Identity Management System Helps Cure Hospital's Security Ills

An identity management system helped Children's Hospital Boston surmount problems with passwords and system accounts.

Implementing an enterprise-class identity management application can be difficult for any organization. But few would have to overcome the hurdles that Children's Hospital Boston did when it deployed Courion Corp.'s Identity Management Suite to handle password resets and account provisioning.

eWEEK Labs recently went on-site at Children's to learn why the hospital decided to implement a new identity management system and how the hospital's IT staff and end users solved the problems that inefficient password management and multiple authentication authorities were causing for its security infrastructure.

In addition to treating more than 300,000 patients each year, Children's is the world's largest pediatric research facility. As such, it deals with unique challenges, including (but not limited to) 300 new interns each spring, each of whom must be provided passwords and system accounts; a highly mobile work force that needs to access information from surgical units, inpatient floors and offices; high-ranking researchers and surgical chiefs who aren't employees of the hospital; lots of legacy systems and applications; departmental IT groups that run their own account management systems; and the need to comply with strict government regulations such as HIPAA (Health Insurance Portability and Accountability Act).


The hospital also faced many of the same password management problems that other organizations do, such as account sharing and passwords written on sticky notes.

Before Version 6.0 of the Courion suite was implemented in late 2002, many authentication systems were in place, including those in PeopleSoft Inc.'s HRMS, Netscape Communications Corp. e-mail, Oracle Corp.'s Oracle database, and several vertical health care and internally built applications. This led to many orphaned accounts and bad passwords.

Making matters worse was the inefficiency of Children's old account creation process. Users would send a fax requesting an addition or a change to an account, and a help desk staffer would enter this request by hand into the hospital's help desk system. New users would then be created in each of the different authentication areas. "It would take eight days at best and often three weeks for new accounts to be created," said Scott Lenzi, information security analyst at the hospital. "The user community was frustrated."

When Children's decided to look for a more automated system, a positive user experience was at the top of its priority list. "We were looking for a solution that would provide a quick win," said Kevin Murray, operating systems manager at the hospital.

After deciding in early 2002 that the efficiency of password and account management needed improvement, the IT staff evaluated several solutions. These included products from Access360 (since acquired by IBM), BMC Software Inc., Business Layers (since acquired by Netegrity Inc.), M-Tech Information Technology Inc. and Waveset Technologies Inc.

The decision was made to go with Courion's Identity Management Suite, said Murray, in large part because of its superior password reset capabilities, but even more so for its account creation capabilities. In addition, unlike other products the Children's IT staff evaluated, Courion's suite integrates with the hospital's legacy Hewlett-Packard Co. VMS and Alpha systems, as well as with its diverse application infrastructure.

The payoff: The successful implementation of the password and account management features of Courion's Identity Management Suite has resulted in 2,000 fewer support calls and more than $200,000 in recovered costs, according to Murray.

