The health system closes security loopholes and automates processes while giving employees more options for managing their own user accounts.
With a hospital staff of more than 2,000 nurses, doctors and administrators, leadership at Sisters of Charity Providence Hospital, a two-hospital health system in Columbia, S.C., recently went on the hunt for an easy way to increase internal efficiency and allow employees to have greater ownership of their internal accounts.
In addition, Providence’s IT administrators wanted to streamline and automate the user account creation and de-provisioning process of their employees’ accounts and limit the access rights of employees to only those systems that they needed to perform their jobs. Doing so would mean tighter internal security and limit access to information for individuals not authorized to view some of the data within the hospital’s records.
A common developing practice among the nursing staff had been the sharing of user account logins. For example, several individuals used the same log-in credentials to access information within the hospital’s electronic health record (EHR) and other systems, meaning that no matter an employee’s role or responsibility at the hospital, by using the shared log-in information an individual could see all of the information contained in a record rather than only the information needed to perform his or her specific task in the care setting.
One of the highest priorities for the IT administrators of the project was identifying a secure solution that also allowed employees to take on more of the administrative workload associated with managing their user accounts, such as resetting their passwords, which would mean eliminating a great deal of unproductive helpdesk investment.
According to Jon Postiglione, system administrator for Providence Hospital, IT leaders really wanted to find a solution that allowed them to easily create individual accounts for nurses, physicians and caregivers based on their roles in the hospital – and to move away from using shared accounts.
“Shared access to accounts can lead to security breaches and access to information by employees who should not have the rights to view certain information,” Postiglione says. The practice of sharing account access was a huge concern for him and quickly became more of a pressing priority for the hospital.
Though most health systems and practice leaders are currently focused on meaningful-use upgrades and EHR implementations, Postiglione says identity and access management issues are just as pressing. In addition to creating tighter security protocols, identity and access management systems move much of the basic account administration to the employee level and eliminate the need for IT staff to be so heavily involved in time-consuming, lower priority tasks.
Moving through the implementation process with its solution provider, Tools4ever (a provider of identity and access management tools), Postiglione and Providence identified four goals to help the hospital resolve its user access issues:
- Integrate user security elements and employee directory management with the hospital’s Web-based security application;
- Create Web forms to easily allow users to perform complex tasks without their having knowledge of advanced scripts to administer their employee accounts;
- Create a simple and easy method for making bulk changes to user systems within the hospital’s employee directory; and
- Provide transparent auditing and reporting to verify that Providence is operating within HIPAA guidelines and regulations.
“Of these, the most important may be mainstreaming the provisioning process from the time an employee is hired and entered into the hospital,” says Dean Wiech, managing director of Tools4ever. “For example, using a newly enhanced, Web-based security application, new employees now have access to all of the accounts they need to work from the moment of hire, a process that previously took the hospital nearly two days to complete.
“Now, the process allows for an almost immediate delivery of the account information to the employee’s manager, including a record that tracks the assignment of group privileges and permissions to individual users,” Wiech says.
The hospital’s new application also creates the Exchange mailbox for the employee and creates a home folder on the appropriate internal shared drive. In the same manner, Tools4ever configured the hospital’s systems to function similarly when an employee is terminated or leaves. The user management tool not only disables an employee’s account, but also removes all security privileges from any future access – a process that can actually be done in bulk for a group of 1,000 deactivated users in less than 10 minutes – which eliminates any concern for meeting HIPAA compliancy requirements.
In addition to the user management resource administrator system, Providence also added a self-service password reset management tool that allows users to manage their own account access, reset passwords and access their information.
“Providence Hospital also chose to deploy a self-service password reset management tool allowing our internal end-users to enroll and reset their password without involvement of the helpdesk,” says Postiglione. “After a one-day installation, the immediate results have been a dramatic reduction in the number of calls to an over-worked helpdesk.
“The tool has been easily accepted by our user community and it allows employee to get back to work quicker, especially third-shift employees, by providing an immediate password reset,” Postiglione says.
In addition to the time savings associated with the password reset software, Providence Hospital now has a defined process for user account management that can be audited at any time, and the tool accommodates one-off requests with ease, as well as allows IT and hospital administrators to perform security audits based on system user information to determine who has accessed what information and when.
“Providence continues to refine, improve and make additions to their processes, and additional functionality is going to be rolled in to more completely integrate with attributes of employee account databases,” says Wiech.
The tools implemented by Providence have saved the health system money and time, says Postiglione, and allowed the hospital IT leaders to spread the workload of network administration out to other employees who are able to perform basic user administration tasks.
Learn more about Tools4ever at www.Tools4ever.com.