How can healthcare organizations grant access to clinical data and applications, while protecting a patient’s privacy? For one integrated health system, automated provisioning held the key.
WellSpan is an integrated health system serving south central Pennsylvania and northern Maryland. With more than 70 locations, operations include more than 8,000 physicians, employees, volunteers, board members, two hospitals, six retail pharmacy sites, 31 ambulatory care and outpatient sites, 24 primary care and 13 specialty care offices, one home health organization and two managed care plans.
Driven by mergers and new office openings, WellSpan has experienced immense growth in the number of clinical applications and users it supports. With more than 50 different clinical applications running across the organization and a user population that includes 300 to 350 employee physicians and 350 to 400 nonemployee affiliated physicians, managing all the user identities tapping into the systems can be a daunting and complex task.
Managing a Sea of Identities
WellSpan recently undertook the ambitious project of creating a comprehensive electronic health record (EHR) for every patient, which presented several privacy and security challenges. Each member of the WellSpan clinical workforce needs access to vital patient information through a variety of clinical systems to effectively and immediately provide patient care. How do healthcare organizations ensure that the right users have the correct access to patient data and clinical applications? Are we providing access immediately to ensure proper patient care? Is it being done in compliance with government regulations regarding patient privacy and minimum necessary access?
With the growth of electronic patient data exchanges, access to health information needs to be controlled without disrupting the clinical workflow, while at the same time ensuring that audit and compliance requirements are being met. Additionally, one issue that needs to be addressed by many in the healthcare industry is password management—consistently enforcing stronger passwords for workers who have been granted access to clinical systems and patient data. In an industry where employees, contractors and additional third parties constantly share systems and terminals, having tight control over access to clinical systems is at the core of a strong security policy.
WellSpan has four full-time resources supporting the thousands of identity management needs of our organization. It got to the point where we knew we had to either hire more people or automate the process. I needed to implement an automated solution that would enable us to increase the reliability of user IDs and passwords on a timely basis, maintain the integrity of information that was becoming unmanageable, and support a critical mass of users and applications. While regulations like HIPAA were also a consideration, it was widely recognized that we needed to address access issues regardless of industry regulations.
Provision Me a Solution!
When looking for a complete provisioning solution to automate all of our processes, we had four main areas we needed to address: 1) support merger and acquisition activity and continued growth in clinical applications and IT users; 2) streamline access changes, which were taking up to three months; 3) demonstrate HIPAA and other regulatory compliance; and 4) enable care transformation and facilitate clinical application access control.
We selected Courion’s Enterprise Provisioning Suite solution because the company demonstrated the ability to streamline the user provisioning process, while providing the foundation for a strong identity management security policy and ensuring adherence to compliance requirements. Additionally, Courion demonstrated to us that their solution could easily integrate with the hundreds of healthcare-specific platforms currently deployed, such as Cerner, Eclipsys, Allscripts and GE Healthcare Centricity RIS/PACS.
We had many options for our starting point, but for us the initial focus of our identity management implementation was to automate the provisioning of new users and disabling accounts of exiting users to speed up the process and close security vulnerabilities. We wanted to achieve a “lights out” capability, meaning that a direct feed from our HR system would automatically feed the Courion application and establish the automatic baseline provisioning actions for our workforce. We then focused on automating other manual provisioning actions, followed by password reset and synchronization and then access compliance and policy verification.
Automating the Process
From a provisioning and access control perspective, the four most critical systems for automating the provisioning process were identified by the operational leadership as GE Healthcare Centricity RIS/PACS, Cerner for EMR, Allscripts for physician office EMR and Eclipsys for patient insurance, demographics and billing.
Prior to the implementation, all new user accounts were being provisioned to these systems manually. The human resources system would send an automatic notification, or paper access requests were faxed and entered into the help desk manually. It could take up to 20 minutes to an hour for one new user to be manually provisioned with the correct access.
However, the bigger problem was making changes to account access settings, which could take anywhere from a week to three months. The same was found to be true in disabling user accounts, a task mainly handled by one person. If that person was out sick or had the day off, disable requests would have to wait to be completed, creating orphaned-account problems in which access was left activated for users no longer with the organization, exposing serious security risks.
Now all provisioning of “basic access” is automated directly from our Lawson HR system. A new user is automatically provisioned with basic access and the hiring manager then initiates additional access using other workflows.
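An added sketch of the reconciliation behind this kind of HR-driven provisioning, not code from WellSpan or Courion: it compares an HR roster with per-system account lists and returns the basic-access accounts to create, the enabled accounts of terminated workers to disable (the orphaned accounts described above), and enabled accounts with no HR record. The system names, employee IDs and record layout are constructed for illustration, and reporting unmatched accounts for review instead of disabling them is an assumption.

```python
from dataclasses import dataclass

# Hypothetical "basic access" systems every active worker receives.
BASIC_ACCESS = ("directory", "email")


@dataclass(frozen=True)
class Worker:
    emp_id: str
    status: str  # "active" or "terminated", as reported by the HR feed


def plan_actions(hr_feed, accounts):
    """Return (provision, disable, unmatched) as sorted (emp_id, system) lists.

    hr_feed  -- Worker records from the HR system of record
    accounts -- {system: {emp_id: enabled}} as exported from each target system
    """
    by_id = {w.emp_id: w for w in hr_feed}
    provision, disable, unmatched = [], [], []

    # Active workers missing an enabled baseline account get one created.
    for w in by_id.values():
        if w.status == "active":
            for system in BASIC_ACCESS:
                if not accounts.get(system, {}).get(w.emp_id, False):
                    provision.append((w.emp_id, system))

    # Every enabled account must map back to an active HR record.
    for system, users in accounts.items():
        for emp_id, enabled in users.items():
            if not enabled:
                continue
            worker = by_id.get(emp_id)
            if worker is None:
                unmatched.append((emp_id, system))  # no HR record: manual review
            elif worker.status != "active":
                disable.append((emp_id, system))    # orphaned: owner has left
    return sorted(provision), sorted(disable), sorted(unmatched)


# Constructed sample data (not from the article).
HR_FEED = [Worker("E1001", "active"), Worker("E1002", "terminated"),
           Worker("E1003", "active")]
ACCOUNTS = {
    "directory": {"E1001": True, "E1002": True},
    "email": {"E1001": True, "E1002": False, "X9001": True},
    "emr": {"E1002": True, "E1003": True},
}

if __name__ == "__main__":
    for label, rows in zip(("provision", "disable", "unmatched"),
                           plan_actions(HR_FEED, ACCOUNTS)):
        print(label, rows)
```

Run on a schedule against fresh exports, the `disable` list stays empty only while terminations are processed promptly, so its length is a simple measure of orphaned-account exposure.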
On the self-service password management side, we made sure we had the ability to connect to a number of key applications prior to deploying it to our user community in order to drive user adoption. Key applications included Kronos, Eclipsys Web, Allscripts, Cerner Millennium and several target systems hosting other applications.
Access Granted
Since deploying Courion’s Enterprise Provisioning Suite, WellSpan has achieved a more timely and efficient approach to managing identities, avoiding the costs associated with hiring additional staff, demonstrating regulatory compliance by enforcing strong security policies, and streamlining access control and the auditing process.
By automating the provisioning process, we were able to drastically reduce time to access from months to mere minutes. When you are dealing with 40 to 60 new hires and 10 to 20 terminations per week, the time saved can be more than significant. Additionally, Courion enabled us to take a role-based approach to access control. With our business and clinical applications tied to the human resources systems, we are in the process of defining 100 roles for employees, credentialed doctors, nurses and departmental staff. Based on this definition, we can link individuals’ access rights to their roles in our organization, ensuring compliance with HIPAA and similar regulations.
Security and the Bottom Line
Automating the provisioning process enables us to avoid time-consuming manual processes and provides even greater confidence in our enforcement of tight security and strict privacy policies around systems access and patient health information. Most importantly, we are able to continue to provide a high level of patient care by ensuring that caregivers have the required access to critical applications and systems, while safeguarding our patients’ privacy by securing patient data and information.
Immediate results were seen in the transformation of how password reset and synchronization were being handled. Prior to implementing Courion, passwords were reset as a manual process through the help desk, a time and resource drain for an organization with a four-person IT staff.
Since the implementation, we have been able to enforce a strong password management policy that eliminates loopholes and careless mistakes in the password-reset process. By reducing calls to the help desks, WellSpan has been able to free up a tremendous amount of resources to tackle more forward-looking and ambitious projects. Most importantly, we have a system in place that allows our workforce population to securely reset and synchronize their own passwords on any system or application.
For more information on Courion’s Enterprise Provisioning Suite, visit www.rsleads.com/703ht-201