
GCA Technology Healthcare Identity Management Case Study


DESCRIPTION

This Identity Management project won the “Project of the Year” award at the Information Security Executive (ISE) of the Year Awards in Atlanta, GA. The ISE Southeast Award recognizes the information security executives and their teams who have demonstrated outstanding leadership in risk management, data asset protection, regulatory compliance, privacy, and network security. Additionally, the project was named a finalist for the North American Project of the Year.


GCA TECHNOLOGY SERVICES GETS HEALTHCARE

GROUND BREAKING IDENTITY MANAGEMENT IMPLEMENTATION

www.gca.net | 888.422.9786

THE HEALTHCARE CUSTOMER

Our customer is one of the leading operators of general acute care hospitals in the United States. The organization was founded in 1985 and has 220,000+ users. Our customer is one of the largest publicly-traded hospital companies in the United States and a leading operator of general acute care hospitals in non-urban and mid-size markets throughout the country.

The organization and its affiliates own, operate, or lease over 134 hospitals in 29 states. This brings the total licensed bed count to approximately 20,000. Its hospitals offer a broad range of inpatient and surgical services, outpatient treatment and skilled nursing care. The organization also provides management and consulting services to non-affiliated general acute care hospitals located throughout the United States.

THE CHALLENGE

The healthcare organization was manually provisioning rights and access to new employees (corporate employees, physicians, nurses, etc.). Provisioning new users (and deprovisioning terminated users) took 24 hours. On average, it took up to three weeks for those employees to gain access to the systems they are required to use based upon their job function/role. These delays were due to the manual process for workflow approvals. Like the majority of organizations, the customer had an inconsistent process for archiving role-based exceptions (needed for compliance), undefined employee-to-manager relationships, no synchronization across multiple applications/platforms, no auditing or mapping of users to applications and access, and limited password self-service. Clinicians were required to remember multiple usernames and passwords, causing an influx of password reset calls to the help desk.

It was decided that its process for managing the lifecycle of its employees was not as efficient and cost-effective as it could be. The overall goal of the Identity Management project was to tune, expand and enhance the current provisioning system so that the organization could maintain an employee’s complete set of identity information, which spans multiple business and technical contexts. This allowed the IS team to condense identity and access provisioning methods, which ultimately improved data consistency and accuracy as well as security across the multiple systems that clinicians access to provide patient care.

The user count grew rapidly as the organization acquired new hospitals. The local IT team had to import the new identities to the IDM system and make sure they were set up the same as existing users within the organization’s user provisioning environment.

On average, it took up to three weeks for the employees of the newly acquired hospital to be fully provisioned to their applications and systems. It now takes 5-15 minutes.

[Chart: User Count vs Time, 2004 to 2012; vertical axis from 0 to 250,000 users]

PROJECT STAKEHOLDERS AND GOALS

At the time of implementation, the project supported 140,000 employees including physicians, clinicians, hospital administrators, information systems staff, consultants, and physician office staff. The project also supported approximately 60,000 remote users. As of March 2012, the project reportedly supports over 220,000 users, with more users being added daily.

Our customer listed the following as goals for their identity management project:

- Provision a single user account for multiple applications
- Reduce multiple user accounts to a single account for system access
- Real time provisioning of new and terminated users
- Password reset capabilities for multiple systems
- Create manager to employee relationships for organizational charts
- Reduce support calls handled by local facility IS
- Time bound provisioning for consultants / contractors
- Compliance auditing and reporting of provisioning
- User to application access mapping and reporting

THE PROJECT DETAILS

NetIQ Identity Manager 4.0 was recommended as an upgrade to the existing Identity Manager 2.0 solution, thus preventing relicensing and reworking of their existing architecture. Utilizing the 5 existing physical servers, we extended these by adding 25 virtual servers to encompass a larger portion of their provisioning. The number of servers added was based on the sheer scale of the solution. Additionally, high availability was built into the solution so that one third of the solution can be down at any given time. Due to the hundreds of connections being made to different systems, the architecture was chosen for its high scalability.

Old Environment: 5 Servers

New Environment: 5 Physical Servers, 25 Virtual Servers

GCA Technology Services planned the project in several phases. Phase I was an infrastructure and application upgrade slated to start in October 2009. Phase II and III (A) consisted of expanding and enhancing clinical applications. Phase III (B) added many more premise-based clinical applications and connected to several cloud (SaaS) applications. The ongoing Phase IV expanded upon the clinical application connectors and assisted the customer with production rollouts to newly acquired hospitals. GCA Technology Services worked alongside the healthcare organization’s team of information security professionals to complete each project phase on time and on budget.

The project team from GCA Technology Services custom developed clinical drivers along with workflows and entitlements for the McKesson, Ultipro, Meditech, AllScripts, HMS, and Keane suite of clinical products. GCA Technology Services’ engineers were able to work with these healthcare applications and custom develop drivers with enhanced functionality. These drivers enabled NetIQ Identity Manager to automatically provision, deprovision, and modify user accounts in each of the applications based on the user’s role.

Determining the access required for each user was a problem. Utilizing a paperwork approval process slowed the

came to their department. There are multiple areas where an employee could make a mistake on the form. This

payroll database, the customer was able to get up to the minute status of new and terminated users. GCA Technology Services decided to connect to payroll because the information contained in such a database is typically the most accurate source of user’s information within an organization. The payroll information also gave insight to help determine a baseline role for most of the provisioning required such as, assigned position,

locations.

Employees now request access directly through the IDM system. The access approver

They now are able to grant access immediately through the IDM system which provisions the employee directly to the application.

[Diagram: User, Access Approver, Identity Management System, Application A]

Based on the data mined from the payroll system, the project team was able to determine the facility and department of a user, which allowed the provisioning of the user automatically to only the clinical applications that they need access to. They standardized their facilities on the same applications across those hospitals and the automated provisioning based on the roles. This allowed the organization to roll out the applications at their

application could be performed in a matter of minutes, not days or weeks. These clinical drivers, the key to

project delivered a single username and password to all locations for 16 applications and that list is growing today.

The project team also integrated NetIQ Sentinel (SIEM) with the Identity Manager. This allows the organization to see all IDM processes in real time and log all activity for regulatory compliance. They can watch the Role Processor (the brain behind the role-based engine) determine the role of a new user as he/she is entered into payroll while watching each of the connectors provision the role in real time. When a user is terminated, the customer can see each account as it is disabled, one by one throughout the system. If, for any reason, a connection goes down (VPN tunnel outage, local IS takes the application down for maintenance, etc.), Sentinel will show that IDM could not connect to the remote system and is waiting for it to come back online. This increased level of visibility will ensure everything within the user provisioning environment will run smoothly.

THE RESULTS

The time to add, modify or remove users once took 24 hours. With the new identity management system in place, provisioning users takes just 4 minutes.

Time to provision new users at the time of a hospital acquisition took 3 weeks. The new identity management system can now provision access to the new users in 5-15 minutes.

Identity Management improved user provisioning for our customer by reducing the amount of time to add, modify or remove users to under 4 minutes. The previous provisioning process took 24 hours. The call volumes for password resets were around 60% of the service desk's requests. Today, the volume of password-related calls is less than 10% of the total service desk call volume. Identity Management support resources have transitioned into other areas of support since the implementation. The time to provision users at the time of a

audits have been reduced by over 90% for terminated users and role-based violations.

SOUTHEAST PROJECT OF THE YEAR, 2011

On March 16, 2011, the Identity Management project won the “Project of the Year” award at the Information Security Executive (ISE) of the Year Awards in Atlanta, GA. The ISE Southeast Award recognizes the information security executives and their teams who have demonstrated outstanding leadership in risk management, data asset protection, regulatory compliance, privacy, and network security. There was stiff competition as they were nominated along with Equifax, Thomson Reuters, and the Internal Revenue Service, to name a few. However, the project prevailed and took home 2011’s top honor from the ISE. Additionally, the project was named a finalist for the 2011 North American Project of the Year.

GCA TECHNOLOGY SERVICES
1511 N. WESTSHORE BLVD. SUITE 700
TAMPA, FL 33607
[email protected]