Implementing an enterprise-class identity management application can be difficult for any organization. But few would have to overcome the hurdles that Children's Hospital Boston did when it deployed Courion Corp.'s Identity Management Suite to handle password resets and account provisioning.
eWEEK Labs recently went on-site at Children's to learn why the hospital decided to implement a new identity management system and how the hospital's IT staff and end users solved the problems that inefficient password management and multiple authentication authorities were causing to their security infrastructure.
In addition to treating more than 300,000 patients each year, Children's is the world's largest pediatric research facility. As such, it deals with unique challenges, including (but not limited to) 300 new interns each spring, each of whom must be provided passwords and system accounts; a highly mobile work force that needs to access information from surgical units, inpatient floors and offices; high-ranking researchers and surgical chiefs who aren't employees of the hospital; lots of legacy systems and applications; departmental IT groups that run their own account management systems; and the need to comply with strict government regulations such as HIPAA (Health Insurance Portability and Accountability Act).
The hospital also faced many of the same password management problems that other organizations do, such as account sharing and passwords written on sticky notes.
Before Version 6.0 of the Courion suite was implemented in late 2002, many authentication systems were in place, including those in PeopleSoft Inc.'s HRMS, Netscape Communications Corp. e-mail, Oracle Corp.'s Oracle database, and several vertical health care and internally built applications. This led to many orphaned accounts and bad passwords.
Making matters worse was the inefficiency of Children's old account creation process. Users would send a fax requesting an addition or a change to an account, and a help desk staffer would enter this request by hand into the hospital's help desk system. New users would then be created in each of the different authentication areas. “It would take eight days at best and often three weeks for new accounts to be created,” said Scott Lenzi, information security analyst at the hospital. “The user community was frustrated.”
When Children's decided to look for a more automated system, a positive user experience was at the top of its priority list. “We were looking for a solution that would provide a quick win,” said Kevin Murray, operating systems manager at the hospital.
After deciding in early 2002 that the efficiency of password and account management needed improvement, the IT staff evaluated several solutions. These included products from Access360 (since acquired by IBM), BMC Software Inc., Business Layers (since acquired by Netegrity Inc.), M-Tech Information Technology Inc. and Waveset Technologies Inc.
The decision was made to go with Courion's Identity Management Suite, said Murray, in large part because of its superior password reset capabilities, but even more so for its account creation capabilities. In addition, unlike other products the Children's IT staff evaluated, Courion's suite integrates with the hospital's legacy Hewlett-Packard Co. VMS and Alpha systems, as well as with its diverse application infrastructure.
The payoff: The successful implementation of the password and account management features of Courion's Identity Management Suite has resulted in 2,000 fewer support calls and more than $200,000 in recovered costs, according to Murray.
Getting Buy-In
Leading up to the initial pilot implementation, the Children's IT staff did a lot of upfront work with power users and department heads to find out how to make the system work in a way that would be the least painful to users and would cause minimal disruption to routines. “These groups were valuable to helping us find out where we had it right and where we had it wrong [in terms of initial plans],” said David Leary, desktop service integrator at Children's.
The Children's Hospital team also had to deal with the conflicting requirements of keeping processes simple while not being able to use lots of default user templates because of the diverse nature and cultural issues of hospital and research workers.
Seemingly simple issues, such as what questions could be asked when users were resetting their own passwords, turned into big hurdles. “It took longer than the technical issues,” said Leary. And unlike IT departments at many other organizations, the IT staffers at Children's cannot mandate requirements. “You can't just say to the chief of surgery, ‘You will do it this way,’” said Murray.
After just two or three days of training with Courion, said Lenzi and Leary, it took only one day to install the initial testing implementation of PasswordCourier and ProfileCourier. However, while this went quickly, Lenzi and Leary took their time with the production rollout to make sure things went smoothly.
“We launched an internal campaign to clean up the ID info across all the hospital systems and applications,” said Lenzi. “We weren't going to allow bad data and bad account info into the system.” The group also developed internal tools to identify and manage differences in directories and to find problems such as duplicate and orphaned accounts.
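The kind of directory clean-up described above, reconciling an authoritative HR roster against exports from separate authentication authorities before any of them are loaded into a provisioning system, as an added illustration (not the hospital's or Courion's tooling; the roster, the account exports, the system names and the field names are all constructed):

```python
"""Reconcile an HR roster against several account exports to surface orphaned
accounts, duplicate accounts and users who were never provisioned in a system.
Added example with constructed data; the e-mail address is assumed to be the
attribute shared across all systems."""
from collections import defaultdict

# Constructed HR roster: the authoritative record of who currently works here.
HR_ROSTER = [
    {"emp_id": "1001", "email": "a.rivera@example.org", "status": "active"},
    {"emp_id": "1002", "email": "b.chen@example.org", "status": "active"},
    {"emp_id": "1003", "email": "c.okafor@example.org", "status": "terminated"},
]

# Constructed exports from two separate authentication authorities.
DIRECTORIES = {
    "nt_domain": [
        {"login": "arivera", "email": "a.rivera@example.org"},
        {"login": "bchen", "email": "b.chen@example.org"},
        {"login": "cokafor", "email": "c.okafor@example.org"},  # left behind
        {"login": "temp42", "email": ""},                       # no owner
    ],
    "mail": [
        {"login": "a.rivera", "email": "a.rivera@example.org"},
        {"login": "arivera2", "email": "a.rivera@example.org"},  # duplicate
    ],
}


def reconcile(roster, directories):
    """Return a report with three lists:
    orphaned   - (system, login, reason): account with no active HR owner
    duplicates - (system, email, logins): one person, several accounts
    missing    - (system, email): active person with no account in that system"""
    active = {r["email"].lower() for r in roster if r["status"] == "active"}
    known = {r["email"].lower() for r in roster}
    report = {"orphaned": [], "duplicates": [], "missing": []}
    for system, accounts in directories.items():
        by_email = defaultdict(list)
        for acct in accounts:
            email = acct["email"].lower()
            if not email or email not in known:
                report["orphaned"].append((system, acct["login"], "no HR record"))
            elif email not in active:
                report["orphaned"].append((system, acct["login"], "HR status not active"))
            else:
                by_email[email].append(acct["login"])
        for email, logins in by_email.items():
            if len(logins) > 1:
                report["duplicates"].append((system, email, sorted(logins)))
        for email in sorted(active - set(by_email)):
            report["missing"].append((system, email))
    return report
```

Orphaned entries are the ones to disable and review before migration; the "missing" list is what a provisioning workflow would create on day one.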
Lenzi said the IT department also did a kind of internal marketing campaign to let workers know that PasswordCourier would be implemented and to provide information on how users could access accounts. “We realized that once we had the name players engaged, the effort it would require to get things moving would lessen,” he said.
Although the IT group didn't have to do any direct scripting to integrate PasswordCourier, it did perform several interesting customizations to ease the user experience and remove hurdles to adoption.
One of the more interesting customizations: The IT staff used scripting to make the Direct password reset client appear in place of the normal log-in when Windows started up, with similar functionality (see screen, left). In this way, the button for changing a password is in front of the user at the moment he or she is most likely to realize there is a password issue. “I felt that if we had just delivered the standard client as it was on the first day, there would have been widespread panic,” said Leary.
Children's IT staff also wrote a script that reminded users when their Windows NT password—the gateway password for most users—was about to expire and sent them to PasswordCourier via a link to the application's Web interface.
Although it may seem surprising, the Children's Hospital IT staff chose not to remove any native password applications. “We let the power users do what they want,” said Lenzi.
While the password reset features provide the most visible and obvious benefits to users and were what originally got Courion through the door at the hospital, the Children's IT staff knew that the biggest payoff would come from implementing the AccountCourier module to improve account management.
The upfront work the staff did in deploying PasswordCourier greatly reduced the time and effort required to deploy the account management piece. “Because of the work we did with PasswordCourier and ProfileCourier, we were able to shave three weeks off the rollout of AccountCourier,” said Lenzi.
Much of the planning focused on making the AccountCourier rollout essentially invisible to users and managers. To help with this, the IT staff tied existing applications into AccountCourier. “We already had a Web form where managers could request account access for users,” said Lenzi. “We hijacked that form and rearchitected it for AccountCourier.”
AccountCourier has significantly reduced the amount of time it takes IT staff to create accounts—from as long as three to four weeks in the old system to about 10 minutes now.
Currently, the IT staff has decided against implementing workflows that would allow managers to grant account access themselves. “We haven't given anyone the keys, but we have removed a lot of the upfront work,” said Leary.
The improved efficiencies and return on investment were key benefits of moving password and account management to Courion, said Murray, but these paled in comparison with the ability the IT staff now has to bring security management practices in line with regulations and to help hospital staff do their jobs more effectively. “The business impact was tertiary behind helping with HIPAA and providing a better user experience,” said Murray. “The faster physicians are able to access information, the better the care.”
While some kind of single-sign-on implementation seems logical for the hospital's needs, the IT staff has not brought anything in yet. There is a big drive to do so, said Leary, but for now, Children's is satisfied with the advances it has achieved. “While we don't have single sign-on now,” Leary said, “we have currently achieved less frequent sign-on.”
Lenzi said the hospital is also looking at building a more centralized directory to help offset the problems of dealing with many separate user directories and authentication mechanisms. To help address password and authentication issues, the IT staff has also considered biometric solutions. However, that initiative has been put on the back burner because of the ever-present cultural problems at the hospital, said Lenzi, as well as more practical problems, such as the difficulty that biometric systems might have with hospital gloves and masks.
Hospital IT staffers are currently evaluating Version 6.5 of the Courion software and said they think it will be a quick and simple process to update the suite. Among the new features the team is interested in is the ability to send XML to Courion to start workflows.
Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.