TRANSCRIPT
CAMP Med
Academic Medical Centers: Requirements and Challenges
Dwight Raum, Director Enterprise Services, Johns Hopkins University
Sandra Senti, CIO, Biological Sciences Division, University of Chicago

Copyright Dwight Raum, Sandra Senti, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Topic Overview
• Organizational issues
• Major initiatives
• Audit and regulatory compliance
• Summary
Organization at Johns Hopkins
• Traditionally the Hospital was a separate/distinct institution from the University
• About 6-7 years ago the information technology efforts were merged into IT @ Johns Hopkins
• Unification of IT resources for reasons of cohesion and cost
• Though we are the largest IT organization in the Institution, there are still other divisional IT shops
• Change takes time
One IT Organization
• One Institution – 2 different philosophies
  – Academic computing
    • Shared systems
    • Research
    • Open computing
    • Fewer rules
  – Medical computer information systems
    • Clinical applications
    • Mission critical applications directly affecting patient care
    • All aspects of the computing environment – network, security, database, interfaces and application – must be fault-tolerant and highly available
Progress
• These differences in philosophy and need stayed divergent until about 3-4 years ago
• Internally the organization began to cross over the old boundary lines
• Collaboration across the IT organization really began to take root
• Key initiatives have really begun to erase these boundaries altogether
Organization at University of Chicago
• Hospital is a separate corporation with its own board, but still comes together
• Primary UC medical organization is the Division of Biological Sciences led by Dean
• School of Medicine overlays the Division
• Hospital, Division, & University each have their own IT groups
Organization & Business Drivers
• Hospital – supports clinical medicine and applications, business of the Hospital
• Division – supports some clinical medicine and applications, research, business of the Division
• School of Medicine – supports academic medicine, business of teaching and learning
• University – supports academic and administrative needs of the University
IT Philosophy/Support
• Hospital supports standard hardware with standard software installs
• Division supports broader range of both plus allows flexibility for research
• University supports general tools for entire community
• Not always clear who to call
Shared Physical Facilities
• Large complex is shared by the Hospital and Division, often interspersed in same area
• University IT owns and supports network for the Division
• Some areas also have a network owned and supported by the Hospital
• Some faculty have both networks
• Wireless is a problem
JH Major Initiatives
• Enterprise Directory
• Integrated Network Operating System Directories
• Same/Single Sign-On
• Electronic & paper phone books
• Integrated email systems
• Library resource access
• ERP Project (HopkinsOne)
• Implementation of FERPA, HIPAA and GLB rules
Enterprise Directory
• We initially rolled out our Enterprise Directory in Fall of 2001 using SunOne Directory Server
• We populate our Enterprise Directory with feeds from all of the constituent institutions in Johns Hopkins
• Automatically controls the hires/fires for the Institution
  – Internal Audit and Security management deem this critical for HIPAA compliance
• Enterprise Directory and supporting application provide for a very high level of user self-service including:
  – User self-registration, forgotten password reset, email provisioning
• Acts as our central authentication database
• Authorization decisions are local
• Foundation of our identity management
Enterprise Directory Challenges
• Contact information and title information has not proven accurate
• Community of users not accustomed to updating Payroll, HR or Student Information systems with new contact information
• Constant challenge to educate users and administrators alike on how/where to update their information
• Enterprise Directory follows the eduPerson standards for the most part
  – Some important deviations that we are working to address
Enterprise Directory Challenges
• Ownership of data and who is responsible for updating the information
• Not all Systems of Record fully participate – this leads to confusion for some subsets of our user population
• Future SoRs are balking at sending SSN for join purposes
• Divisions that still do not take advantage of the central Enterprise Directory
Network OS Integration
• Since 2003 our central Active Directory tree receives changes, adds & deletes from the Enterprise Directory
• Actively bringing non-centrally supported LANs into our AD
• This effort has been highly successful because of the central control of user objects & passwords and the local control of resources
• Achieved central authentication and delegated resource authorization
• Password synchronization has turned into a significant selling point; it has the effect of simplifying the user experience
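The slides describe the Enterprise Directory being built from feeds out of every constituent institution, driving hires and fires automatically, and pushing adds, changes and deletes into the central Active Directory tree. The following is an added illustration of that pipeline written for this transcript; it is not Johns Hopkins code. Every feed record, uid, source name and AD account is constructed. One thing the slides do not describe but the "SoRs balking at sending SSN" challenge invites is assumed here: each System of Record sends a keyed hash of the SSN (an HMAC under a shared secret) as the join key, so the feeds still join on a stable value while the directory never holds the raw SSN.

```python
"""Feed reconciliation for an enterprise directory and the add/change/disable
set pushed to a downstream Active Directory.  Added illustration for this
transcript, not Johns Hopkins code; every feed record, uid and attribute name
below is constructed."""
import hashlib
import hmac

# Assumption (not described in the slides): each System of Record sends a keyed
# hash of the SSN rather than the SSN itself, so feeds still join on a stable
# key while the directory never stores the raw SSN.  The key is a constructed
# placeholder; a real deployment would manage it as a shared secret.
JOIN_SECRET = b"constructed-shared-secret"


def join_id(ssn: str) -> str:
    """Pseudonymous join key: truncated HMAC-SHA256 of the SSN."""
    return hmac.new(JOIN_SECRET, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def merge_feeds(feeds: dict) -> dict:
    """Join per-institution feeds into {uid: {name, affiliations, active}}.

    A person is active while ANY source still reports them active; once every
    source reports 'terminated' the entry becomes inactive (the 'fires' path).
    """
    by_join = {}
    for source, records in feeds.items():
        for rec in records:
            entry = by_join.setdefault(rec["join"], {
                "uid": rec["uid"], "name": rec["name"],
                "affiliations": set(), "statuses": [],
            })
            entry["affiliations"].add(f"{rec['affiliation']}@{source}")
            entry["statuses"].append(rec["status"])
    return {
        e["uid"]: {
            "name": e["name"],
            "affiliations": frozenset(e["affiliations"]),
            "active": any(s == "active" for s in e["statuses"]),
        }
        for e in by_join.values()
    }


def plan_ad_changes(ad_accounts: dict, directory: dict) -> dict:
    """Diff the directory (desired state) against current AD accounts.

    ad_accounts: {uid: {"name", "affiliations", "enabled"}}.  Returns the
    uids to create, update and disable; disabling rather than deleting keeps
    the audit trail for terminated users.
    """
    adds, changes, disables = [], [], []
    for uid, entry in directory.items():
        acct = ad_accounts.get(uid)
        if not entry["active"]:
            if acct and acct["enabled"]:
                disables.append(uid)
            continue
        if acct is None:
            adds.append(uid)
        elif (not acct["enabled"]
              or acct["name"] != entry["name"]
              or frozenset(acct["affiliations"]) != entry["affiliations"]):
            changes.append(uid)
    # Enabled AD accounts that no System of Record knows about were created
    # locally and sit outside hire/fire control; flag them for disable too.
    for uid, acct in ad_accounts.items():
        if uid not in directory and acct["enabled"]:
            disables.append(uid)
    return {"add": sorted(adds), "change": sorted(changes), "disable": sorted(disables)}


# Constructed feeds; the SoR computes join_id() before sending.
FEEDS = {
    "university_hr": [
        {"join": join_id("000-00-0001"), "uid": "adoe1", "name": "A. Doe",
         "affiliation": "faculty", "status": "active"},
        {"join": join_id("000-00-0002"), "uid": "bcho2", "name": "B. Cho",
         "affiliation": "staff", "status": "terminated"},
    ],
    "hospital_hr": [
        {"join": join_id("000-00-0001"), "uid": "adoe1", "name": "A. Doe",
         "affiliation": "physician", "status": "active"},
        {"join": join_id("000-00-0003"), "uid": "cnguyen3", "name": "C. Nguyen",
         "affiliation": "nurse", "status": "active"},
    ],
    "student_system": [
        {"join": join_id("000-00-0004"), "uid": "dkim4", "name": "D. Kim",
         "affiliation": "student", "status": "active"},
    ],
}

# Constructed snapshot of the AD tree before this sync run.
AD_ACCOUNTS = {
    "adoe1": {"name": "A. Doe", "affiliations": {"faculty@university_hr"}, "enabled": True},
    "bcho2": {"name": "B. Cho", "affiliations": {"staff@university_hr"}, "enabled": True},
    "eold5": {"name": "E. Old", "affiliations": {"contractor@local"}, "enabled": True},
}


def run_sync() -> dict:
    return plan_ad_changes(AD_ACCOUNTS, merge_feeds(FEEDS))


if __name__ == "__main__":
    for action, uids in run_sync().items():
        print(f"{action}: {', '.join(uids) or '-'}")
```

Running it plans two creates (the nurse and the student seen only in their own institution's feed), one update (the faculty member who also picked up a hospital affiliation) and two disables: the terminated staff member, and the locally created account that no feed vouches for. That last case is the one the "central control of user objects" point buys you: a downstream account that nothing upstream owns is visible precisely because the sync is authoritative.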
Network OS Integration Challenges
• “Losing control” of users
• Synchronization of password rules has been challenging
• Technology challenges
  – Achieving interoperability between Sun & Microsoft
  – Generally our MS people are not Sun people and vice-versa
  – Need a person who can understand the broader needs and drive the implementation without regard to technological “religion”
Same Sign/Single Sign On
• Our Enterprise Directory has been the cornerstone of all same sign on initiatives
• Limited password synchronization from the Enterprise Directory to AD only – we do not provide this sort of service to other directories or applications
• Off the shelf LDAP enabled applications use our Enterprise Directory for authentication
• Just started deployment of our Web Single Sign on product - SiteMinder
Same Sign/Single Sign On Challenges
• Technology curve for implementation of LDAP is not trivial for application developers
• Using WebISO (SiteMinder) to address limitations
  – Very discrete application control to attributes
  – Central credential collectors simplify security requirements on applications
  – Flattens the application implementation curve
• WebISO is still a new technology in our environment, and we’re still uncovering the challenges
• There are resource considerations for retrofitting LDAP enabled applications to use WebISO
Phone Books
• Our Enterprise Directory has a web front end providing white pages functionality
• In 2003 we tried to produce our paper directory from the data in the Enterprise Directory
  – Discovered undocumented requirements for the paper directory
  – Physician referral directory
• Spotlighted issues with incorrect information in the Enterprise Directory
• Changed strategies to “loosely” couple the paper directory with the Enterprise Directory
Integrated Email Systems
• Two major email systems in use at Johns Hopkins
  – SunOne Messaging
  – Novell GroupWise
• Completed projects to integrate both systems with the Enterprise Directory
  – Provisioning
  – UserId and account management
• Challenges include continued support of 2 major email systems
  – Users aren’t always clear on which system to use
Library Resources
• Libraries license access to different services
• These licenses are tied to campus, and indirectly to the campus community
• We have a large number of people who have affiliations with multiple institutions, and should have aggregate access
• Access to the licensed content has been restricted to IP address ranges
• This extremely blunt approach causes problems – users who shouldn’t have access get access, others have problems accessing content remotely
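To make the two failure modes of IP-range licensing concrete, here is an added illustration (not the library's or either institution's code) that evaluates the same requests under the IP rule and under an affiliation rule driven by directory attributes. The campus ranges are RFC 5737 documentation addresses, and the licences, affiliation names and requests are all constructed; the `institution:role` affiliation format is an assumption chosen so that a person with several institutions keeps all of them and gets the aggregate access the slide asks for.

```python
"""IP-range licence enforcement beside affiliation-based enforcement, so the
two failure modes can be seen side by side.  Added illustration, not the
library's or Johns Hopkins' code; the ranges (RFC 5737 documentation space),
licences and requests are constructed."""
import ipaddress

# Constructed campus ranges the IP-based rule trusts.
CAMPUS_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed licences, each tied to one institution's community.  Affiliations
# are written institution:role so a person with several institutions keeps all of them.
LICENSES = {
    "general-library-db": {"university:faculty", "university:staff", "university:student"},
    "clinical-journal-db": {"hospital:physician", "hospital:nurse"},
}


def allowed_by_ip(client_ip: str) -> bool:
    """The blunt rule: anyone inside a campus range is allowed, anyone outside is not."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in CAMPUS_RANGES)


def allowed_by_affiliation(resource: str, affiliations) -> bool:
    """Directory-driven rule: the person holds an affiliation the licence covers."""
    return bool(LICENSES[resource] & set(affiliations))


def entitled_resources(affiliations) -> list:
    """Aggregate entitlement across every institution the person belongs to."""
    return sorted(r for r in LICENSES if allowed_by_affiliation(r, affiliations))


def decide(resource: str, client_ip: str, affiliations) -> dict:
    return {
        "ip_rule": allowed_by_ip(client_ip),
        "affiliation_rule": allowed_by_affiliation(resource, affiliations),
    }


# Constructed requests against the general library database.
REQUESTS = {
    "visitor on campus network": ("192.0.2.77", set()),
    "faculty member at home": ("203.0.113.9", {"university:faculty"}),
    "faculty member on campus": ("192.0.2.10", {"university:faculty"}),
}


def compare_rules(resource: str = "general-library-db") -> dict:
    return {label: decide(resource, ip, aff) for label, (ip, aff) in REQUESTS.items()}


if __name__ == "__main__":
    for label, outcome in compare_rules().items():
        print(f"{label:28} ip_rule={outcome['ip_rule']!s:5} "
              f"affiliation_rule={outcome['affiliation_rule']}")
    print(entitled_resources({"university:faculty", "hospital:physician"}))
```

The first request is the "users who shouldn't have access get access" case (a visitor on the campus network passes the IP rule and fails the affiliation rule); the second is the remote-access complaint in reverse. The last line shows a dual-affiliated person being entitled to both licences at once, which the per-campus IP approach cannot express.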
ERP Project
• The largest IT undertaking ever at Hopkins
• It will unify the human resource and financial functions of our constituent institutions
• Long term project, where tangible benefits will not likely be seen until late 2006
• The effects on identity management cannot be overstated
  – Correct the aforementioned data issues
  – Provide more/better role information for faculty/staff
  – Improve our chances of centralizing authorization based on role (RBAC)
UC Major Initiatives
• ERP projects
• Enterprise Directories
• Communication/Email
• Same & single sign-on
• Institutional password policy
• Access to applications across boundaries
• Data sharing for research
ERP Projects
• Hospital has 7 year plan to replace clinical systems
• University is replacing some central admin systems over next several years
• Division is caught in the middle
Enterprise Directory
• Hospital converged on Active Directory
• Division working with central IT to deploy Active Directory University-wide
• Trust relationship between the two will have many advantages
• Challenge of individual fiefdoms
Communication/Email
• Hospital recently consolidated to a single email system (Exchange)
• Residents and Fellows are considered Hospital employees, expected to use Hospital email
• Division still has multiple email providers and technologies
• Maintaining a global address list is challenging
• Secure email is an issue
Same & single sign-on
• Many doctors now have 8 or more IDs and passwords to access clinical systems
• Citrix may provide interim relief on number of passwords
• Active directory provides hope for future applications
Institutional Password Policy
• Have a common HIPAA password policy followed by Hospital and Division
• Developing password policy classes
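Both halves of the talk touch the same problem from different sides: Hopkins found synchronizing password rules between the Enterprise Directory and AD hard, and Chicago is developing password policy classes on top of a shared HIPAA policy. The block below is an added illustration for this transcript, not code from either institution. It models a policy class as data, derives the combined class a synchronized password must satisfy (strictest rule from each target, so the directory rejects at change time what AD would otherwise reject after the sync), and checks candidate passwords against a class. The three policies and all their numbers are constructed.

```python
"""Password policy classes and the combined policy a synchronized password must
meet.  Added illustration for the transcript's password synchronization and
policy-class points, not code from either institution; the three policies
and their numbers are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_char_classes: int      # of: lowercase, uppercase, digit, symbol
    max_age_days: int
    banned_substrings: tuple = ()


def combine(*policies: PasswordPolicy) -> PasswordPolicy:
    """Strictest rule from each policy.  A password synchronized from the
    enterprise directory into AD must satisfy both targets, so the directory
    enforces this combined class at change time rather than letting AD
    reject the synced value later."""
    return PasswordPolicy(
        name="+".join(p.name for p in policies),
        min_length=max(p.min_length for p in policies),
        min_char_classes=max(p.min_char_classes for p in policies),
        max_age_days=min(p.max_age_days for p in policies),
        banned_substrings=tuple(sorted({s for p in policies for s in p.banned_substrings})),
    )


def char_classes(password: str) -> int:
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pat in patterns if re.search(pat, password))


def check(policy: PasswordPolicy, password: str, username: str = "") -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(password) < policy.min_char_classes:
        problems.append(f"fewer than {policy.min_char_classes} character classes")
    lowered = password.lower()
    banned = policy.banned_substrings + ((username.lower(),) if username else ())
    for s in banned:
        if s in lowered:
            problems.append(f"contains '{s}'")
    return problems


# Constructed policy classes: a general class shared by the directory and AD,
# and a stricter class for accounts on clinical systems.
DIRECTORY_POLICY = PasswordPolicy("enterprise-directory", 8, 3, 180, ("password",))
AD_POLICY = PasswordPolicy("active-directory", 8, 3, 90)
CLINICAL_POLICY = PasswordPolicy("clinical-class", 12, 4, 60, ("password", "hospital"))

SYNC_POLICY = combine(DIRECTORY_POLICY, AD_POLICY)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor!", "Password123!", "adoe1adoe1"):
        print(pw, check(SYNC_POLICY, pw, username="adoe1") or "ok",
              "| clinical:", check(CLINICAL_POLICY, pw, username="adoe1") or "ok")
```

The combined class takes the 90-day maximum age from AD and the banned-substring list from the directory, which is the kind of detail that otherwise surfaces as a synced password silently failing on one side. Keeping each class as data also makes the clinical class easy to assign to the accounts the HIPAA policy covers without forking the checker.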
Access to Applications across Boundaries
• Hospital does not want to support clients on Division owned machines
• Some faculty have two desktops
• Hospital employees do not currently get CNET ids
• Access from home requires VPN
Data Sharing for Research
• Hospital owns data needed for clinical research
• Access is difficult for research purposes
• Lack of infrastructure for sharing data and data management
JH Regulatory Compliance and Audit
• As new applications are rolled out they all must eventually be audited
• A critical audit point is how users are managed
• Ensure terminated users no longer have access
• Adequate password controls
• Using our Enterprise Directory eliminates these issues at the application level
• Technically, we are challenged to provide user reports to applications
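The audit points named on this slide (terminated users who still have access, password controls, and the per-application user report auditors ask for) can all be answered from the directory once an application's account list is exported. The block below is an added illustration of that check written for this transcript, not Johns Hopkins code; the directory snapshot, application names, account lists, dates and the 90-day password-age threshold are all constructed.

```python
"""Audit report for an application's user list against the enterprise
directory: terminated users still provisioned, local accounts outside
hire/fire control, and stale passwords.  Added illustration for this
transcript, not Johns Hopkins code; the directory snapshot, application
names and account lists are constructed."""
from datetime import date

# Constructed directory snapshot keyed by uid.
DIRECTORY = {
    "adoe1":    {"active": True,  "terminated_on": None,              "pw_last_set": date(2005, 4, 2)},
    "bcho2":    {"active": False, "terminated_on": date(2005, 1, 15), "pw_last_set": date(2004, 11, 3)},
    "cnguyen3": {"active": True,  "terminated_on": None,              "pw_last_set": date(2004, 9, 20)},
}

# Constructed account lists as each application would export them to audit.
APP_ACCOUNTS = {
    "clinical-app": ["adoe1", "bcho2", "svc_legacy"],
    "ldap-enabled-app": ["adoe1", "cnguyen3"],
}


def audit_app(accounts, directory, today: date, max_pw_age_days: int = 90) -> list:
    """Return (uid, finding) pairs for the accounts an auditor would question."""
    findings = []
    for uid in accounts:
        entry = directory.get(uid)
        if entry is None:
            findings.append((uid, "no enterprise directory entry: local account outside hire/fire control"))
        elif not entry["active"]:
            findings.append((uid, f"terminated on {entry['terminated_on'].isoformat()} but still provisioned"))
        elif (today - entry["pw_last_set"]).days > max_pw_age_days:
            findings.append((uid, f"password older than {max_pw_age_days} days"))
    return findings


def user_report(accounts, directory) -> list:
    """The per-application user report: who has an account, their directory
    status, and whether the directory or the application governs the account."""
    rows = []
    for uid in accounts:
        entry = directory.get(uid)
        rows.append({
            "uid": uid,
            "status": "local-only" if entry is None else ("active" if entry["active"] else "terminated"),
            "governed_by": "application" if entry is None else "enterprise-directory",
        })
    return rows


def audit_all(today: date = date(2005, 6, 1)) -> dict:
    return {app: audit_app(accts, DIRECTORY, today) for app, accts in APP_ACCOUNTS.items()}


if __name__ == "__main__":
    for app, findings in audit_all().items():
        print(app)
        for uid, why in findings:
            print(f"  {uid}: {why}")
```

For the LDAP-enabled application the password-age finding is really a directory finding, since that application has no password store of its own; that is the sense in which the slide says the Enterprise Directory removes these issues at the application level. The local service account on the clinical application is the residual case the directory cannot see, which is why the user report flags who governs each account rather than just listing names.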