WellSpan Health

Identity Governance & Administration Case Study

Overview

WellSpan selected Core Security’s Identity Governance & Administration Solution to ensure that access to information, buildings and systems was given to the right people at the right time.

Key Results Include:

  • Increased operational efficiency and transparency 
  • Strengthened security 
  • Improved compliance 
  • Delivered fast time to value and the lowest total cost of ownership

Background

Serving south central Pennsylvania and northern Maryland, WellSpan is a not-for-profit community resource that provides more than $18 million each year in uncompensated medical and outreach services, supplies and physician care.

The Challenge

Through its acquisition of medical offices and health centers, WellSpan has experienced significant growth, leading to a substantial increase in the number of clinical applications and users it supports. With more than 50 different clinical applications running across the organization and a user population that includes 300 to 350 employee physicians and 350 to 400 non-employee affiliated physicians, WellSpan recognized that it needed to make changes to its manual operations and pursue the implementation of automated identity management and user provisioning in order to provide the best employee experience and deliver superior patient care. 

In its pursuit of an automated solution to address its identity management and user provisioning challenges, WellSpan identified the following key objectives in its effort to improve employee access and productivity while demonstrating the necessary security and regulatory compliance:

  • Automating the provisioning process to grant employees access to the appropriate patient information to streamline patient care 
  • Implementing self-service password management 
  • Verifying access control 
  • Demonstrating HIPAA and other regulatory compliance 

WellSpan used these objectives as a guideline for identifying the solution to meet its automation, security, and regulatory needs.

The Approach

WellSpan chose Core Security’s Identity Governance & Administration solution to automate user provisioning, account disabling, self-service password management and access verification. WellSpan selected Core Security because of the company’s proven ability to streamline the user provisioning process, while providing the foundation for a strong identity management security policy and ensuring adherence to compliance requirements. Additionally, Core Security had the only solution that demonstrated it could easily integrate with the hundreds of healthcare-specific platforms currently deployed, such as Cerner Millennium, Eclipsys, and GE Healthcare Centricity RIS-PACS.

In advance of kicking off its automated user provisioning, WellSpan created a comprehensive Electronic Health Record (EHR) for every patient. While centralizing all patient data in one record improved efficiency for administrators and clinicians, WellSpan recognized that EHRs presented privacy and security challenges. WellSpan needed to ensure that access to health information was controlled without disrupting the clinical workflow, while at the same time ensuring that audit and compliance requirements were being met. Core Security’s Identity Governance & Administration solution demonstrated the ability to grant the appropriate user access to EHRs in the clinical systems, while doing it in compliance with government regulations for patient privacy.

Managing the Identity Crisis

A common challenge among healthcare organizations is to ensure that users have proper access to clinical applications and patient data so they can deliver effective patient care. Additionally, this access must be granted in compliance with government regulations requiring minimum necessary access and patient privacy. WellSpan’s challenge was no different – the need to provide its clinical workforce appropriate access to vital patient information through a variety of clinical systems to effectively and immediately provide patient care. 

To manage the identity crisis resulting from granting application access, resetting passwords and adhering to compliance requirements, WellSpan decided to implement an automated solution that would increase the reliability of user IDs and passwords, maintain the integrity of information that was becoming unmanageable, and support a critical mass of users and applications. 

Automated user provisioning and self-service password reset immediately improved WellSpan’s productivity, while still enabling WellSpan to maintain tight control over access to its clinical systems. Even while computer terminals were being shared by multiple employees, contractors, and additional third parties, WellSpan adhered to HIPAA regulations and its own security and compliance standards.

Moving From Manual to Automated Processes

In choosing an automated provisioning solution, WellSpan needed to address four main areas: supporting merger and acquisition activity and continued growth in clinical applications and IT users; streamlining access changes which were taking up to three months; demonstrating HIPAA and other regulatory compliance; and enabling care transformation by facilitating clinical application access control. 

With a deep penetration in the healthcare market and a history of successful customers in production, Core Security’s Identity Governance & Administration solution demonstrated the ability to streamline the user provisioning process while providing the foundation for enforcing security policies and ensuring adherence to compliance requirements. 

WellSpan’s starting point for implementation was to automate the provisioning of new users and the disabling of existing users’ accounts to speed up the process and close security vulnerabilities. WellSpan wanted a direct feed from its Lawson HR system to automatically kick off provisioning actions for its workforce.

From a provisioning and access control perspective, the most critical systems for automating the provisioning process were identified as GE Healthcare Centricity RIS-PACS, Cerner Millennium for EMR and Eclipsys for patient insurance and demographics. 

Prior to the implementation, all new user accounts were being provisioned to these systems manually; the human resources system would send an automatic notification, or paper access requests were faxed and entered into the help desk manually. It could take up to 20 minutes to an hour for one new user to be manually provisioned with the correct access. However, the bigger problem was making changes to account access settings, which could take anywhere from one week to three months. 

The same was found to be true in disabling user accounts, a task mainly handled by one person. If that person was out sick or had the day off, disable requests would have to wait to be completed, creating orphaned accounts: access was left activated for users no longer with the organization, exposing it to serious security risks. Now all provisioning of ‘basic access’ is automated directly from the Lawson HR system. A new user is automatically provisioned with basic access and the hiring manager then initiates additional access using other workflows.

The Result

Immediate results were seen in the transformation of how password reset and synchronization were being handled. WellSpan has been able to enforce a strong password management policy that eliminates loopholes and careless mistakes in the password reset process. By reducing calls to the help desk, WellSpan has been able to free up a tremendous amount of resources to tackle more forward-looking and ambitious projects. Most importantly, WellSpan has a system in place that allows its workforce population to securely reset and synchronize their own passwords on any system or application. 

Additionally, Core Security provided the ability to take a role-based approach to access control. With business and clinical applications tied to the human resources systems, WellSpan has defined and plans to implement 100 roles for employees, credentialed doctors, nurses, and departmental staff. Based on this definition, individuals’ access rights will be linked to their roles in the organization, ensuring compliance with HIPAA and similar regulations. 

By automating the provisioning process, WellSpan was able to drastically reduce time to access from months to mere minutes. The time and cost savings of provisioning 40 to 60 new hires and deprovisioning 10 to 20 terminations per week are more than significant. Automating the provisioning process has also provided even greater confidence in the enforcement of tight security and strict privacy policies around systems access and patient health information. Most importantly, WellSpan is able to continue to provide a high level of patient care by ensuring that caregivers have the required access to critical applications and systems, while safeguarding patients’ privacy by securing patient data and information.

Since deploying Core Security’s Identity Governance & Administration solution, WellSpan has achieved a more productive, efficient approach to managing identities, avoiding the costs associated with hiring additional staff, demonstrating regulatory compliance by enforcing strong security policies, and streamlining access control and the auditing process.

 

"By automating the provisioning process, WellSpan was able to drastically reduce time-to-access from months to mere minutes. The time and cost savings of provisioning 40 to 60 new hires and deprovisioning 10 to 20 terminations per week are more than significant."

William Gillespie, VP and CIO, WellSpan Health
