Healthcare organizations use a variety of systems that hold personal data and other collected information. The quantity of this data keeps growing, organizations expand and develop, merge and downsize, and staff turnover is constant. The result is a great many changes spread across countless systems managing this information, which makes it difficult to implement those changes across the network in a convenient way. Moreover, if the wrong authorizations are assigned, proper information security cannot be ensured.
The ability to quickly anticipate the inflow, transfer and outflow of staff requires a transparent and uniform overview of all personal data in a single source system. This is called core registration. In many organizations, core registration is absent or incomplete. In that case, the security officer must ask the various systems administrators for information to find out exactly who an employee is, what they are authorized to do and which resources they are able to access. After all, the required information is fragmented across various systems, such as the facility management system, Active Directory, the electronic health record and other systems involving complex authorizations, such as planning and scheduling applications.
Active Directory as a source system
Active Directory is often used as a source system for assigning authorizations, as well as for keeping track of additional personal or organizational information. Authorizations are then expressed, for instance, as Active Directory group memberships, and information such as room number, title and department is added to the user accounts. However, organizations that do so run into a number of limitations. First of all, Active Directory offers no place to arrange physical access. Nor is it well suited to representing people who hold multiple employment contracts and are active in several different departments.
The most important limitation of Active Directory as a source system, however, concerns the authorizations themselves: the overview it gives of a person is too limited. Active Directory groups are often used to manage access to applications, but for certain healthcare applications the authorizations are not handled via Active Directory at all, because it does not “dig deep enough” for this purpose. From Active Directory one can only see whether someone has access to an application, not what that person is allowed to do inside it.
Human resources management system as a source
Some organizations use their human resources management (HRM) system as the source for implementing changes across the network. When an employee is added to the HRM system, a user account is created immediately. However, the HRM system is not exhaustive: freelancers, medical specialists from partnerships and other third parties are often not included at all, or only partially. Furthermore, although the HRM system contains a host of data, it does not contain all the information that matters to IT.
An HRM system only answers the question “Who is this person and which role does he or she fulfil in the organization?” It does not contain information on the permissions people have (for example, which user rights an employee has in a certain system) or on the resources (phone, access pass, laptop) at their disposal.
This type of information must be derived from other systems. When somebody leaves the organization, the corresponding Active Directory account is disabled automatically. Unfortunately, the other required measures, such as blocking the access pass, collecting the mobile phone and removing the phone number from the phone systems, are not as easy to perform. Disabling user accounts in cloud-based systems is usually even more complex.
There are organizations that use role-based access control (RBAC) alongside the HRM system to set up authorization management. In this approach, authorizations are not assigned on an individual basis, but are based on pre-determined roles. These roles in turn comprise information on the department, title, location and cost center of an employee.
However, RBAC is not all-encompassing when it comes to staff transfers. RBAC provides an overview of the authorizations an employee should receive for their new role and of the authorizations that belong to their current role. The current situation may reveal that an employee has received manually assigned authorizations since they were initially provisioned; these should be re-validated during the transfer to determine whether they need to persist.
Identity Vault
Rather than using Active Directory or the HRM system as the source, a better solution is to bring these and other data together in a single, uniform pane of glass: the core registration.
The objective of core registration is to have a single, leading registration for all identities across the organization. With core registration, personal data are retrieved from all sorts of sources (e.g. the HRM system, scheduling, flex pool management, Active Directory and the facility management system). These may include name, address and town details, information on the employment contract, the room number, title and manager of the employee, as well as the resources in use, such as the phone and access pass. All data are compiled in the core registration. This set of data is also known as an identity vault.
The core registration is authoritative for the assignment of physical and logical access. All authorizations across the network are loaded into the core registration, stored and made searchable. The core registration provides a 360-degree overview of people’s identity, what they are allowed to do and which resources they have at their disposal. Employees who are not listed in the core registration get no access to the network and no physical access to (parts of) the building.
Every change in a source system results in a modification of the core registration. Since the data is searchable, the security officer can look up a person and directly see in which systems that person is present, under which identities, and what the person in question is allowed to do. The security officer can also see, for each department and team, which rights are used by whom, so that any anomalies can be quickly identified.
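The following Python is an added illustration, not code from the original post: it builds a core registration from constructed sample extracts of an HRM system, Active Directory, the facility management system and an EHR application, provides the lookup the security officer would perform, and flags access the registration does not justify (identities linked to no person, and leavers whose accounts or passes are still active). All system names, field names and records are assumptions.

```python
from collections import defaultdict

HRM = [  # constructed sample HRM extract (not real data); "pnr" = personnel number, end=None means active
    {"pnr": "1001", "name": "A. Jansen", "dept": "Cardiology", "end": None},
    {"pnr": "1002", "name": "B. de Vries", "dept": "ICU", "end": "2023-12-31"},
]
ACTIVE_DIRECTORY = [  # accounts and group memberships; one account has no linked person
    {"pnr": "1001", "id": "ajansen", "enabled": True, "groups": ["EHR-Users", "Rostering-RO"]},
    {"pnr": "1002", "id": "bdevries", "enabled": True, "groups": ["EHR-Users"]},
    {"pnr": None, "id": "svc-legacy", "enabled": True, "groups": ["Domain Admins"]},
]
FACILITY = [  # access passes issued by the facility management system
    {"pnr": "1001", "id": "pass P-77", "zones": ["Ward 3", "Pharmacy"]},
    {"pnr": "1002", "id": "pass P-78", "zones": ["ICU"]},
]
EHR = [  # in-application roles, which an AD group membership alone does not reveal
    {"pnr": "1001", "id": "ajansen", "role": "Nurse: read/write own ward"},
]
SOURCES = {"Active Directory": ACTIVE_DIRECTORY, "Facility": FACILITY, "EHR": EHR}

def build_vault():
    """Merge every source into one record per personnel number: the core registration."""
    vault = defaultdict(lambda: {"hrm": None, "entries": []})
    for person in HRM:
        vault[person["pnr"]]["hrm"] = person
    for system, records in SOURCES.items():
        for rec in records:
            vault[rec["pnr"]]["entries"].append((system, rec))
    return vault

def lookup(vault, pnr):
    """360-degree view of one person: where they exist, as whom, with which rights and resources."""
    entries = vault[pnr]["entries"]
    return {
        "systems": sorted({system for system, _ in entries}),
        "identities": sorted({e["id"] for system, e in entries if system != "Facility"}),
        "permissions": sorted(g for _, e in entries for g in e.get("groups", [])) + [e["role"] for _, e in entries if "role" in e],
        "resources": [e["id"] for system, e in entries if system == "Facility"],
    }

def find_anomalies(vault, today):
    """Access the core registration does not justify: unlinked identities, and leavers still provisioned."""
    findings = []
    for pnr, rec in vault.items():
        hrm = rec["hrm"]
        for system, e in rec["entries"]:
            if hrm is None:
                findings.append(f"{system}: {e['id']} is not linked to any person in the core registration")
            elif hrm["end"] and hrm["end"] < today and e.get("enabled", True):
                findings.append(f"{system}: {e['id']} still active for leaver {pnr} (contract ended {hrm['end']})")
    return sorted(findings)
```

Records without an `enabled` flag (such as access passes) are treated as active, so a leaver's pass is reported until the facility system confirms it is blocked.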
License management and more
In addition to the benefits of setting up more efficient processes for the inflow, transfer and outflow of employees and proactively identifying and responding to security incidents, core registration can be used for audits. Because of the availability of a centralized dashboard for keeping track of who has access to which applications, it will be easier to pass software license audits. In this scenario, the dashboard will work as a business intelligence tool for authorizations.
Core registration can also be used to control license costs. Using a technique called role mining, insight can be gained into which applications are typically available for each organizational role. This matching may lead to the conclusion that 90 percent of employees in a particular organizational role (e.g. nurse at the cardiology department) use a particular application, such as the scheduling system. Once it has been identified which applications are required for a particular organizational role, it is easy to pinpoint employees in the same role who use different applications. In such cases, an additional check can be performed. After all, it is more than likely that the employee in question is unnecessarily incurring license costs.
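As an added example (not code from the original post), the Python below performs the role mining described above on a constructed entitlement extract: it computes, per organizational role, the share of accounts holding each application, takes the applications at or above the 90 percent threshold as the role's baseline, and then points out accounts whose applications deviate from their peers, the candidates for a license check. Role names, application names and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed entitlement extract (not real data): (account, organizational role, applications licensed).
USAGE = [(f"n{i:02d}", "Nurse Cardiology", {"EHR", "Scheduling"}) for i in range(1, 10)]
USAGE += [
    ("n10", "Nurse Cardiology", {"EHR", "Finance Reporting"}),  # no scheduling licence, but a finance one
    ("c01", "Cardiologist", {"EHR", "Cardiology PACS", "Scheduling"}),
    ("c02", "Cardiologist", {"EHR", "Cardiology PACS"}),
]

def role_profiles(usage, threshold=0.9):
    """Role mining: per role, the share of accounts holding each application and the baseline set
    of applications that at least `threshold` of the role's members hold."""
    members = Counter(role for _, role, _ in usage)
    app_users = defaultdict(Counter)
    for _, role, apps in usage:
        app_users[role].update(apps)
    profiles = {}
    for role, counts in app_users.items():
        share = {app: n / members[role] for app, n in counts.items()}
        profiles[role] = {"share": share, "baseline": {a for a, s in share.items() if s >= threshold}}
    return profiles

def license_review(usage, profiles, rare=0.2):
    """Accounts that hold applications few peers in the same role hold (likely avoidable licence
    costs), or that lack an application the role normally has (worth a second look too)."""
    findings = []
    for account, role, apps in usage:
        unusual = sorted(a for a in apps if profiles[role]["share"][a] < rare)
        missing = sorted(profiles[role]["baseline"] - apps)
        if unusual or missing:
            findings.append({"account": account, "role": role, "unusual": unusual, "missing_baseline": missing})
    return findings

if __name__ == "__main__":
    profiles = role_profiles(USAGE)
    for role, prof in profiles.items():
        print(role, "baseline:", sorted(prof["baseline"]))
    for finding in license_review(USAGE, profiles):
        print(finding)
```

Shares for very small roles (here the two cardiologists) are not statistically meaningful; in practice a minimum role size would be applied before acting on the result.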
Finally, any events triggered by the core registration will result in a network action. By linking the core registration to a provisioning system, these network actions can be implemented automatically. When an employee leaves the organization, the provisioning system will set in motion the procedure for shutting down the user account.
For more information, please visit our website.