Securing Access of Health Information Using Identity Management

Steve Whicker
Manager – Security Compliance, HIPAA Security Officer
AHIS – Central Region, St Vincent Health

Chris Bidleman
Director of Healthcare, Novell, Inc
Healthcare Industry Themes for 2010
• Reduce healthcare costs: Surveys indicate HIT budgets will stay the same or slightly increase, but CIOs will still look for ways to save money. IT departments are still resource constrained.
• Deal with the aftermath of healthcare reform: New regulations, incentives to adopt electronic health records, and changes in reporting, breach notification and audits, plus higher violation fines. Achieve Meaningful Use criteria.
• Expanded use of Health IT: HITECH and Meaningful Use guidelines will drive HIT adoption and will also bring focus on the privacy and security of protected health information (PHI) through data encryption, role-based access controls, and audit trails.
• More communication between patient and provider: Incentives for increased preventative medicine programs will require more electronic communication with patients and families, secure exchange of health data (e.g. patient, doctor, referrals, public health orgs), and better patient identification.
Meaningful Use Criteria - Stage 1
Starting January 1, 2011 from CMS-0033-P
• Improve quality, safety, efficiency, and reduce health disparities
• Engage patients and families in their health care
• Improve care coordination
• Improve population and public health
• Ensure adequate privacy and security protections for
Today, who typically cares about Identity and Access Management?
• Chief Information Officer (CIO)
• Director of Infrastructures
• Network/Server Manager
• IT Security
• Application Administrators
With ARRA and Meaningful Use — Who SHOULD care about Identity and Access Management?
• Application owners
• Audit committee
• Lines of Business owners
• Director of Applications
• Chief Executive Officer (CEO)
• Chief Financial Officer (CFO)
• Chief Information Officer (CIO)
• Chief Technology Officer (CTO)
• Chief Operating Officer (COO)
• Chief Medical Information Officer
• Four separate networks (Indianapolis, Frankfort, Anderson, Kokomo)
• Two separate and overlapping access request processes for identity and access management (ID Request & IS Request), which made it difficult to centrally manage the access request and change logs
• Identity creation and management was a manual process
• No centralized process to document request completion
• No formal validation process to verify the authenticity of requesting manager
• Multiple touch points (Network Administrator and Application support personnel) for creation of a Login ID for an individual user
• De-provisioning process was not consistently followed
Impermissible uses and disclosures of protected health information (PHI)
Novell Compliance Management Platform (CMP) provides identity management, audit reporting, and web access control to network resources
Lack of safeguards of protected health information such as logging and monitoring to detect suspicious system activities
Novell SecureLogin (NSL) provides enterprise single sign-on and fast user switching for shared workstations. Novell Sentinel can provide real-time auditing, monitoring and remediation of user access to PHI with a powerful correlation engine.
Enhance role-based access control based on the minimum necessary principle
Novell Access Governance Suite (AGS) can manage roles and security policies as well as access certification. Novell Identity Manager (IDM) can provision/deprovision resources based on roles and provide self-service and workflow.
Breach notification procedure updates with monitoring and reporting
Novell Sentinel Log Manager can store and analyze who had access to what, when, where and how for all connected devices and apps
Encryption of mobile devices and other data sources storing PHI plus reducing data leakage
Novell ZENworks Endpoint Management solutions can secure devices including USB ports, encrypt data, provide application virtualization and patch management, and make upgrades easy (e.g. Windows 7)