Transforming Logical Access Control for a Hospital Network
Session 408, March 7, 2018
Scott Ellis, Interim CISO, St. Luke’s University Health Network
Andrew Tarbox, CEO, Thornebrook, LLC
Conflict of Interest
Scott Ellis, CISSP, HCISPP, PCIP
Andrew Tarbox, B.S.
Have no real or apparent conflicts of interest to report.
Agenda
• St. Luke’s Then and Now
• Access Control System Goals
• Identity Management Overview
• IDAM is a Program not a Project
• Strategy and Approach
• Lessons Learned
• Round Table Discussions
Learning Objectives
• Analyze the time and budget required to transform a hospital system to automated access control
• Explain the value of a hybrid access control model that combines Role Based and Attribute Based Access Control (RBAC + ABAC)
• Perform an analysis of the number, type and access requirements of the organization’s applications
• Illustrate a methodology to build a comprehensive organizational chart and reporting structure
• Discuss the differences between job titles and access roles and attributes
Transforming Logical Access Control for a Hospital Network
HIMSS 2018
Proud Heritage at St. Luke’s
• Founded March 1872
• Oldest Nursing School in the Country - Established 1884
St. Luke’s Today
• 7 Major Campuses - Acquiring 2 more Hospitals in early 2018
• 350 Locations, 14,000+ Staff, 1,000+ Students – Full Teaching Hospital
• St. Luke's is a Stage 7 HIMSS Analytics EMR Adoption Model hospital
• Covering Eastern Pennsylvania and Western New Jersey
Staffing by Major Groups (chart): Clinical, Admin, Education
Headcount by General Ledger Coding (chart): Campuses, Admin - IT, St Luke’s Physicians Group
Access Control System Goals
• Improved Security
• Privacy Enhancing
• Easier To Use
• More Efficient
• Cost Effective
Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Authentication
• Single Sign On
• Password Services
• Multi Factor Authentication
• Device Management
Authorization
• Role & Attribute Based Access
• Provisioning
• Audit and Review
User Management
• Delegated Administration
• User and Role Management
• Provisioning
• Password Management
Central User Repository
• Integration directly to Workday
• Organized Directory
• Data Synchronization
• Link with applications and systems
Identity and Access Management (diagram)
Source: The Hong Kong Polytechnic University
Benefits of Identity and Access Management
• 95% increase in productivity in account activity
• One username and password - Extends SSO capability to software, cloud services, web and virtual applications
• 80% reduction in security risk caused by unmanaged user access
• Clearly defined and segregated business roles
• Proactive and secure response to BYOD access to the network
• Increased visibility and clarity into change control process
• Improved Audit and Compliance
IDAM is a Program, not a Project
• Impacts EVERYONE – A Corporate Program
• As much a business change as a technical change
– This is not an IT Program
– Involve Stakeholders across the organization - Our Governance Committee meets monthly
– Inform and continually advise senior management
• Implementing a full IDAM system is a journey
• Time is our friend
– Seeking quick results can lead to disaster
• Think of this as a sweeping program
– With a number of significant projects
Program Timeline
• Estimated Three Year Program
• Four Major Phases
– Planning and Preparation
– Deployment
• Epic – A Separate Project Within Deployment
– Optimize
– Maintenance
Timeline chart (Jun 2017 through Dec 2019, by month): Plan & Prep, Deploy, Optimize, Maintenance
5 Year Budget
| Item | Amount |
| --- | --- |
| Identity, Access Management, Governance Software | $750,000 |
| Staff Realignment – 10 people @ $90K/year (fully loaded) | -$4,500,000 |
| Savings | $3,750,000 |
Deployment Process
Diagram stages: Learn, Policy, Pilot, Deploy, Evaluate, Advise. Tracks can be overlapped.
Source: Thornebrook Associates
Waterfall vs Agile
• It’s a moving target
• You will never know enough to write the plan
• Gather the data
• Go with the flow
• Demonstrate Success
• Know the end goal
• Optimize later
RBAC / ABAC Hybrid Solution
• Roles are not enough
– Roles alone will yield thousands of roles
• You also need attributes
– Location
– Certifications
– Department
• Role + Attributes = Manageable Access Control
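An added illustration of the hybrid model on this slide (example code, not the presenters' or St. Luke's own): roles carry a baseline, attribute rules such as location, department and certification add the rest, and the same policy expressed as pure roles needs one role per distinct entitlement set. All role names, entitlements and the user population are constructed sample data.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass(frozen=True)
class User:
    name: str
    role: str                 # job role from HR, e.g. "RN"
    location: str             # campus attribute
    department: str
    certifications: frozenset = field(default_factory=frozenset)

# RBAC layer: baseline entitlements per role (constructed sample data).
ROLE_ENTITLEMENTS = {
    "RN": {"ehr:chart-read", "ehr:chart-write", "email"},
    "Pharmacist": {"ehr:chart-read", "pharmacy:dispense", "email"},
    "Volunteer": {"email"},
}

# ABAC layer: entitlements gated on role AND attributes, so one rule covers
# every campus/department instead of one role per combination.
ATTRIBUTE_RULES = [
    ("onc:chemo-orders", lambda u: u.role == "RN"
        and u.department == "Oncology" and "ONC" in u.certifications),
    ("lab:warren-analyzer", lambda u: u.location == "Warren"),
]

def entitlements(user: User) -> set[str]:
    """Role baseline plus every attribute rule the user satisfies."""
    granted = set(ROLE_ENTITLEMENTS.get(user.role, set()))
    granted.update(ent for ent, pred in ATTRIBUTE_RULES if pred(user))
    return granted

def is_allowed(user: User, entitlement: str) -> bool:
    return entitlement in entitlements(user)

def pure_rbac_role_count(users) -> int:
    """Roles a roles-only model needs for this population: one per distinct
    entitlement set in use (this is what grows into thousands of roles)."""
    return len({frozenset(entitlements(u)) for u in users})

def hybrid_policy_size() -> int:
    return len(ROLE_ENTITLEMENTS) + len(ATTRIBUTE_RULES)  # objects to maintain

# Constructed population: three roles spread over campuses, departments, certs.
SAMPLE_USERS = [
    User(f"u{i}", role, loc, dept, frozenset(certs))
    for i, (role, loc, dept, certs) in enumerate(product(
        ("RN", "Pharmacist", "Volunteer"), ("Bethlehem", "Warren"),
        ("Oncology", "Cardiology"), ((), ("ONC",))))
]
```

For the 24 constructed users the hybrid policy is 5 maintained objects, while a roles-only model would already need 8 roles; real populations with many more roles and attribute values widen that gap quickly.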
Determining Roles is a Challenge
• Job Profiles are a bit of a mess
– Cleanup under way by HR
– Job Profile mixed with other Attributes
• General Ledger Codes plus attributes are cleaner
– Location(s)
– Supervisor(s)
– Options from Supervisor
Simple to Complex Access
We will apply lessons learned early from simple small departments to more complex and larger departments later in the deployment.
Diagram labels: RN, Warren, Oncology, Internal Epic Attributes, Small to Large Groups, Maintenance
Current Access Request Methods
| Users | Requester | Process |
| --- | --- | --- |
| Employees - SLUHN | Any Manager | Service Now Onboarding Form |
| Employees - SLPG | Any Manager | Web Form/Paper Process |
| Non-Employed Credentialed Staff | Medical Affairs | Paper Process |
| Contractors | Any Manager | Paper Process |
| Volunteers | Volunteer Services | Paper Process |
| Students | Dept of Medical Education, Nursing Services, Volunteer Services, Physician Services, and Medical Affairs | Paper Process |
| Community Referring Physicians | Medical Affairs | Paper Process |
| Vendors | Any Manager | Paper Process |
Fine Grained Access Control
• Many Applications have access control within the application – Fine Grained Control
– Epic, MSCM, Finance, ServiceNow
• Where possible – do this in the optimization phase
– Time consuming
– Requires connectors and more
– May require a lot of input from Managers
• The Big Apps have a small team managing the App
– Lots of nuances and exceptions
Lessons Learned – So Far
• Take time to understand and plan
– Know the adversary – Lack of Knowledge
• HR will not solve the Role Challenge
• One Source of Truth but many Authoritative Sources
– Workday – HR System is our Source of Truth
– Epic, Echo, Active Directory, ServiceNow and more have important data
• If Possible, One Unique Identity per Person
• Meet Face to Face with Application Owners
• Meet Face to Face with Department Managers
Round Table Discussion
Source of Truth & Authoritative Sources
• Source of Truth – HR System – Workday
– Job Title
– Cost Center
– Supervisor
• Authoritative Sources
– Epic
– Echo
– ServiceNow
– Active Directory
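An added example (not code from the presenters or St. Luke's) of the "one Source of Truth, many Authoritative Sources" rule above and in the lessons-learned slide: each attribute has exactly one owning system, the owner's value is the only one written into the identity, and a differing copy held by any other system is flagged as a conflict for review rather than merged. The owner mapping, system names, attribute names and feed records are constructed assumptions.

```python
from dataclasses import dataclass, field

# Attribute -> system allowed to assert it (constructed mapping that follows
# the slide: Workday owns HR facts, other systems own their own data).
OWNER = {
    "job_title": "Workday", "cost_center": "Workday", "supervisor": "Workday",
    "credential_status": "Echo",          # medical staff credentialing
    "epic_template": "Epic",
    "samaccountname": "ActiveDirectory",
}

@dataclass
class Identity:
    person_id: str
    attributes: dict = field(default_factory=dict)
    conflicts: list = field(default_factory=list)  # (attr, system, theirs, authoritative)

def build_identities(feeds: dict[str, list[dict]]) -> dict[str, Identity]:
    """feeds maps system name -> records sharing a 'person_id' key. The owner's
    value is taken as-is; a differing copy in any other system becomes a
    conflict for review, never an overwrite. Unowned attributes are ignored."""
    identities: dict[str, Identity] = {}
    # Pass 1: seed each attribute from the system that owns it.
    for system, records in feeds.items():
        for rec in records:
            ident = identities.setdefault(rec["person_id"], Identity(rec["person_id"]))
            for attr, value in rec.items():
                if attr != "person_id" and OWNER.get(attr) == system:
                    ident.attributes[attr] = value
    # Pass 2: check every non-owner copy against the authoritative value.
    for system, records in feeds.items():
        for rec in records:
            ident = identities[rec["person_id"]]
            for attr, value in rec.items():
                if attr == "person_id" or OWNER.get(attr) == system:
                    continue
                if attr in ident.attributes and ident.attributes[attr] != value:
                    ident.conflicts.append((attr, system, value, ident.attributes[attr]))
    return identities

# Constructed feeds for one person: Epic still carries a stale job title.
SAMPLE_FEEDS = {
    "Workday": [{"person_id": "100123", "job_title": "Registered Nurse",
                 "cost_center": "4410-Oncology", "supervisor": "100042"}],
    "Epic": [{"person_id": "100123", "job_title": "RN", "epic_template": "ONC_RN"}],
    "ActiveDirectory": [{"person_id": "100123", "samaccountname": "jdoe",
                         "job_title": "Registered Nurse"}],
    "Echo": [{"person_id": "100123", "credential_status": "Active"}],
}
```

The conflict list is what a periodic reconciliation job would hand to the application owner: Workday's title stands, and Epic's stale copy is a finding, not a competing source.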
Strategy - Empowering Managers
• Managers are the front line to success
• Follows the current model and process
– Current 5 page online form to select applications for their staff
– In the future much shorter – only options that are relevant
• Managers know what their staff needs
– Default applications that fit the role and attributes
– Select other applications that are options for that department
• Managers will attest to access requirements
– Periodically
Do you know what applications you have? How many to support automatically?
Chart: 246 Major Applications to Migrate; 250+ Unknown Applications; Level 1 – Most Critical
Source: St. Luke’s Internal Data
How will you Approach IAM?
• Business change or IT
• Project or Program
• How long will it take?
What are your Goals?
• Improved Security
• Privacy Enhancing
• Easier To Use
• More Efficient
• Cost Effective
Scott Ellis
Interim CISO
St. Luke’s University Health Network
Andrew Tarbox
CEO
Thornebrook, LLC
Mobile 518-301-0731