
CAMP Med

Academic Medical Centers: Requirements and Challenges

Dwight Raum, Director Enterprise Services, Johns Hopkins University

Sandra Senti, CIO, Biological Sciences Division, University of Chicago

Copyright Dwight Raum, Sandra Senti, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Topic Overview

• Organizational issues
• Major initiatives
• Audit and regulatory compliance
• Summary

Organization at Johns Hopkins

• Traditionally the Hospital was a separate/distinct institution from the University
• About 6-7 years ago the information technology efforts were merged into IT @ Johns Hopkins
• Unification of IT resources for reasons of cohesion and cost
• Though we are the largest IT organization in the Institution, there are still other divisional IT shops
• Change takes time

One IT Organization

• One Institution – 2 different philosophies
  – Academic computing
    • Shared systems
    • Research
    • Open computing
    • Fewer rules
  – Medical computer information systems
    • Clinical applications
    • Mission critical applications directly affecting patient care
    • All aspects of the computing environment (network, security, database, interfaces and application) must be fault-tolerant and highly available

Progress

• These differences in philosophy and need stayed divergent until about 3-4 years ago
• Internally the organization began to cross over the old boundary lines
• Collaboration across the IT organization really began to take root
• Key initiatives have really begun to erase these boundaries altogether

Organization at University of Chicago

• Hospital is a separate corporation with its own board, but still comes together
• Primary UC medical organization is the Division of Biological Sciences led by the Dean
• School of Medicine overlays the Division
• Hospital, Division, & University each have their own IT groups

Organization & Business Drivers

• Hospital – supports clinical medicine and applications, business of the Hospital
• Division – supports some clinical medicine and applications, research, business of the Division
• School of Medicine – supports academic medicine, business of teaching and learning
• University – supports academic and administrative needs of the University

IT Philosophy/Support

• Hospital supports standard hardware with standard software installs
• Division supports a broader range of both, plus allows flexibility for research
• University supports general tools for the entire community
• Not always clear who to call

Shared Physical Facilities

• Large complex is shared by the Hospital and Division, often interspersed in the same area
• University IT owns and supports the network for the Division
• Some areas also have a network owned and supported by the Hospital
• Some faculty have both networks
• Wireless is a problem

JH Major Initiatives

• Enterprise Directory
• Integrated Network Operating System Directories
• Same/Single Sign-On
• Electronic & paper phone books
• Integrated email systems
• Library resource access
• ERP Project (HopkinsOne)
• Implementation of FERPA, HIPAA and GLB rules

Enterprise Directory

• We initially rolled out our Enterprise Directory in Fall of 2001 using SunOne Directory Server
• We populate our Enterprise Directory with feeds from all of the constituent institutions in Johns Hopkins
• Automatically controls the hires/fires for the Institution
  – Internal Audit and Security management deem this critical for HIPAA compliance
• Enterprise Directory and supporting application provide for a very high level of user self-service, including:
  – User self-registration, forgotten password reset, email provisioning
• Acts as our central authentication database
• Authorization decisions are local
• Foundation of our identity management

Enterprise Directory Challenges

• Contact information and title information have not proven accurate
• Community of users not accustomed to updating Payroll, HR or Student Information systems with new contact information
• Constant challenge to educate users and administrators alike on how/where to update their information
• Enterprise Directory follows the eduPerson standards for the most part
  – Some important deviations that we are working to address

Enterprise Directory Challenges (continued)

• Ownership of data and who is responsible for updating the information
• Not all Systems of Record fully participate – this leads to confusion for some subsets of our user population
• Future SoRs are balking at sending SSN for join purposes
• Divisions that still do not take advantage of the central Enterprise Directory

Network OS Integration

• Since 2003 our central Active Directory tree receives changes, adds & deletes from the Enterprise Directory
• Actively bringing non-centrally supported LANs into our AD
• This effort has been highly successful because of the central control of user objects & passwords and the local control of resources
• Achieved central authentication and delegated resource authorization
• Password synchronization has turned into a significant selling point; it has the effect of simplifying the user experience

Network OS Integration Challenges

• “Losing control” of users
• Synchronization of password rules has been challenging
• Technology challenges
  – Achieving interoperability between Sun & Microsoft
  – Generally our MS people are not Sun people and vice versa
  – Need a person who can understand the broader needs and drive the implementation without regard to technological “religion”

Same Sign/Single Sign On

• Our Enterprise Directory has been the cornerstone of all same sign on initiatives
• Limited password synchronization from the Enterprise Directory to AD only – we do not provide this sort of service to other directories or applications
• Off the shelf LDAP-enabled applications use our Enterprise Directory for authentication
• Just started deployment of our Web Single Sign On product – SiteMinder

Same Sign/Single Sign On Challenges

• Technology curve for implementation of LDAP is not trivial for application developers
• Using WebISO (SiteMinder) to address limitations
  – Very discrete application control of attributes
  – Central credential collectors simplify security requirements on applications
  – Flattens the application implementation curve
• WebISO is still a new technology in our environment, and we’re still uncovering the challenges
• There are resource considerations for retrofitting LDAP-enabled applications to use WebISO

Phone Books

• Our Enterprise Directory has a web front end providing white pages functionality
• In 2003 we tried to produce our paper directory from the data in the Enterprise Directory
  – Discovered undocumented requirements for the paper directory
  – Physician referral directory
• Spotlighted issues with incorrect information in the Enterprise Directory
• Changed strategies to “loosely” couple the paper directory with the Enterprise Directory

Integrated Email Systems

• Two major email systems in use at Johns Hopkins
  – SunOne Messaging
  – Novell GroupWise
• Completed projects to integrate both systems with the Enterprise Directory
  – Provisioning
  – UserId and account management
• Challenges include continued support of 2 major email systems
  – Users aren’t always clear on which system to use

Library Resources

• Libraries license access to different services
• These licenses are tied to campus, and indirectly to the campus community
• We have a large number of people who have affiliations with multiple institutions, and should have aggregate access
• Access to the licensed content has been restricted to IP address ranges
• This extremely blunt approach causes problems – users who shouldn’t have access get access, others have problems accessing content remotely

ERP Project

• The largest IT undertaking ever at Hopkins
• It will unify the human resource and financial functions of our constituent institutions
• Long term project, where tangible benefits will not likely be seen until late 2006
• The effects on identity management cannot be overstated
  – Correct the aforementioned data issues
  – Provide more/better role information for faculty/staff
  – Improve our chances of centralizing authorization based on role (RBAC)

UC Major Initiatives

• ERP projects
• Enterprise Directories
• Communication/Email
• Same & single sign-on
• Institutional password policy
• Access to applications across boundaries
• Data sharing for research

ERP Projects

• Hospital has a 7 year plan to replace clinical systems
• University is replacing some central admin systems over the next several years
• Division is caught in the middle

Enterprise Directory

• Hospital converged on Active Directory
• Division working with central IT to deploy Active Directory University-wide
• Trust relationship between the two will have many advantages
• Challenge of individual fiefdoms

Communication/Email

• Hospital recently consolidated to a single email system (Exchange)
• Residents and Fellows are considered Hospital employees, expected to use Hospital email
• Division still has multiple email providers and technologies
• Maintaining a global address list is challenging
• Secure email is an issue

Same & single sign-on

• Many doctors now have 8 or more IDs and passwords to access clinical systems
• Citrix may provide interim relief on the number of passwords
• Active Directory provides hope for future applications

Institutional Password Policy

• Have a common HIPAA password policy followed by Hospital and Division
• Developing password policy classes

Access to Applications across Boundaries

• Hospital does not want to support clients on Division-owned machines
• Some faculty have two desktops
• Hospital employees do not currently get CNET ids
• Access from home requires VPN

Data Sharing for Research

• Hospital owns data needed for clinical research
• Access is difficult for research purposes
• Lack of infrastructure for sharing data and data management

JH Regulatory Compliance and Audit

• As new applications are rolled out they all must eventually be audited
• A critical audit point is how users are managed
  – Ensure terminated users no longer have access
  – Adequate password controls
• Using our Enterprise Directory eliminates these issues at the application level
• Technically, we are challenged to provide user reports to applications
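As an added illustration (not from the slides, and not either institution's code), the following constructed Python shows the mechanics behind three of the slides at once: the Enterprise Directory slide (feeds from several Systems of Record joined on a person identifier, with hires/fires driven automatically), the Library Resources slide (aggregate access for people with multiple affiliations, rather than an IP-range check), and this audit slide (terminated users flagged for deprovisioning and a per-application user report). The feed rows, affiliation names and license table are all constructed sample data.

```python
# Constructed example, not from the slides: merge System-of-Record feeds into
# one directory population, aggregate affiliations, and derive the audit outputs.
from dataclasses import dataclass, field

# Constructed feed rows: (person_id, affiliation, status). person_id is the
# join key; the slides note new SoRs balk at sending SSN for this purpose.
FEEDS = {
    "hospital_hr": [("p1", "staff", "active"), ("p2", "staff", "terminated")],
    "university_hr": [("p1", "faculty", "active"), ("p3", "staff", "active")],
    "student_sis": [("p3", "student", "active"), ("p4", "student", "active")],
}
# Constructed license table: affiliation -> licensed resources it covers.
LICENSES = {"staff": {"db_a"}, "faculty": {"db_a", "db_b"}, "student": {"db_c"}}

@dataclass
class DirectoryEntry:
    person_id: str
    affiliations: set = field(default_factory=set)  # union across all feeds
    active: bool = False  # True once any feed reports the person as active

def reconcile(feeds, existing_ids):
    """Return (entries, to_disable). Anyone already in the directory or named
    in a feed who is active in no feed is flagged for disabling: this is the
    automated hires/fires control the terminated-user audit point relies on."""
    entries = {pid: DirectoryEntry(pid) for pid in existing_ids}
    for rows in feeds.values():
        for pid, affiliation, status in rows:
            entry = entries.setdefault(pid, DirectoryEntry(pid))
            if status == "active":
                entry.affiliations.add(affiliation)
                entry.active = True
    to_disable = sorted(pid for pid, e in entries.items() if not e.active)
    return entries, to_disable

def user_report(entries, allowed_affiliations):
    """Active users an application may authorise by affiliation: the per-
    application user report auditors ask the directory team to produce."""
    return sorted(pid for pid, e in entries.items()
                  if e.active and e.affiliations & allowed_affiliations)

def licensed_resources(entry, licenses=LICENSES):
    """Aggregate licensed content across all of a person's affiliations,
    instead of deciding from the source IP range."""
    if not entry.active:
        return set()
    return set().union(*(licenses.get(a, set()) for a in entry.affiliations))
```

Running `reconcile(FEEDS, {"p1", "p2", "p5"})` disables p2 (terminated in the only feed that knows them) and p5 (in the directory but in no feed), while p1 and p3 keep the union of their affiliations from two feeds.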

UC Regulatory Compliance and Audit

• Medical Center-wide compliance office with single point of responsibility
• Oversees HIPAA training and other medical compliance requirements
• Audit is separate for Hospital and University