Key Points - PowerPoint PPT Presentation

1 / 30

About This Presentation

Title:

Key Points

Description:

Customized/'home grown' solutions higher system maintenance requirements but ... required, ROI difficult to measure, easier to sell as 'insurance policy' ... – PowerPoint PPT presentation

Number of Views:20

Avg rating:3.0/5.0

Slides: 31

Provided by: mistr8

Category:

more less

Transcript and Presenter's Notes

Title: Key Points

1
(No Transcript)
2
Key Points

Regulatory business requirements
Identity management or role based access (RBAC)
planning implementation
Maintenance audit requirements
Barriers to successful implementation
Build or buy?
Resources

3
Regulatory Business Requirements

HIPAA Privacy Rule minimum necessary
requirement
Concept of least privilege
Legal operational risk management
Limit access creep or increased access due to
longevity
Operational efficiencies match data access to
position

4
Regulatory Business Requirements

Access limited by data sensitivity
Identity management not limited to just workforce
need to account for external entity access
Identity management tied to authentication,
authorization and access management
Requires reqular audits

5
Identity Management Planning Implementation

Project management required
Definition phase -
Goals what do you want to accomplish (e.g.,
financial controls, limit access to proprietary
data, manage employee data access when positions
change, etc.)
Define access methodology (e.g., geographic, by
job classification, by data type, etc.

6
Identity Management Planning Implementation

Definition phase continued -
Estimate number of roles required
System, folder and data inventory (manual or
automated)
Identify resources (IT business)
Identify resource constraints (development and
production support)
How tos of maintenance audit

7
Identity Management Planning Implementation

Definition phase continued -
Regulatory requirements (I.e., HIPAA,
Gram-Leach-Bliley, Medicare, state statute, etc.)
Time line account for regulatory requirements
reality
Identify applications data repositories that
require controlled access

8
Identity Management Planning Implementation

Project charter, plan time line development
review (see sample)
Define project in phases (I.e., business
inventory, establishing infrastructure, etc.)
Business community buy in requires significant
resource investment
Resource allocation software acquisition (if
appropriate for inventory, maintenance, etc.)

9
Identity Management Planning Implementation

Requires application functionality evaluation
can applications and data repositories support
access management?
May require upgrading or replacing applications
Define budget determined by development costs,
upgrade costs, acquisition costs, on-going
maintenance costs

10
Identity Management Planning Implementation

Initial planning phase should be tied to risk
analysis (e.g., where are threats
vulnerabilities to inappropriate data exposure)
Application/data repository initial assessment
needs to account for on-going audit capability
Include audit program development in planning
phase

11
Identity Management Planning Implementation

Role inventory involves business, IT and human
resources (HR)
Survey management and staff (see sample surveys)
sample or census
Survey results determine business needs and
privacy risks

12
Identity Management Planning Implementation

Active Directory as a management tool
Match positions to roles and roles to systems,
screens and data
Determine on-going maintenance audit
requirements who does it and what does it
entail?

13
Identity Management Planning Implementation

Maintenance and audit processes critical
Test and implement maintenance tool
Load role and user data
Management and staff training
Implement with defined review periods does it
work?
Audit and update role integrity and exception
limitation

14
Maintenance Audit Requirements

Resource process required to maintain
accuracy/integrity part of on-going budgeting
Lack of attention to detail after rollout negates
up front resource investment
Tie to position number and job classification
(where appropriate)
Maintain role definition separate from user
tracking

15
Maintenance Audit Requirements

Limit exceptions and track
Tracking must include history audit, system
troubleshooting and forensic investigation
Back up data, staff and documentation
Regular role review and update
Audit at regularly scheduled intervals, annually
and whenever major system or business changes
occur

16
Maintenance Audit Requirements

Maintenance and audit production and test
Remember external user tracking contractors,
business associates, affiliates, etc.
New system implementation embed identity
management controls within development cycle

17
Barriers to Successful Implementation

No standard healthcare identity management model
Access provisioning relatively new to healthcare
and vendors (especially EHR vendors)
Enterprise solutions may be costly and not suited
for small organizations
Confusion abounds how complex does this have to
be?

18
Barriers to Successful Implementation

Business resources critical IS cant define
roles
Because HIPAA says so doesnt work
Timing issues privacy/security risks currently
exist
Skimping at any phase limits project success

19
Barriers to Successful Implementation

Difficulties in tracking employee movement within
departments and non-permanent staff
Too many roles difficult to maintain
Too few roles increase exceptions and defeat
purpose of identity management

20
Barriers to Successful Implementation

Insufficient maintenance resources
Weak processes equal weak protections
Audit logs/reports if produced must be looked at
to avoid legal risk
Weak authentication, authorization, access
termination controls limit effectiveness

21
Build or Buy?

Large vs. small organizations
Manual systems for small offices
The greater the complexity, the greater the
justification for automated identity management
Support staff resource availability also drives
solution

22
Build or Buy?

Computer Associates, BMC, etc. large
organizations only need apply
Open Network and others more targeted solutions
with a price tag
Tools standardize at a cost but may limit staff
resource requirements
Customized/home grown solutions higher system
maintenance requirements but designed to meet
specific organizational needs

23
Build or Buy?

Determine current application/data repository
limitations (e.g., EHR capabilities, database
logging capabilities, etc.)
Existing system functionality assists in
determining build or buy decision
Current application may suffice if provide
identity management functionality, controls,
audit logs, etc. may not need to do more than
adjust current applications and practices

24
Build or Buy - Example

Simple tools in a small to medium sized
organization to track roles
Database (desktop or server) or spreadsheet
development
Limited roles require minimal complexity
Combine manual processes with electronic tracking

25
Build or Buy - Example

Large organizations
Computer Associates, BMC, etc. enterprise tool
for more than identity management
Limiting roles when configuring systems
Automated system queries role integrity
validation (more difficult with legacy systems)

26
Summary

Regulatory requirement and good business sense
Dont skimp on planning or resources
Sell it resources required, ROI difficult to
measure, easier to sell as insurance policy
Adequate maintenance resources regular audits
key to reap identity management benefits
Identity management complexity depends on needs
and not regulations

27
Resources

National Institute of Standards Technology
(NIST) RBAC Web Site http//csrc.nist.gov/rbac
Hewlett Packard on Identity Management
http//www.hpl.hp.com/techreports/1999/HPL-1999-59
.html
SANS on Identity Management http//www.sans.org/
infosecFAQ/securitybasics/RBAC.htm

28
Resources