combination. By presenting a card to or into a reader and, if required, entering a PIN code, the user is automatically logged in. When the employee again presents the card to a reader, he or she is then logged out.

Automatic password synchronization. Wouldn’t it be ideal if the same password/username combination could be used for every application? The difficulty here is that the passwords almost always have an expiry date and need to be renewed regularly. Typically, the expiry date is not the same for every application. For some applications a new password has to be set monthly, while other software might only require it once a year. It’s virtually impossible for users to reset a newly introduced password in all the other required applications so that the password would then indeed be identical everywhere.

However, you can automate this very well with password synchronization solutions, which ensure that passwords are and remain synchronized across multiple systems. The newly set password is immediately intercepted and forwarded to all other applications.

Help users to create strong passwords. Employees often find it difficult to come up with complex passwords. Some applications insist that the password must contain an uppercase letter, a punctuation mark or a digit. Or that the password must differ from the old one by X percent.

That’s why users need some help in creating new, strong passwords. Password creation tools assist users in producing their passwords. The established complexity rules are shown when users configure a new password, and they are notified whether the relevant requirements have been met.
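The check behind such a password creation tool, as an added example that is not part of the original post: it evaluates a candidate password against each complexity rule named above, including the “must differ from the old one by X percent” rule, and reports per rule whether it has been met so the user can be told exactly what is still missing. The rule set, the 50 percent threshold and the use of difflib's similarity ratio as the measure of change are assumptions for the example.

```python
"""Added example (not the post's own code): per-rule feedback for a
candidate password. Rule set, thresholds and the similarity measure are
assumptions for the example."""
import difflib
import string

POLICY = {
    "min_length": 12,
    "uppercase": True,
    "lowercase": True,
    "digit": True,
    "punctuation": True,
    "min_change_percent": 50,  # how much the new password must differ from the old one
}


def percent_changed(old, new):
    """0..100: how different `new` is from `old`, via difflib's similarity ratio."""
    if not old:
        return 100.0
    ratio = difflib.SequenceMatcher(None, old, new).ratio()
    return round((1.0 - ratio) * 100, 1)


def check_password(candidate, old=None, policy=POLICY):
    """Rule name -> met? so the tool can show every requirement, not just a verdict."""
    return {
        "length": len(candidate) >= policy["min_length"],
        "uppercase": not policy["uppercase"] or any(c.isupper() for c in candidate),
        "lowercase": not policy["lowercase"] or any(c.islower() for c in candidate),
        "digit": not policy["digit"] or any(c.isdigit() for c in candidate),
        "punctuation": not policy["punctuation"] or any(c in string.punctuation for c in candidate),
        "changed_enough": percent_changed(old, candidate) >= policy["min_change_percent"],
    }


def unmet(candidate, old=None, policy=POLICY):
    """Names of the rules the candidate still fails, in policy order."""
    return [rule for rule, ok in check_password(candidate, old, policy).items() if not ok]


def is_acceptable(candidate, old=None, policy=POLICY):
    return not unmet(candidate, old, policy)


if __name__ == "__main__":
    old = "Winter2014!!"
    for new in ("Winter2015!!", "Correct-Horse-Battery-9"):
        print(new, check_password(new, old), f"{percent_changed(old, new)}% changed")
```

The first candidate in the usage block meets every complexity rule yet fails, because a year bumped by one is the kind of change users make when forced to rotate; the second passes all rules.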

Let users reset their passwords themselves. As mentioned earlier, the introduction of complex passwords leads to an increase in the number of password reset requests to the helpdesk. To ease the burden on the helpdesk, it’s possible to let users reset their passwords themselves. Users identify themselves by correctly answering a number of personal questions (e.g. “What’s your mother’s maiden name?”) and can then reset their own passwords, without the intervention of the helpdesk.
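The identification step of the self-service reset described above, as an added example that is not part of the original post: answers to the personal questions are normalized (case and spacing) and kept only as salted PBKDF2 hashes, each answer is compared in constant time, and the reset is released when enough of the enrolled answers match. The question texts, the two-of-three threshold and the PBKDF2 parameters are assumptions for the example.

```python
"""Added example (not the post's own code): verifying personal-question
answers for a self-service password reset without storing the answers in
clear. Question texts, threshold and PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os

REQUIRED_CORRECT = 2  # answers that must match before a reset is released
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware allows


def normalize(answer):
    """Users type the same answer differently over the years; compare a canonical form."""
    return " ".join(answer.strip().lower().split())


def enroll(answers):
    """{question: plaintext answer} -> {question: (salt, hash)}; plaintext is not kept."""
    store = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
        store[question] = (salt, digest)
    return store


def count_correct(store, given):
    """Number of enrolled questions whose given answer matches, compared in constant time."""
    correct = 0
    for question, (salt, digest) in store.items():
        candidate = hashlib.pbkdf2_hmac("sha256", normalize(given.get(question, "")).encode(), salt, ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            correct += 1
    return correct


def may_reset(store, given, required=REQUIRED_CORRECT):
    """True when the user answered enough questions correctly to reset without the helpdesk."""
    return count_correct(store, given) >= required


# Constructed enrolment for one user.
ENROLLED = enroll({
    "What's your mother's maiden name?": "Van der Berg",
    "Name of your first pet?": "Max",
    "City where you were born?": "Utrecht",
})

if __name__ == "__main__":
    print(may_reset(ENROLLED, {"What's your mother's maiden name?": "van der  berg", "Name of your first pet?": "Max"}))
    print(may_reset(ENROLLED, {"Name of your first pet?": "Rex", "City where you were born?": "Utrecht"}))
```

Keeping only hashes means a copy of the reset database does not hand out the answers, and a fixed threshold over several questions avoids releasing a reset on a single guess.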

A combination of these solutions means time-consuming registration procedures are a thing of the past and the helpdesk is relieved of the problems. Users benefit from maximum user-friendliness, while productivity rises.

Learn more at our website.