This healthcare organization needed to improve its inefficient manual process for provisioning user access. It engaged GCA Technology Services to implement an identity management system using NetIQ Identity Manager. This reduced provisioning time from 24 hours to just 4 minutes. It also improved compliance by reducing audit times by over 90%. The project won awards for successfully supporting over 220,000 users across 134 hospitals.
GCA Technology Healthcare Identity Management Case Study
GCA TECHNOLOGY SERVICES GETS HEALTHCARE
GROUND BREAKING IDENTITY MANAGEMENT IMPLEMENTATION
www.gca.net | 888.422.9786
THE HEALTHCARE CUSTOMER
Our customer is one of the leading operators of general acute care hospitals in the
United States. The organization was founded in 1985 and has 220,000+ users. Our
customer is one of the largest publicly-traded hospital companies in the United
States and a leading operator of general acute care hospitals in non-urban and
mid-size markets throughout the country.
The organization and its affiliates own, operate, or lease over 134 hospitals in 29 states. This brings the total
licensed bed count to approximately 20,000. Its hospitals offer a broad range of inpatient and surgical services,
outpatient treatment and skilled nursing care. The organization also provides management and consulting
services to non-affiliated general acute care hospitals located throughout the United States.
THE CHALLENGE
The healthcare organization was manually provisioning rights and access to new employees (corporate
employees, physicians, nurses, etc.). Provisioning new users (and deprovisioning terminated users) took 24 hours.
On average, it took up to three weeks for those employees to gain access to the systems they are required to use
based upon their job function/role. These lengthy delays were due to the manual process for workflow approvals.
Like the majority of organizations, the customer had an inconsistent process for archiving role-based
exceptions (needed for compliance), undefined employee-to-manager relationships, no synchronization across
multiple applications/platforms, no auditing or mapping of users to applications and access, and limited
password self-service. Clinicians were required to remember multiple usernames and passwords, causing an
influx of password reset calls to the help desk.
It was decided that its process for managing the lifecycle of its employees was not as efficient and cost-effective
as it could be. The overall goal of the Identity Management project was to tune, expand and enhance the current
provisioning system so that the organization could maintain an employee’s complete set of identity
information, which spans multiple business and technical contexts. This allowed the IS team to condense identity
and access provisioning methods, which ultimately improved data consistency and accuracy as well as security
across the multiple systems that clinicians access to provide patient care.
[Figure: User Count vs Time. Y-axis: user count, 0 to 250,000; x-axis: year, 2004 to 2012.]
The user count grew rapidly as the organization acquired new hospitals. The local IT team had to import the new identities to the IDM system and make sure they were set up the same as existing users within the organization’s user provisioning environment.
On average, it took up to three weeks for the employees of the newly acquired hospital to be fully provisioned to their applications and systems. It now takes 5-15 minutes.
PROJECT STAKEHOLDERS AND GOALS
GCA Technology Services planned the project in several phases. Phase I was an infrastructure and application
upgrade slated to start in October 2009. Phases II and III (A) consisted of expanding and enhancing clinical applications.
Phase III (B) added many more premise-based clinical applications and connected to several cloud (SaaS)
applications. The ongoing Phase IV expanded upon the clinical application connectors and assisted the customer
with production rollouts to newly acquired hospitals. GCA Technology Services worked alongside the healthcare
organization’s team of information security professionals to complete each project phase on time and on budget.
At the time of implementation, the project supported 140,000 employees including physicians, clinicians, hospital
administrators, information systems staff, consultants, and physician office staff. The project also supported
approximately 60,000 remote users. As of March 2012, the project reportedly supports over 220,000 users,
with more users being added daily.
Our customer listed the following as goals for their identity management project:
- Reduce multiple user accounts to a single account for system access
- Provision a single user account for multiple applications
- Real time provisioning of new and terminated users
- Password reset capabilities for multiple systems
- Create manager to employee relationships for organizational charts
- Reduce support calls handled by local facility IS
- Time bound provisioning for consultants / contractors
- Compliance auditing and reporting of provisioning
- User to application access mapping and reporting
THE PROJECT DETAILS
NetIQ Identity Manager 4.0 was recommended as an upgrade to the existing Identity Manager 2.0
solution, thus preventing relicensing and reworking of their existing architecture. Utilizing the 5 existing physical
servers, we extended these by adding 25 virtual servers to encompass a larger portion of their provisioning. The
number of servers added was based on the sheer scale of the solution. Additionally, high availability was built into
the solution so that one third of the solution can be down at any given time. Due to the hundreds of
connections being made to different systems, the architecture was chosen for its high scalability.
Old Environment: 5 Servers
New Environment: 5 Physical Servers, 25 Virtual Servers
The project team from GCA Technology Services custom developed clinical drivers along with workflows and
entitlements for the McKesson, Ultipro, Meditech, AllScripts, HMS, and Keane suite of clinical products.
GCA Technology Services’ engineers were able to work with these healthcare applications and custom develop
drivers with enhanced functionality. These drivers enabled NetIQ Identity Manager to automatically provision,
deprovision, and modify user accounts in each of the applications based on the user’s role.
Determining the access required for each user was a problem. Utilizing a paperwork approval process slowed the
came to their department. There are multiple areas where an employee could make a mistake on the form. This
payroll database, the customer was able to get up to the minute status of new and terminated users. GCA
Technology Services decided to connect to payroll because the information contained in such a database is
typically the most accurate source of user’s information within an organization. The payroll information also gave
insight to help determine a baseline role for most of the provisioning required such as, assigned position,
134
locations.
[Diagram: User, Access Approver, Identity Management System, Application A]
Employees now request access directly through the IDM system. The access approver
They now are able to grant access immediately through the IDM system which provisions the employee directly to the application.
Based on the data mined from the payroll system, the project team was able to determine the facility and
department of a user, which allowed the provisioning of the user automatically to only the clinical applications that
they need access to. They standardized their facilities on the same applications across those hospitals and the
automated provisioning based on the roles. This allowed the organization to rollout the applications at their
application could be performed in a matter of minutes, not days or weeks. These clinical drivers, the key to
project delivered a single username and password to all locations for 16 applications and that list is growing today.
THE RESULTS
Identity Management improved user provisioning for our customer by reducing the amount of time to add,
modify or remove users to under 4 minutes. The previous provisioning process took 24 hours. Password reset calls
once accounted for around 60% of the service desk’s requests. Today, the volume of password-related calls is
less than 10% of the total service desk call volume. Identity Management support resources have
transitioned into other areas of support since the implementation. The time to provision users at the time of a
audits have been reduced by over 90% for terminated users and roles based violations.
The project team also integrated NetIQ Sentinel (SIEM) to the Identity Manager. This allows the organization to
see all IDM processes in real time and log all activity for regulatory compliance. They can watch the Role Processor
(brain behind the role based engine) determine the role of a new user as he/she is entered into payroll while
watching each of the connectors provision the role in real-time. When a user is terminated, the customer can see
each account as it is disabled, one-by-one throughout the system. If, for any reason, a connection goes down
(VPN tunnel outage, local IS takes the application down for maintenance, etc.), Sentinel will show that IDM could
not connect to the remote system and is waiting for it to come back online. This increased level of visibility will
ensure everything within the user provisioning environment will run smoothly.
The time to add, modify or remove users once took 24 hours. With the new identity management system in place, provisioning users takes just 4 minutes.
Time to provision new users at the time of a hospital acquisition took 3 weeks. The new identity management system can now provision access to the new users in 5-15 minutes.
SOUTHEAST PROJECT OF THE YEAR, 2011
On March 16, 2011, the Identity Management project won the “Project of the Year” award at the Information
Security Executive (ISE) of the Year Awards in Atlanta, GA. The ISE Southeast Award recognizes the information
security executives and their teams who have demonstrated outstanding leadership in risk management, data
asset protection, regulatory compliance, privacy, and network security. There was stiff competition as they were
nominated along with Equifax, Thomson Reuters, and the Internal Revenue Service to name a few. However, the
project prevailed and took home 2011’s top honor from the ISE. Additionally, the project was named a finalist for
the 2011 North American Project of the Year.
GCA TECHNOLOGY SERVICES
1511 N. WESTSHORE BLVD. SUITE 700
TAMPA, FL 33607 sales@gca.net