The Importance of Planning an Identity Management Strategy in Healthca

Views:
 
     
 

Presentation Description

No description available.

Comments

Presentation Transcript

The  importance  of  planning  an  identity   management  strategy A  Case  Study  at  South  Jersey  Healthcare (SJHS) :

The  importance  of  planning  an  identity management  strategy A  Case  Study  at  South  Jersey  Healthcare (SJHS) François Bodhuin Technology Director, South Jersey Healthcare Frank Villavicencio Executive Vice President, Identropy Annual DV-NJ HIMSS Conference Atlantic City, NJ September 22-23, 2011

Outline:

Outline

Why is Identity & Access Management (IAM) Important?:

Why is Identity & Access Management (IAM) Important?

Concepts and Strategy:

Concepts and Strategy First let’s define I&AM IM – Directory, … AM – Complex Passwords, two factor authentication … $ savings – Provisioning … In order to make above workable and acceptable with users … Single sign On Follow me desktop Follow me Printing Tap &Go Case of an application which went bad and lessons learned – first implementation of SSO at SJHS

Different Interests in IAM…:

Different Interests in IAM…

What Do I Care?:

What Do I Care?

IAM and Meaningful Use:

IAM and Meaningful Use Identity assurance is at the heart of the Health IT agenda for electronic health information Excerpt from 45 CFR Part 170 - §170.210 “Standards for health information technology to protect electronic health information created, maintained, and exchanged” (d) Cross-enterprise authentication. A cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails must be used. (t) Authentication. (1) Local. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information. (2) Cross network. Verify that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information in accordance with the standard specified in §170.210(d).

What nobody tells you about IAM:

What nobody tells you about IAM

Slide 9:

The Top 10 Common Pitfalls of an IAM Initiative Focusing on technology before business processes Automating bad processes Having an unsupportable infrastructure (leads to abandoning the roadmap) Lack of a roadmap (the initiative loses direction) Lack of executive sponsorship Treating IAM as a project, not as a program Too much, too soon Not managing expectations for the dollars allotted Lacking the necessary combination of skills Poor technical architecture

It is a Lifecycle Process… You’re Never Done:

Access Certification Identity Management Roles Management Simplified Secure Access Password Management It is a Lifecycle Process… You’re Never Done

Plan-Build-Run (PBR) Team Org:

Plan-Build-Run (PBR) Team Org

IAM Program Governance Model:

IAM Program Governance Model Lean Model Formal Model Regardless of your preference, you must define and adopt a governance model for your program

IAM strategy at South Jersey Healthcare:

IAM strategy at South Jersey Healthcare

Our Thought Process:

Our Thought Process

SJHS’s Identity Initiative Definition:

SJHS’s Identity Initiative Definition Define Identity Governance Processes Improve Security Posture Operational Efficiency Adopt appropriate balance of security tools and procedures to mitigate internal and external threats, in adherence to best industry practices. Define and implement the appropriate business process to govern the identity and access lifecycle of the various SJHS users, with an eye towards visibility and accountability on the access that a given user is granted. Streamline and simplify end user experience and reduce time to complete daily tasks relating to identity and access management (i.e. reduced or single sign-on, self-service, workflow-driven request and approval, audit and compliance reporting automation, etc.)

SJHS’s IAM Roadmap :

Phase I (3 months) Phase II (5 – 6 months) Phase III (5 months) Phase IV (4 – 5 months) Identity data mapping and namespace design SJHS’s IAM Roadmap Reduced sign-on Streamline termination process Perform Identity data cleanup and reconciliation Automate access request workflow process: Consolidate & automate access granting workflows Implement identity audit reporting solution Consolidate interfaces for requesting access Implement access re-certification solution Identity activity monitoring SSO & graded authentication Adopt 45 CFR Part 170 authentication Identity federation Identity governance processes definition Automated provisioning & de-provisioning – Part I (including birthrights) Password management Automate termination process Automated provisioning & de-provisioning – Part II Roles management Roles strategy definition and mining

Proposed Implementation Team:

Core Implementation Team Proposed Implementation Team Application Development ISO DBA Facilities (Security) Compliance Officer Human Resources Information Systems Networking IS Operations Other Business Stakeholders*

Where are we at? :

Where are we at? IAM Roadmap Reconciled with overall IT Strategy 2012 Funding Request Submitted …

Some Lessons Learned :

Some Lessons Learned

Q&A:

Q&A

Contact Us:

Contact Us François Bodhuin Technology Director, South Jersey Healthcare franbodh@sjhs.com Frank Villavicencio Executive Vice President, Identropy frank@identropy.com www.identropy.com/blog

authorStream Live Help