Automating Access Rights

By Ann Longmore-Etheridge

The convergence of security and information technology (IT) can lead to one group or the other becoming tasked with duties not traditionally their own; this work can consume many hours of labor that could be more productively spent in other ways. Gundersen Lutheran Health System’s IT staff, for example, was heavily burdened by assigning access rights to thousands of employees, volunteers, and visiting students, until a combination of software solutions automated the process.

Gundersen Lutheran, a not-for-profit healthcare system, is headquartered in La Crosse, Wisconsin. A teaching hospital with 325 beds and a Level II trauma and emergency center, it is the designated Western Clinical Campus for the University of Wisconsin-Madison Medical School and School of Nursing. Additionally, it includes one of the nation’s largest multi-specialty group medical practices, regional community clinics, hospitals, nursing homes, home care, behavioral health services, vision centers, pharmacies, and more. The system cares for patients at facilities located throughout western Wisconsin, northeastern Iowa, and southeastern Minnesota.

Dawn Comeau-Johnson, technical systems administrator, says that only a few years ago, the IT team manually managed computer network accounts not only for approximately 6,000 employees but also for an additional 4,000 volunteers, medical students, and temporary employees.

Turnover in these secondary groups is high, she says. “Employee turnover is about 10 to 15 per week,” Comeau-Johnson says, and “at the start of a school year, there might be a group of 200 students coming in at once who may only stay for a week.”

Short-term students had to be granted this temporary access by the IT team on a timely basis. “We’re a teaching hospital, and if we couldn’t give the students that kind of computer-based training, they probably wouldn’t come here,” she states.

Requests for new, temporary, or changed accounts came to the IT team from various managers, she explains. Adding to the challenge, IT didn’t have to create just one account per person—a myriad of permissions needed to be created for access to Microsoft Word, Lotus Notes, Excel, and other programs that managed health and human resource records, scheduled clinic appointments, and more.

There was also no security-based role chart defining which job position should have access to which network programs. The managers themselves often didn’t know which programs a new employee should be given rights to. “[The manager] would say, ‘Set them up just like so-and-so,’” says Comeau-Johnson. “But years before, that person may have been given access rights that were above and beyond the normal job—so now the replacement also had extra access.”

Removal of access for resigned or terminated employees was also less than perfect—and in a healthcare industry under the rule of the Health Insurance Portability and Accountability Act (HIPAA), says Comeau-Johnson, former employees still having access to patient charts “was a huge deal.”

When a search for a solution was launched, the IT team consulted research from Gartner, Inc., a leading provider of studies and analysis on the industry, and explored the options available on the market. They eventually chose two Novell software products, Identity Manager and ZENworks, to automate identity management and to manage workstations and handheld devices. “We needed an identity management solution to work across all our platforms,” says Comeau-Johnson. “Only the Novell products could provide the cross-platform functionality.”

The two software packages, which create and operate automating drivers, were installed on the appropriate PCs in Gundersen Lutheran’s two secure IT centers. They have been updated several times since the first install to enhance automation. The latest update, says Comeau-Johnson, is Web-based.

Along with the original installation, Comeau-Johnson says, existing user lists for the network’s programs were cleaned up, old accounts deleted, and current users assigned rights from a new role-based security table that has “all of the departments and job codes and the types of access each employee should have.” The table is managed by an authorized application specialist who can add or remove access rights for each job via a simple PC user interface of dropdown boxes.

For the employees of Gundersen Lutheran, the system is completely transparent. “They know nothing about it,” Comeau-Johnson states, explaining that when a new hire comes aboard, the recruiter in the human resources division opens the HR personnel management program, called Lawson, and inputs the employee’s basic information, including the position and start date.

“As soon as the recruiter does that, the Lawson driver creates the employee in the workforce tree and then the e-driver creates the person in the resource tree, then that information automatically goes out to the other drivers, and access rights are created where they need to be, based on the role-based security table,” she says.

The new users are created in a disabled state, and a utility, which looks for an activation date, is run nightly. “When that date comes along, the utility enables the account, so that on midnight of the date the new hire is supposed to start, their account is activated” with correct access levels.

When employees change jobs, access rights are modified based on changes made in HR’s Lawson program. “It automatically causes their accounts to be deleted, then recreates the accounts with the new role-based security table job code and changes all access rights, but the passwords stay the same,” she says. This allows employees to log in as usual, but they see only the programs that the new job position can access.

The deletion of accounts is also triggered by changes made in Lawson by HR; however, if a terminated account needs to be processed immediately, the manager can call the IT help desk anytime around the clock. The IT staff at the help desk can have the account shut down within minutes.
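The HR-driven provisioning cycle described above, modelled in Python as an added illustration (not code from the article or from Novell's products): a role table keyed by job code, accounts created disabled and enabled by a nightly job on their start date, job changes that rebuild rights while keeping the password, termination, and an audit for rights that exceed the role table, the drift that “set them up just like so-and-so” used to cause. The job codes, rights, and the Provisioner class are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed role-based security table (job code -> application rights); not the real table.
ROLE_TABLE = {
    "RN01": {"email", "clinic_scheduling", "patient_charts"},
    "HR02": {"email", "hr_records"},
}

@dataclass
class Account:
    user_id: str
    job_code: str
    start_date: date
    password_hash: str       # stand-in for the credential that survives a job change
    enabled: bool = False    # new hires are created disabled until their start date
    entitlements: set = field(default_factory=set)

class Provisioner:
    def __init__(self, role_table):
        self.role_table = role_table
        self.accounts = {}
    def hire(self, user_id, job_code, start_date, password_hash):
        # The HR record drives creation; rights come only from the role table, never from a peer.
        self.accounts[user_id] = Account(user_id, job_code, date.fromisoformat(start_date),
                                         password_hash, entitlements=set(self.role_table[job_code]))
        return self.accounts[user_id]
    def nightly_activation(self, today):
        # The nightly utility enables every disabled account whose start date has arrived.
        cutoff = date.fromisoformat(today)
        due = [a for a in self.accounts.values() if not a.enabled and a.start_date <= cutoff]
        for a in due:
            a.enabled = True
        return [a.user_id for a in due]
    def change_job(self, user_id, new_job_code):
        # Delete and recreate under the new job code; the password carries over.
        old = self.accounts.pop(user_id)
        self.accounts[user_id] = Account(user_id, new_job_code, old.start_date, old.password_hash,
                                         enabled=old.enabled, entitlements=set(self.role_table[new_job_code]))
        return self.accounts[user_id]
    def terminate(self, user_id):
        # HR termination (or an urgent help-desk call) removes the account outright.
        return self.accounts.pop(user_id, None) is not None
    def audit_excess(self):
        # Rights beyond the role table: the "set them up like so-and-so" drift the article describes.
        excess = {uid: a.entitlements - self.role_table[a.job_code] for uid, a in self.accounts.items()}
        return {uid: e for uid, e in excess.items() if e}
```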

According to Comeau-Johnson, the automation provided by the Novell software has saved the IT team an estimated 90 percent of the time it used to spend processing accounts, and control of information has been increased.

“We deal with such a large volume of sensitive and HIPAA-regulated information. Now we have the right tools to manage it,” says Comeau-Johnson.


(For more Information: Novell, 800/858-4000; Web: www.novell.com; e-mail: crc@novell.com.)
