Despite the requirements for information security and the move to electronic health records or similar systems that reduce a practice's need for paper, many hospitals and healthcare systems continue to manually manage their internal user accounts process.

In most cases, information regarding new employees is being passed, typically on paper, between the hiring manager, human resources and the IT department, who, in the end, manually create user accounts based on available – and often inaccurate – information.

A less-than-optimal process, this system can often lead to variety of risks, such as:

  • A large workload for the IT department with manual and repetitive tasks;
  • Long turnaround time for creating user accounts and the risk of making errors during the manual copying of data (such as typos in the name of an employee);
  • The risk that new employees receive the same rights as an employee in a similar function when they should not. When rights are copied, there is a risk that employees receive access rights to applications and systems they really don't require access to;
  • Risk of pollution in Active Directory, because accounts of employees who have left the organization remain active; this has a negative effect on the score of an audit and compliancy regulations.

For healthcare organizations to mitigate these risks, they need to take control of their authentication and authorization management.

By using an automated solution for user account management, organizations can greatly optimize the processes and reduce administrative risks.

A real-life example of authentication and authorization management

CentraState Healthcare System, a nonprofit community health organization in Freehold, N.J., featuring a 284-bed medical center and 171,000-square-foot outpatient medical center, uses automated identity and access management solutions to achieve an efficient and streamlined process for user account management.

Regulatory compliance and the ever-growing need to do more with less are reasons that CentraState Healthcare System sought to improve its internal IT processes. CentraState recently embarked on a project to find a secure and automated method for managing the user account lifecycle in Active Directory and Exchange.

Active Directory is the central source for users to access applications and systems. In the context of information security, it is important to keep user accounts in the Active Directory up to date and accurate to prevent former employees from being able to access your network and systems if their user account is left active.

“When our search started for an automated solution, our IT staff was managing the process manually utilizing Microsoft Active Directory,” says Lauro Araya, CentraState's network administrator. “This was a time-consuming process, and we wanted to avoid this manual intervention because it led to risks and errors.”

To be able to effectively manage the user account lifecycle, CentraState Healthcare System needed to create a connector, or link, between its human resources system and its Active Directory of employees and their access rights.

The process now begins when pertinent information of a newly hired employee is entered into the human resources system. Conversely, as employees resign, a termination date is placed in the HR system. On a scheduled basis, CentraState's news system executes an internal query to capture all employee data and begins the process of updating Active Directory. If the account already exists in AD, any updates – such as name, location or department changes – are appropriately processed.

If the account does not exist, it is created along with an exchange mailbox, home directory and assigned to the appropriate group profiles based on job title and department. If the employee start date is in the future, the account is created, but put in a disabled state until that date is reached. When an employee termination occurs, the information is processed by the software, and accounts are immediately disabled then deleted after a specific period of time has passed.

This information is also utilized to ensure mailboxes are created within the proper mail server. Information that is created during the Active Directory process, such as user account name and email address, is fed back to the HR database twice a day. This is done to ensure that the human resources system has accurate information whenever anything changes in Active Directory.

About two weeks after CentraState initially began the implementation of its identity and access management system, the entire automation project was implemented and operational. Since then, the paper-based system has now been completely replaced.

The reduction in time spent by the staff managing the user account lifecycle has been significant, and the healthcare facility is now much more capable of managing its internal accounts and granting or revoking access to certain information.

“This was one of the most highly valuable, cost-effective solutions that I've ever implemented,” Mark Handerhan, IT manager says. “We have taken the manual intervention out of the equation for many mundane AD/user tasks, such as disabling network accounts. User accounts are now disabled in real time once terminated in the human resources system.

“Besides the reduction in time spent managing a manual process, implementing the identity and access management system provides us with a greater level of network security, while also assuring compliance with industry standard regulations, such as HIPAA,” says Handerhan.

In summary, the IT staff at CentraState can spend more time on mission critical support and planning while eliminating the requirements to spend time on routine user account tasks.

About the author

Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign-on and access management, serving more than five million user accounts worldwide. Learn more at