Identity Management System Helps Cure Hospital's Security Ills - Page 2

Getting Buy-In

Leading up to the initial pilot implementation, the Children's IT staff did a lot of upfront work with power users and department heads to find out how to make the system work in a way that would be the least painful to users and would cause minimal disruption to routines. "These groups were valuable to helping us find out where we had it right and where we had it wrong [in terms of initial plans]," said David Leary, desktop service integrator at Children's.

The Children's Hospital team also had to reconcile conflicting requirements: processes had to stay simple, yet the staff could not rely on a handful of default user templates, because hospital and research workers are diverse groups with distinct cultures and access needs.

Seemingly simple issues, such as what questions could be asked when users were resetting their own passwords, turned into big hurdles. "It took longer than the technical issues," said Leary. And unlike IT departments at many other organizations, the IT staffers at Children's cannot mandate requirements. "You can't just say to the chief of surgery, 'You will do it this way,'" said Murray.

After just two or three days of training with Courion, said Lenzi and Leary, it took only one day to install the initial testing implementation of PasswordCourier and ProfileCourier. However, while this went quickly, Lenzi and Leary took their time with the production rollout to make sure things went smoothly.

"We launched an internal campaign to clean up the ID info across all the hospital systems and applications," said Lenzi. "We weren't going to allow bad data and bad account info into the system." The group also developed internal tools to identify and manage differences between directories and to find problems such as duplicate and orphaned accounts.
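The cleanup step described above, reconciling accounts across systems against an authoritative list of people before any of it is fed into an identity management product, is the part a practitioner would most want to see concretely. The following is an added example in Python, not the hospital's internal tooling or Courion code. It assumes an HR feed as the source of truth for who exists and whether they are still active, plus per-system account exports, all of which are constructed inline; the system names, employee IDs and email addresses are placeholders.

```python
"""Account reconciliation: flag duplicate and orphaned accounts across directories.

Added example, not code from Children's Hospital or Courion. Assumes:
  - an authoritative people feed (HR) keyed by employee ID, with an active flag
  - account exports from each system, some already linked to an employee ID,
    some only linkable by email, some with no owner at all
All data below is constructed for the example.
"""
from typing import Dict, List, Optional, Tuple
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    employee_id: Optional[str]   # link to the HR record, if the export has one
    email: Optional[str]
    enabled: bool = True


# Constructed HR feed: who exists and whether they are still employed.
HR_PEOPLE: Dict[str, dict] = {
    "E1001": {"name": "A. Smith", "email": "ASmith@example.org", "active": True},
    "E1002": {"name": "B. Jones", "email": "bjones@example.org", "active": True},
    "E1003": {"name": "C. Lee",   "email": "clee@example.org",   "active": False},  # terminated
}

# Constructed account exports from three systems.
ACCOUNTS: List[Account] = [
    Account("nt_domain", "asmith",  "E1001", "asmith@example.org"),
    Account("nt_domain", "asmith2", "E1001", "asmith@example.org"),   # second account, same person
    Account("nt_domain", "clee",    "E1003", "clee@example.org"),     # owner no longer employed
    Account("lab_unix",  "bjones",  "E1002", "bjones@example.org"),
    Account("lab_unix",  "tmpuser", None,    None),                   # nobody owns this
    Account("ehr",       "bjones",  None,    "bjones@example.org"),   # unlinked, but matchable
]


def link_by_email(accounts: List[Account], people: Dict[str, dict]) -> List[Account]:
    """Fill in a missing employee_id when the account's email matches exactly one HR record."""
    by_email: Dict[str, str] = {}
    for eid, p in people.items():
        by_email.setdefault(p["email"].lower(), eid)
    linked = []
    for a in accounts:
        if a.employee_id is None and a.email and a.email.lower() in by_email:
            a = Account(a.system, a.username, by_email[a.email.lower()], a.email, a.enabled)
        linked.append(a)
    return linked


def find_duplicates(accounts: List[Account]) -> Dict[Tuple[str, str], List[str]]:
    """One person holding more than one account in the same system."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for a in accounts:
        if a.employee_id:
            seen.setdefault((a.system, a.employee_id), []).append(a.username)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def find_orphans(accounts: List[Account], people: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Accounts with no owner in HR, or whose owner is no longer active."""
    orphans = []
    for a in accounts:
        person = people.get(a.employee_id) if a.employee_id else None
        if person is None:
            orphans.append((a.system, a.username, "no owner"))
        elif not person["active"]:
            orphans.append((a.system, a.username, "owner inactive"))
    return orphans


def reconcile(accounts: List[Account], people: Dict[str, dict]) -> dict:
    """Link what can be linked, then report what must be fixed before loading the IdM system."""
    linked = link_by_email(accounts, people)
    return {"duplicates": find_duplicates(linked), "orphans": find_orphans(linked, people)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(reconcile(ACCOUNTS, HR_PEOPLE))
```

On the sample data this reports one duplicate pair in the NT domain, one account whose owner has been terminated and one with no owner at all; the unlinked EHR account is silently attached to its owner by email and is not flagged. In practice the email match should be reviewed before it is trusted, since shared or recycled mailboxes can link an account to the wrong person.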

Lenzi said the IT department also did a kind of internal marketing campaign to let workers know that PasswordCourier would be implemented and to provide information on how users could access accounts. "We realized that once we had the name players engaged, the effort it would require to get things moving would lessen," he said.

Although the IT group didn't have to do any direct scripting to integrate PasswordCourier, it did perform several interesting customizations to ease the user experience and remove hurdles to adoption.

One of the more interesting customizations: The IT staff used scripting to make the Direct password reset client appear in place of the normal log-in when Windows started up, with similar functionality (see screen, left). In this way, the button for changing a password is in front of the user at the moment he or she is most likely to realize there is a password issue. "I felt that if we had just delivered the standard client as it was on the first day, there would have been widespread panic," said Leary.

Children's IT staff also wrote a script that reminded users when their Windows NT password, the gateway password for most users, was about to expire and sent them to PasswordCourier via a link to the application's Web interface.
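The article does not show the hospital's reminder script, so the following is an added Python example of the same idea, not the hospital's code. It works from an exported list of accounts carrying the directory's pwdLastSet value (a Windows FILETIME: 100-nanosecond intervals since 1601-01-01) and the userAccountControl flags, and computes who is inside the warning window for a given maximum password age. The account rows, the reference time, the 90-day maximum age and the 14-day warning window are all constructed for the example.

```python
"""Password-expiry reminder list, as an added example (not the hospital's NT script).

Assumes per-account rows exported from the directory with:
  - pwdLastSet: Windows FILETIME (100 ns units since 1601-01-01 UTC); 0 means
    the user must change the password at next logon
  - uac: userAccountControl bit flags; 0x10000 is DONT_EXPIRE_PASSWORD
Sample rows, reference time and policy values are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (100 ns ticks) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample rows."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def days_until_expiry(pwd_last_set: int, uac: int, max_age_days: int, now: datetime) -> Optional[int]:
    """None if the password never expires; 0 if it must be changed now;
    negative if it is already past the maximum age."""
    if uac & DONT_EXPIRE_PASSWORD:
        return None
    if pwd_last_set == 0:
        return 0                      # must change at next logon
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    return (expires - now).days


def users_to_remind(rows: List[dict], max_age_days: int, warn_days: int, now: datetime) -> List[Tuple[str, int]]:
    """Accounts whose password expires within warn_days (or already has)."""
    out = []
    for r in rows:
        d = days_until_expiry(r["pwdLastSet"], r["uac"], max_age_days, now)
        if d is not None and d <= warn_days:
            out.append((r["sam"], d))
    return out


# Constructed sample: a fixed "now" so the result is reproducible.
NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sam": "alice", "uac": 0x200, "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=80))},
    {"sam": "bob",   "uac": 0x200, "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sam": "carol", "uac": 0x200 | DONT_EXPIRE_PASSWORD,
                     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sam": "dave",  "uac": 0x200, "pwdLastSet": 0},
    {"sam": "erin",  "uac": 0x200, "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=100))},
]

if __name__ == "__main__":
    for sam, days in users_to_remind(SAMPLE, max_age_days=90, warn_days=14, now=NOW):
        print(f"{sam}: password expires in {days} day(s); reset it via the PasswordCourier Web link")
```

With a 90-day maximum age and a 14-day window, alice (10 days left), dave (must change now) and erin (10 days overdue) are listed; bob is not, and carol is skipped because her account is flagged to never expire. Accounts with that flag set are worth a separate report of their own, since they are the ones a reminder script will never touch.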

Although it may seem surprising, the Children's Hospital IT staff chose not to remove any native password applications. "We let the power users do what they want," said Lenzi.

While the password reset features provide the most visible and obvious benefits to users and were what originally got Courion through the door at the hospital, the Children's IT staff knew that the biggest payoff would come from implementing the AccountCourier module to improve account management.

The upfront work the staff did in deploying PasswordCourier greatly reduced the time and effort required to deploy the account management piece. "Because of the work we did with PasswordCourier and ProfileCourier, we were able to shave three weeks off the rollout of AccountCourier," said Lenzi.

Much of the planning focused on making the AccountCourier rollout essentially invisible to users and managers. To help with this, the IT staff tied existing applications into AccountCourier. "We already had a Web form where managers could request account access for users," said Lenzi. "We hijacked that form and rearchitected it for AccountCourier."

AccountCourier has significantly reduced the amount of time it takes IT staff to create accounts—from as long as three to four weeks in the old system to about 10 minutes now.

Currently, the IT staff has decided against implementing workflows that would allow managers to grant account access themselves. "We haven't given anyone the keys, but we have removed a lot of the upfront work," said Leary.

The improved efficiencies and return on investment were key benefits of moving password and account management to Courion, said Murray, but these paled in comparison with the ability the IT staff now has to bring security management practices in line with regulations and to help hospital staff do their jobs more effectively. "The business impact was tertiary behind helping with HIPAA and providing a better user experience," said Murray. "The faster physicians are able to access information, the better the care."

While some kind of single-sign-on implementation seems logical for the hospital's needs, the IT staff has not brought anything in yet. There is a big drive to do so, said Leary, but for now, Children's is satisfied with the advances it has achieved. "While we don't have single sign-on now," Leary said, "we have currently achieved less frequent sign-on."

Lenzi said the hospital is also looking at building a more centralized directory to help offset the problems of dealing with many separate user directories and authentication mechanisms. To help address password and authentication issues, the IT staff has also considered biometric solutions. However, that initiative has been put on the back burner because of the ever-present cultural problems at the hospital, said Lenzi, as well as more practical problems, such as the difficulty that biometric systems might have with hospital gloves and masks.

Hospital IT staffers are currently evaluating Version 6.5 of the Courion software and said they think it will be a quick and simple process to update the suite. Among the new features the team is interested in is the ability to send XML to Courion to start workflows.

Labs Director Jim Rapoza can be reached at
