Identity Management: Front and Center for Healthcare Providers

SailPoint Technologies Confidential & Proprietary Do Not Distribute

Welcome

Thank you for attending today’s webinar.

The webcast is being recorded and will be available shortly after the event.

Webcast audio is in listen-only mode. You can communicate via the GoToWebinar question panel.

Glossary of Terms

IDENTITY GOVERNANCE – Next-Generation approach to identity management that goes beyond provisioning, allowing clients to sustainably govern how they manage access. Enabling organizations to determine who has access to what resources, if that access is appropriate and if it threatens security or compliance posture.

ROLE LIFECYCLE MANAGEMENT (RLM) – Process that enables organizations to mine, map, manage and report on the complex relationships of users, business rules and the entitlements assigned to them within the IT infrastructure.

PREVENTATIVE AND DETECTIVE CONTROLS – Preventative controls are designed to keep errors or irregularities from occurring in the first place. Detective controls are designed to detect errors and irregularities which have already occurred and to assure their prompt correction.

Agenda

Speaker Introductions

Healthcare Providers
  Changing Landscape of Business and IT
  Identity and Access Management Business Drivers

Case Study: Presbyterian Healthcare Services
  IAM Journey
  IAM Revelation and Program
  Lesson Learned

A Word from Our Sponsors

Speakers

Andrew Ames, VP Marketing, Logic Trends

Larry Wolf, Regional Director, Logic Trends

Aaron Frankel, Security Operations Manager, Presbyterian Health Systems

Jackie Gilbert, VP Marketing & Founder, SailPoint

Company Overview

National services, consulting and systems integration firm focused on Security, Identity and Access Management (IAM)

Proven, repeatable IAM deployment methodology: IAM5™

Hundreds of successful IAM Engagements executed in nearly every industry

Regional offices: Atlanta, Dallas, Chicago, New York

New Mexico’s only private, non-profit healthcare system serving over 700,000 patients at over 30 different clinics and 7 hospitals

Largest health care provider and managed care organization in New Mexico

Fastest growing physician group, employing more than 500 physicians and practitioners

Award-winning identity governance software, SailPoint IdentityIQ™, provides superior visibility into and control over user access to sensitive applications and data while streamlining the access request and delivery process

Helps the world’s largest organizations to mitigate risk, reduce IT costs and ensure compliance

Customers include top healthcare, pharmaceutical, health/life insurers, financial services, property & casualty insurers, and other highly regulated industries

IAM BUSINESS DRIVERS FOR HEALTHCARE PROVIDERS

Section 1

Business Drivers for Healthcare Providers

Risk and Compliance
CURRENT STATE: HIPAA audit; HHS Oversight; HITRUST Maturity & CSF, SAS70

End User Experience
CURRENT STATE: Clinician survey results: #1 request: Simplified app access. Approx. 40% of help desk calls were password reset.

Operational Efficiency
CURRENT STATE: IT teams pale in comparison to corporate standards. HITECH driving more IT adoption. Increased security scrutiny.

Meaningful Use
CURRENT STATE: 30% of Stage 1 Meaningful Use Criteria are IAM related. Increased scrutiny and penalties assoc with HIPAA alignment.

Healthcare Provider Industry Survey Results

Industry survey provided by Zoomerang Polled 600 healthcare decision makers

[Chart: “What is your greatest security concern?” Response categories: Inadequate application access security; Breach of confidential information; Unauthorized access to clinical applications and patient data; Audit failure; Other. Values shown: 10%, 38%, 38%, 10%, 4%.]

[Chart: “How much do HIPAA/HITECH drive your organization’s IT purchasing decision?” Response categories: They aren't considered very much; They aren't a factor at all; They are the primary drivers; They are an influence; They are strongly considered. Values shown: 1%, 2%, 15%, 29%, 53%.]

Direct correlation between “security concerns” and purchasing decisions.

Top 3 IAM Drivers for Healthcare Providers

70% of registered attendees identified:
1. Improved user experience
2. Automated user lifecycle mgmt
3. Tighter compliance related controls

PRESBYTERIAN HEALTHCARE SERVICES’ CASE STUDY

Section 2

Company Overview

Established in 1908, New Mexico’s largest non-profit healthcare system, largest health care provider and largest managed care organization with:

  7 hospitals and 40 clinics
  Over 9,000 employees, including 500+ physicians & clinicians and 3,000+ contractors
  Over 700,000 patients generating over 1.2M visits/yr
  Top 10 integrated healthcare delivery network

INDUSTRY, PERSONNEL AND COMMUNITY EXCELLENCE

IAM Journey @ PHS

2008 2009 2010 2011

Influential and vocal Cardiology Group seeks to invest heavily in IT to improve patient care. Heart Glass (single pane) initiative begins to address patient data management for cardiology physicians. Auditors seek more granular insight into access and IT controls.

PHS seeks to address several business & IT requirements with IAM. Conducts internal discovery, and interfaces with IT analyst. Initial focus was technical in nature, with an appetite for eProvisioning.

PHS’ users clamor for improved experience and self-service. IT and Security collaborate to build upon the IAM platform to enable these end-user services.

ARRA & HITECH Act provide PHS with a renewed vision on simplification, both infrastructure and clinical IT.

Multiple PHS groups collaborate to understand and define key IT, audit, security, clinical and business goals, and the role of IAM. Logic Trends works as advisor to establish program that aligns with key initiatives.

PHS looks to further leverage the eProvisioning platform and introduces Patient Context Management to support data integration of several key clinical applications.

IAM Revelation & Goals

2008 2009 2010 2011

Influential and vocal Cardiology Group seeks to invest heavily in IT to improve patient care. Heart Glass (single pane) initiative begins to address patient data management for cardiology physicians. Internal and external audit seek more granular insight to access and IT Controls.

Presbyterian Healthcare seeks to address several business & IT requirements with IAM…conducts internal discovery, purchases and implements a solution. Initial focus was technical in nature, with an appetite for eProvisioning.

PHS’s user community clamors for improved experience and self-service. IT and Security collaborate to build upon the IAM platform to enable these end-user services.

ARRA & Health Information Technology for Economic and Clinical Health (HITECH) Act provides PHS with a renewed vision on simplification, both infrastructure and clinical IT.

PHS looks to further leverage the eProvisioning platform and introduce Context Management, supporting the data integration of several key clinical applications.

IAM is a business challenge first and a technology issue, second. What does the business need?

Multiple PHS groups collaborate to understand and define key IT, Audit, Security, Clinical and Business goals, and the role of IAM. Logic Trends works as advisor to establish program that aligns with key initiatives.

Enable simplified access reporting and demonstration of IT controls to best support the many needs of Audit

Expose user-friendly entitlements to business users so access decisions can be made efficiently and effectively

Automate application access based on authoritative user events, to create agility and speed when dealing with patient-care

Improve and simplify the user experience thereby empowering users with the tools to do their job

Mature the IT, Identity and Application infrastructure to enable more rapid adoption of solutions

IAM Program Development

With a clear understanding of the business needs, PHS set out to align the proper activities

Leveraging the Logic Trends IAM5 methodology, PHS embraced:

Phased approach with prioritization of initiatives

Data & process focus first

Maturity model to enable future functionality

Business case and frequent solution release schedule

Role Development

“smart” eProvisioning of new users based upon roles

Full user lifecycle with approval and controls

Zero-day user and application enablement

Enterprise risk management

Strengthen IT controls

Compliance reporting alignment

IAM Program Execution

Phase 1

Phase 2

Phase 3

Top Down (business) and Bottom-Up (app / entitlement) analysis

Business and technical role development (model)

Policy alignment with role and business functions

Business-aligned definition of “Who Has (and needs) Access to What”

Flexible yet accountable model for identity and access management

Least privilege without role explosion

Applications

Managers

FUNCTIONALITY BUSINESS VALUE

Enterprise identity data collection, reconciliation & cleansing

Defining “Who Has Access to What”

Policy awareness and definition

User access certification

Identity, access & entitlement maturity

Enhanced IT controls

Audit alignment

IAM platform enabler

End user empowerment & efficiency

Lessons Learned

IAM is always evolving and the business will remain dynamic… remain agile and annually assess priorities, technology and alignment

Focus on your data & entitlements first (who has access to what). Everything else in your IAM program builds upon that.

Quick Wins are critical for maintaining momentum and organizational support for Identity and Access Management initiatives.

Develop an IAM strategy, and seek support and contributions from key business and clinical stakeholders.

Experienced partners can help navigate the process to ensure objectives are met.

A WORD FROM OUR SPONSORS

Section 3

Logic Trends
A leading professional services firm focused on Identity & Access Management and Governance

Corporate Profile
  Founded in 2002
  Inc. 500 Fastest Growing US private company honoree for five years
  Logic Trends services its National client base through operations in Atlanta (HQ), Dallas, Chicago, New York, and Baltimore

Services Profile
  300+ Engagements Completed
  Repeatable IAM5 Services Framework
  Full IAM Lifecycle Service Delivery including:
  Strategic Advisory
  Program/Project Management
  Full IAM SDLC Support
  Cloud-Based IAM offering
  24X7 Support Center

Resource Snapshot
  Senior Delivery Team, 12+ years of IAM delivery
  70 employees nationally
  Regionally focused with national coverage

Sample Healthcare Clients

IAM5 – Approach & Methodology

Identity and Access Management often represents the first truly enterprise solution an organization will deploy. Consequently, IAM is an organizational, process, and corporate culture challenge first and a technology challenge second. Our broad experience with Enterprise IAM has led to the following methodology development:

The IAM5 Methodology is positioned to deliver incremental wins and outputs for the business and technical audiences

IAM for Healthcare

Perfect storm of…
  Compliance needs
  Provider consolidation
  Patient access
  IT adoption
  End user experience improvements

Requires a partner with healthcare, business, IT and security knowledge capital

Introducing SailPoint
  Leading identity and access governance (IAG) solution provider
  Founded in 2005
  Headquartered in Austin, Texas
  Over 140 employees around the world

Our global customer base
  Over 75 companies in 14 countries
  Our specialty: security & privacy regulatory challenges in healthcare, financial services and insurance

We help our customers to
  Reduce risk of non-compliance
  Proactively manage security and identity risk
  Lower administration and compliance costs
  Enhance employee productivity
  Pave the way for future initiatives

SailPoint IdentityIQ Suite
A unified solution for automating compliance and user lifecycle processes – built on a common roles, policy, and risk model

Compliance Management
  Automates regular review of user access
  Proactively detects and notifies managers of policy violations
  Detects and mitigates identity & access risks
  Provides analytics & reporting for proof of compliance

Lifecycle Management
  Provisions new users
  Automates routine user administration tasks: job changes, location changes, forgotten or expired passwords
  De-provisions terminated users

SailPoint’s Unique Governance-Based Approach

Determine Current State
Who has access to what? Is that access appropriate?
  Aggregate and correlate data
  Data cleanup
  Access reviews
  Remediation & critical corrective actions

Model Desired State
Mine, model & define roles. Define access policies. Configure risk model.
  Mine, model & create roles
  Define role assignment rules
  Define business policies (SoD and other)
  Define risk model components

Automate User Lifecycle Processes
Access Request. Event Lifecycle Mgmt. Workflow/Connectors.
  Configure access request
  Define lifecycle events (joiner, mover, leaver)
  Establish approval workflows and policies
  Define change management processes
  Deploy connectors where needed

SailPoint: Fast Results, Fast ROI

Immediate value to the business
  Identify potential risks and vulnerabilities
  Remediate problems to reduce risk
  Automate strong controls and reliable, repeatable oversight
  Provide proof of compliance on demand
  Ensure compliance with these safeguards by all staff

Measurable results in weeks
  Reduced compliance costs and staffing requirements
  Revocations of inappropriate access (avg. 20-30%)
  Detection and remediation of policy violations
  Elimination of high-risk accounts

Q&A