Alegent Health Implements Courion Solutions to Deliver Access Assurance
Background: Alegent Health is the largest not-for-profit, faith-based healthcare system in Nebraska and southwestern Iowa, with 9 acute care hospitals and over 100 sites of care that employ 9000 employees and 1300 physicians. The provider was ranked #1 in the U.S. in 2008 for quality/patient satisfaction according to the Network for Regional Healthcare Improvement (NRHI).
Challenges: Developing, implementing, and managing both physical and IT access policies in a complex environment like Alegent Health is challenging. As with all healthcare organizations, there are critical issues that must be considered when planning a strategic user identity and access management (or Access Assurance) deployment: patient privacy and sensitive data, the requirements of regulatory policies such as HIPAA, employee turnover and attrition, and asset management.
Additionally, there are operational requirements that need to be addressed in order to maintain internal service levels. For example, when a new employee is hired, they need access to clinical portals and applications, facility doors, and physical assets within a short time period. The IT department needs to ensure that the right access is provided to meet the individual's job requirements while at the same time not providing more access than is necessary for the person's role. IT also needs to manage access over the employee's entire life cycle as job requirements change and applications are upgraded or replaced.
Managers are expected to know the appropriate access requirements when someone is hired, transfers to another department, or leaves the organization. Before implementing Courion's Access Assurance Suite, Alegent Health used a manual process, termed "Model User," to provide users with the access to applications, work areas, and assets they needed to perform their jobs, but these weekly process reviews were time-consuming, complex, and prone to human error.
The Model User was the template on which a manager based the request for an individual's access rights. However, this approach had numerous flaws. For one thing, the models multiplied rapidly, so access was not being managed so much as it was just being granted, with less attention to whether the access rights were actually appropriate.
Best Deployment Scenario - Compliance
Solution provided: Alegent Health evaluated their systems and processes and reached a number of conclusions. With a high number of users and resources, traditional access control methods were labor-intensive and error-prone, so they needed an automated solution to address these issues. Alegent Health decided to implement Courion's RoleCourier, part of its comprehensive Access Assurance Suite. Role-Based Access Control (RBAC) would allow Alegent Health to reduce both labor and manual errors, but before implementing the actual solution they would have to invest the cycles to plan and develop the key roles required to maximize efficiencies. What Alegent did first was engage the lines of business (LOB) to determine the primary benefits and governance requirements for the roles project. They also engaged the IT, HR, and Legal departments to define roles in business terms, ultimately leading to an LOB acceptance review. They then took a phased approach to prioritizing access requirements, starting with logical access, then physical access, then asset management.
The next step was to implement a pilot program, which included broad roles and the required support and reporting for new hires and then for changes. Upon completion of this activity, Alegent Health deployed these processes with the Courion Access Assurance Suite.
In order to ensure proper governance was achieved through the new role management processes, Alegent's IT and HR teams worked together to map their existing structure of job families to specific accounts. This resulted in the ability to identify new, revised, and retired job codes and new, upgraded, and retired applications. Through both a top-down and a bottom-up approach, the team would scrub the list of proposed roles and review for: access exceptions, over- and/or under-credentialing; policy conflicts such as segregation of duties; and least privilege and user activity, to arrive at the specific roles they needed.
Summary: With Courion's Access Assurance Suite, Alegent Health is now able to ensure that only the right people have access to the right resources and are doing the right things. While the role definition process took a lot of work from cross-functional teams, the result of the effort is a better assessment of what access people have and how they are using this access.
Alegent Health has reduced user provisioning time from days to minutes and is able to demonstrate continuous compliance with a range of regulatory and audit requirements. It has also achieved more effective license management. They are able to avoid over-provisioning access that isn't required and automatically de-provision access if an application is not actively being used. The system allows them to easily understand necessary entitlement requirements and helps identify the use of sensitive data. Not only has Alegent Health improved the process of defining, applying, and provisioning required access, but they have streamlined business operations through automation and optimized their governance processes.
1881 Worcester Rd
Framingham MA 01701