Healthcare providers, in particular, must prove that their organization and operational standards establish the proper quality and safety measures to meet strict regulation, reform and privacy requirements. However, even with “proper” protocols in place, most healthcare organizations are often unable to prove whether they have properly managed secure and protected information.
Improper user account management can lead to breaches of security, fines, penalties, lack of trust from the community and failed audits. Hospitals and healthcare providers need to take the necessary measures to ensure sensitive information is not available to employees without proper access rights. For instance, former employees and contractors present a definite security risk when they can still access and use a former employer’s e-mail network because their user accounts were not deactivated immediately upon their departure.
In addition to being able to report on the accuracy of user accounts within an organization and what access rights are granted to each user, hospital leaders also need to create a system of breadcrumbs to establish an audit trail of the who, what and when for all changes in a user access management system.
However, it can often be challenging for organizational leaders to make every action of every person within the network traceable because the organizations generally have complex IT infrastructures.
There is a simple solution to automatically circumvent these problems, though, according to Dean Wiech, managing director of Tools4ever.
“Many organizations have the problem of employees leaving the organization or moving to another department, and their accounts and access rights remaining active for months,” Wiech said. “Or the reverse occurs: a new employee may have to wait up to a week before he or she can access certain information or applications.
“Since the HR department usually has the most up-to-date information related to employees because it needs to update its system with name or job changes or changes arising from employees leaving the organization, by connecting the user account management process to the HR system, the entire issue is resolved,” Wiech added.
An example of this working well is at CentraState Healthcare System in Freehold, New Jersey. CentraState is a nonprofit community health organization with an acute-care hospital, three senior living centers, a health education and activities center and a family medicine residency program.
With continued regulatory compliance and the ever-growing need to do more with less, CentraState made changes to automate its user account management process through the HR department. The healthcare organization employed a secure and automated method for managing the user account lifecycle through its Active Directory and Exchange portals.
Now, as employees are hired by CentraState, their pertinent information is entered into the hospital’s Lawson HR system. Conversely, as employees resign, a termination date is placed in the system. On a regularly scheduled basis, the organization’s user management application (User Management Resource Administrator) starts a query to capture all employee data and begin the process of updating Active Directory.
If the account already exists in Active Directory, any updates, such as name, location or department changes, are appropriately processed. If the account does not exist, it is created along with an Exchange mailbox and a home directory, and it is assigned to the appropriate group profile based on job title and department. If the employee’s start date is in the future, the account is created but kept in a disabled state until that date is reached, at which point it is activated.
With the changes, CentraState now easily enters the information of new employees into its Lawson HR system. The User Management Resource Administrator system then starts a query to check for updates or new accounts and performs the appropriate action. If a new account is found, it is added to Active Directory, an Exchange mailbox and a home directory are created and the account is assigned to a group profile. The Tools4ever system also disables employee accounts when an employee termination occurs and, after a certain predefined period of time, the account is deleted.
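The HR-driven reconciliation described above, as an added example (not UMRA's or CentraState's code). The record fields, group names, 90-day retention value and the `pending_start` flag are assumptions; the example also flags directory accounts that have no HR record, which goes beyond the steps the article lists.

```python
from datetime import date, timedelta
# Constructed mapping; real group profiles come from the organization's role design.
GROUP_PROFILES = {("Nursing", "RN"): "grp-nursing-rn", ("Finance", "Analyst"): "grp-finance"}
RETENTION = timedelta(days=90)  # assumed value for the "predefined period"

def plan_sync(hr, directory, today, actor="hr-sync"):
    """Compare HR records with directory accounts; return audit-ready actions."""
    plan = []
    def act(what, emp_id, **detail):
        plan.append({"who": actor, "when": today.isoformat(), "what": what,
                     "target": emp_id, "detail": detail})
    for emp_id, rec in sorted(hr.items()):
        acct = directory.get(emp_id)
        term = rec.get("term_date")
        terminated = term is not None and term <= today
        if acct is None:
            if not terminated:  # never provision an already-terminated employee
                group = GROUP_PROFILES.get((rec["department"], rec["title"]))
                act("create", emp_id, enabled=rec["start_date"] <= today,
                    group=group or "NEEDS-REVIEW")  # no silent default access
        elif terminated:
            if acct["enabled"]:
                act("disable", emp_id, reason="terminated")
            elif today - term >= RETENTION:
                act("delete", emp_id, reason="retention elapsed")
        else:
            changed = {k: rec[k] for k in ("name", "department", "title")
                       if acct.get(k) != rec[k]}
            if changed:
                act("update", emp_id, **changed)
            # Auto-enable only accounts parked for a future start, not ones an admin disabled.
            if acct.get("pending_start") and rec["start_date"] <= today:
                act("enable", emp_id, reason="start date reached")
    for emp_id in sorted(set(directory) - set(hr)):
        act("review", emp_id, reason="no HR record")  # orphaned or contractor account
    return plan

# Constructed sample data (not real employees).
TODAY = date(2024, 6, 3)
HR = {
    "1001": dict(name="Ana Ruiz", department="Nursing", title="RN", start_date=date(2024, 6, 10)),
    "1002": dict(name="Ben Cole", department="Finance", title="Analyst",
                 start_date=date(2023, 1, 9), term_date=date(2024, 5, 31)),
    "1003": dict(name="Cy Diaz", department="Finance", title="Analyst",
                 start_date=date(2020, 3, 2), term_date=date(2024, 2, 1)),
    "1004": dict(name="Dee Fox", department="Finance", title="Analyst", start_date=date(2022, 5, 2)),
}
DIRECTORY = {
    "1002": dict(name="Ben Cole", department="Finance", title="Analyst", enabled=True),
    "1003": dict(name="Cy Diaz", department="Finance", title="Analyst", enabled=False),
    "1004": dict(name="Dee Fox", department="Nursing", title="Analyst", enabled=True),
    "9001": dict(name="Temp Contractor", department="IT", title="Contractor", enabled=True),
}
```

Each returned action carries the who, what and when needed for the audit trail, so the plan can be logged before anything is applied to the directory.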
“The benefits of this approach are that user accounts are created faster, are error free and employees are granted the correct access rights based on their function as dictated by the HR system in a much quicker time period,” said Wiech. “Furthermore, because UMRA automatically logs all activities that occur in the network, it is easy to find out who performed what activity to an employee record in the network. This detailed data is available for auditing and reporting purposes.”
In the two years since CentraState implemented UMRA, its IT department has gained a tremendous amount of efficiency and saved time on tasks that were previously performed manually, said Mark Handerhan, CentraState IT Manager.
“The implementation of Tools4ever’s UMRA was one of the most highly valuable, cost-effective solutions that we’ve ever put in place,” said Handerhan. “We have taken the manual intervention out of the equation for many mundane Active Directory user tasks, such as disabling network accounts. User accounts are now disabled in real-time once terminated in Lawson. I believe efficiency is the best seller here.”