Transforming Logical Access Control for a Hospital Network
Session 408, March 7, 2018
Scott Ellis, Interim CISO, St. Luke’s University Health Network
Andrew Tarbox, CEO, Thornebrook, LLC
Conflict of Interest
Scott Ellis, CISSP, HCISPP, PCIP
Andrew Tarbox, B.S.
Have no real or apparent conflicts of interest to report.
Agenda
• St. Luke’s Then and Now
• Access Control System Goals
• Identity Management Overview
• IDAM is a Program not a Project
• Strategy and Approach
• Lessons Learned
• Round Table Discussions
Learning Objectives
• Analyze the time and budget required to transform a hospital system to automated access control
• Explain the value of a hybrid access control model that uses both Role Based and Attribute Based Access Control (RBAC + ABAC)
• Perform an analysis of the number, type and access requirements of the organization's applications
• Illustrate a methodology to build a comprehensive organizational chart and reporting structure
• Discuss the differences between job titles and access roles and attributes
Transforming Logical Access Control for a Hospital Network
HIMSS 2018
Proud Heritage at St. Luke’s
• Founded March 1872
• Oldest Nursing School in the Country - Established 1884
St. Luke’s Today
• 7 Major Campuses - Acquiring 2 more Hospitals in early 2018
• 350 Locations, 14,000+ Staff, 1,000+ Students – Full Teaching Hospital
• St. Luke's is a Stage 7 HIMSS Analytics EMR Adoption Model hospital
• Covering Eastern Pennsylvania and Western New Jersey
Staffing by Major Groups
[Chart: staffing split across Clinical, Admin and Education]
Headcount by General Ledger Coding
[Chart: headcount by GL code across Campuses, Admin - IT and St. Luke’s Physicians Group]
Access Control System Goals
• Improved Security
• Privacy Enhancing
• Easier To Use
• More Efficient
• Cost Effective
Identity and Access Management
Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Authentication
• Single Sign On
• Password Services
• Multi Factor Authentication
• Device Management
Authorization
• Role & Attribute Based Access
• Provisioning
• Audit and Review
User Management
• Delegated Administration
• User and Role Management
• Provisioning
• Password Management
Central User Repository
• Integration directly to Workday
• Organized Directory
• Data Synchronization
• Link with applications and systems
Source: The Hong Kong Polytechnic University
Benefits of Identity and Access Management
• 95% increase in productivity in account activity
• One username and password - Extends SSO capability to software, cloud services, web and virtual applications
• 80% reduction in security risk caused by unmanaged user access
• Clearly defined and segregated business roles
• Proactive and secure response to BYOD access to the network
• Increased visibility and clarity into change control process
• Improved Audit and Compliance
IDAM is a Program not a Project
• Impacts EVERYONE – A Corporate Program
• As much a business change as a technical change
– This is not an IT Program
– Involve Stakeholders across the organization - Our Governance Committee meets monthly
– Inform and continually advise senior management
• Implementing a full IDAM system is a journey
• Time is our friend
– Seeking quick results can lead to disaster
• Think of this as a sweeping program
– With a number of significant projects
Program Timeline
• Estimated Three Year Program
• Four Major Phases
– Planning and Preparation
– Deployment (Epic – A Separate Project Within Deployment)
– Optimize
– Maintenance
[Gantt chart: Plan & Prep, Deploy, Optimize and Maintenance phases laid out month by month from June 2017 through December 2019]
5 Year Budget
Identity, Access Management, Governance Software          $750,000
Staff Realignment – 10 people @ $90K/year (fully loaded)  -$4,500,000
Savings                                                   $3,750,000
Deployment Process
[Diagram: tracks Learn, Policy, Pilot, Deploy and Evaluate, with Advise alongside; tracks can be overlapped]
Source: Thornebrook Associates
Waterfall vs Agile
• It’s a moving target
• You will never know enough to write the plan
• Gather the data
• Go with the flow
• Demonstrate Success
• Know the end goal
• Optimize later
RBAC / ABAC Hybrid Solution
• Roles are not enough
– Roles alone will yield thousands of roles
• You also need attributes
– Location
– Certifications
– Department
• Role + Attributes = Manageable Access Control
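The following is an added example (not code from St. Luke’s or Thornebrook) of what the hybrid model looks like in practice: a baseline set of applications keyed by role, plus attribute rules over location, department and certifications that grant the extras. The roles, attribute names, application names and rule set are constructed assumptions. The roles_only_count function also makes the "thousands of roles" point concrete by counting how many distinct named roles a pure RBAC design would need to reproduce the same entitlements.

```python
"""Hybrid RBAC + ABAC entitlement calculation.

Added example, not code from St. Luke's or Thornebrook. The roles, the
attribute names (location, department, certifications), the application
names and the rule set are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from itertools import combinations, product


@dataclass(frozen=True)
class Worker:
    """Identity record as it might be synchronised from the HR system."""
    employee_id: str
    role: str                    # access role derived from job profile / GL code
    location: str
    department: str
    certifications: frozenset = field(default_factory=frozenset)


# RBAC layer: baseline applications granted purely by role (assumed values).
ROLE_BASELINE = {
    "RN":          frozenset({"email", "ehr", "timekeeping"}),
    "Physician":   frozenset({"email", "ehr", "dictation"}),
    "Maintenance": frozenset({"email", "timekeeping", "work-orders"}),
}

# ABAC layer: (role, or None for any role; predicate on attributes; extra apps).
# Folding these attributes into the role name instead would multiply the
# role count by every location x department x certification combination.
ATTRIBUTE_RULES = [
    ("RN", lambda w: w.department == "Oncology",          frozenset({"chemo-ordering"})),
    ("RN", lambda w: "ACLS" in w.certifications,          frozenset({"code-team-paging"})),
    (None, lambda w: w.location == "Warren",              frozenset({"warren-badge-system"})),
    (None, lambda w: w.department in ("Oncology", "ICU"), frozenset({"ehr-inpatient-module"})),
]


def effective_access(worker: Worker) -> frozenset:
    """Baseline apps for the role, plus every attribute rule that matches.

    An unmapped role is an error rather than an empty grant, so a job
    profile HR has not yet cleaned up cannot silently fall through to some
    default (least privilege by construction).
    """
    if worker.role not in ROLE_BASELINE:
        raise LookupError(f"no access role mapped for job role {worker.role!r}")
    apps = set(ROLE_BASELINE[worker.role])
    for role, predicate, grants in ATTRIBUTE_RULES:
        if role in (None, worker.role) and predicate(worker):
            apps |= grants
    return frozenset(apps)


def roles_only_count(roles, locations, departments, certs) -> int:
    """Minimum number of named roles a pure-RBAC design would need.

    Enumerates every attribute combination and counts the distinct
    entitlement sets, since pure RBAC needs one role per distinct set.
    """
    cert_subsets = [frozenset(c) for n in range(len(certs) + 1)
                    for c in combinations(certs, n)]
    distinct = set()
    for role, loc, dept, cs in product(roles, locations, departments, cert_subsets):
        distinct.add(effective_access(Worker("n/a", role, loc, dept, cs)))
    return len(distinct)


def hybrid_object_count() -> int:
    """Objects an administrator maintains in the hybrid design: roles + rules."""
    return len(ROLE_BASELINE) + len(ATTRIBUTE_RULES)


if __name__ == "__main__":
    nurse = Worker("100001", "RN", "Warren", "Oncology", frozenset({"ACLS"}))
    print(sorted(effective_access(nurse)))
    print("pure RBAC roles needed:",
          roles_only_count(["RN", "Physician", "Maintenance"],
                           ["Warren", "Bethlehem"],
                           ["Oncology", "ICU", "Facilities"],
                           ["ACLS"]))
    print("hybrid roles + rules:", hybrid_object_count())
```

With only three roles, two locations, three departments and one certification, the pure RBAC design already needs 20 named roles to express what the hybrid design expresses with 3 roles and 4 rules; real campus, department and credential counts push the first number into the thousands the slide warns about.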
Determining Roles is a Challenge
• Job Profiles are a bit of a mess
– Cleanup under way by HR
– Mixed Job Profile with other Attributes
• General Ledger Codes plus attributes are cleaner
– Location(s)
– Supervisor(s)
– Options from Supervisor
Simple to Complex Access
We will apply lessons learned early from simple small departments to more complex and larger departments later in the deployment
[Diagram: progression from simple to complex access and from small to large groups, labelled RN, Warren, Oncology, Internal Epic Attributes and Maintenance]
Current Access Request Methods
Users | Requester | Process
Employees - SLUHN | Any Manager | ServiceNow Onboarding Form
Employees - SLPG | Any Manager | Web Form/Paper Process
Non-Employed Credentialed Staff | Medical Affairs | Paper Process
Contractors | Any Manager | Paper Process
Volunteers | Volunteer Services | Paper Process
Students | Dept of Medical Education, Nursing Services, Volunteer Services, Physician Services, and Medical Affairs | Paper Process
Community Referring Physicians | Medical Affairs | Paper Process
Vendors | Any Manager | Paper Process
Fine Grained Access Control
• Many Applications have access control within the application – Fine Grained Control
– Epic, MSCM, Finance, ServiceNow
• Where possible – do this in the optimization phase
– Time consuming
– Requires connectors and more
– May require a lot of input from Managers
• The Big Apps have a small team managing the App
– Lots of nuances and exceptions
Lessons learned – So Far
• Take time to understand and plan
– Know the adversary – Lack of Knowledge
• HR will not solve the Role Challenge
• One Source of Truth but many Authoritative Sources
– Workday – HR System is our Source of Truth
– Epic, Echo, Active Directory, ServiceNow and more have important data
• If Possible, One Unique Identity per Person
• Meet Face to Face with Application Owners
• Meet Face to Face with Department Managers
Round Table Discussion
Source of Truth & Authoritative Sources
• Source of Truth – HR System – Workday
– Job Title
– Cost Center
– Supervisor
• Authoritative Sources
– Epic
– Echo
– ServiceNow
– Active Directory
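The distinction between one source of truth and several authoritative sources becomes an audit job: compare what the authoritative systems hold against what HR says, and classify every disagreement. The following is an added example (not code from St. Luke’s or Thornebrook) that does this for a constructed Workday export and a constructed Active Directory export; the record layouts, the field names and the rule that Workday wins for job title and cost center are assumptions that follow the slide, not a description of any real Workday or Active Directory integration. It also catches the "one unique identity per person" failure from the lessons-learned slide, where one worker has two enabled accounts.

```python
"""Reconciling the HR source of truth with an authoritative source.

Added example, not code from St. Luke's or Thornebrook. The records below
are constructed; the field names and the rule that Workday wins for job
title and cost center are assumptions that follow the slide, not a
description of any real Workday or Active Directory integration.
"""
from collections import defaultdict

# Constructed Workday export: source of truth for title, cost center, supervisor.
WORKDAY = [
    {"employee_id": "100001", "job_title": "RN",          "cost_center": "6120", "supervisor": "100900", "status": "Active"},
    {"employee_id": "100002", "job_title": "Physician",   "cost_center": "7010", "supervisor": "100901", "status": "Active"},
    {"employee_id": "100003", "job_title": "Maintenance", "cost_center": "3300", "supervisor": "100902", "status": "Terminated"},
    {"employee_id": "100004", "job_title": "RN",          "cost_center": "6120", "supervisor": "100900", "status": "Active"},
]

# Constructed Active Directory export: authoritative for the account itself
# (sAMAccountName), but its copies of HR fields can drift from Workday.
ACTIVE_DIRECTORY = [
    {"employee_id": "100001", "sam": "jdoe",       "title": "RN",          "cost_center": "6120", "enabled": True},
    {"employee_id": "100001", "sam": "jdoe2",      "title": "RN",          "cost_center": "6120", "enabled": True},
    {"employee_id": "100002", "sam": "asmith",     "title": "Physician",   "cost_center": "7020", "enabled": True},
    {"employee_id": "100003", "sam": "bjones",     "title": "Maintenance", "cost_center": "3300", "enabled": True},
    {"employee_id": None,     "sam": "svc-legacy", "title": "",            "cost_center": "",     "enabled": True},
    {"employee_id": "100009", "sam": "old-acct",   "title": "Clerk",       "cost_center": "1000", "enabled": False},
]

# HR field -> AD attribute that is supposed to mirror it (assumed mapping).
MIRRORED_FIELDS = {"job_title": "title", "cost_center": "cost_center"}


def reconcile(workday, active_directory):
    """Compare enabled AD accounts against HR and classify the discrepancies.

    unlinked:      enabled account with no employee_id, or one HR has never seen
    orphaned:      enabled account whose worker is no longer Active in HR
    duplicate:     more than one enabled account for the same person
    drift:         mirrored attribute differs from the source of truth
    unprovisioned: Active worker with no enabled account at all
    """
    hr = {w["employee_id"]: w for w in workday}
    accounts = defaultdict(list)
    findings = {k: [] for k in ("unlinked", "orphaned", "duplicate", "drift", "unprovisioned")}

    for acct in active_directory:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this pass
        emp = acct["employee_id"]
        if emp is None or emp not in hr:
            findings["unlinked"].append(acct["sam"])
            continue
        accounts[emp].append(acct["sam"])
        worker = hr[emp]
        if worker["status"] != "Active":
            findings["orphaned"].append(acct["sam"])
            continue
        for hr_field, ad_attr in MIRRORED_FIELDS.items():
            if worker[hr_field] != acct[ad_attr]:
                # Workday is the source of truth: record current vs. expected value.
                findings["drift"].append((acct["sam"], ad_attr, acct[ad_attr], worker[hr_field]))

    for emp, sams in accounts.items():
        if len(sams) > 1:
            findings["duplicate"].append((emp, sorted(sams)))
    for emp, worker in hr.items():
        if worker["status"] == "Active" and emp not in accounts:
            findings["unprovisioned"].append(emp)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(WORKDAY, ACTIVE_DIRECTORY).items():
        print(f"{kind:14s} {items}")
```

The orphaned and duplicate lists are the ones to act on first: an enabled account for a terminated worker and a second account for the same person are exactly the "unmanaged user access" the benefits slide refers to, and neither shows up if each system is only audited on its own.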
Strategy - Empowering Managers
• Managers are the front line to success
• Follows the current model and process
– Current 5 page online form to select applications for their staff
– In the future much shorter – only options that are relevant
• Managers know what their staff needs
– Default applications that fit the role and attributes
– Select other applications that are options for that department
• Managers will attest to access requirements
– Periodically
Do you know what applications you have?
[Chart: 246 Major Applications to Migrate (Level 1 – Most Critical) and 250+ Unknown Applications]
How many to support automatically?
Source: St. Luke’s Internal Data
How will you Approach IAM?
• Business change or IT
• Project or Program
• How Long will it take
What are your Goals?
• Improved Security
• Privacy Enhancing
• Easier To Use
• More Efficient
• Cost Effective
Scott Ellis
Interim CISO
St. Luke’s University Health Network
scott.ellis@sluhn.org
Andrew Tarbox
CEO
Thornebrook, LLC
awt@thornebrook.com
Mobile 518-301-0731