User Provisioning Best Practices


May 2011

By Parrish Aharam
Manager, Aspen Advisors

Identity management has become a priority for healthcare organizations as they rely on technology to support operations and care delivery. The HIPAA Privacy and Security Rules, technology audit requirements, and the growing number of users who need access to multiple systems are driving the need to streamline user provisioning (automating and tracking user setup). Granting access rights to IS applications faster and more accurately increases IS efficiency, improves service, and reduces the time IS security administration spends on these repetitive tasks. This article is Part II of the Identity Management series and focuses on user provisioning. Its intent is to assist healthcare organizations with planning and implementing this important initiative.

Overview of User Provisioning

User provisioning automates the setup, modification, and termination of healthcare organization staff accounts in various systems based on each person's responsibilities and role in the organization. A user provisioning system can be broken down into five components: triggering systems, the provisioning system itself, the role database, user authentication together with the confidentiality repository, and reporting.

Triggering Systems

Triggering systems such as HR and credentialing applications initiate the majority of transactions in the provisioning system. Most healthcare organizations have at least one or two HR systems that store employee, non-employee, and physician data. These HR systems kick off activity in the provisioning system. For example, a new employee is typically entered into the HR system when hired; on the employee's first day, the HR system sends a message to the provisioning system that the new user has started, and the provisioning system executes the setup based on the information in that message.

There are cases in which organizations store non-employee data and physician data in other systems; for example, some organizations maintain physician data in their credentialing system. If so, trigger mechanisms must be created from those systems as well.

Provisioning System

The provisioning system automates setup in the applications to which users most frequently require access. For most provisioning vendors, this includes creating the network account and the email account. The network account is a prerequisite for setting up a user in many clinical and business systems, because those systems key on the user's network ID. Setup of clinical and business applications can also be automated: the vendor works with the organization to build a custom-developed "bridge" that replaces the manual steps the security team currently performs to set up a user in that application. The bridge simulates what the security team does to create a user in the application.

Some vendors also offer manual provisioning, in which the provisioning system displays all of the values required to set up a user in an application based on job title and demographics but relies on the security administration team to enter them, whereas automated provisioning performs those steps itself. At each step of the workflow, the provisioning system emails or otherwise notifies the end user, manager, or security administrator when an action is needed to keep the process moving.

In addition to user setup, the provisioning system automatically processes terminations and modifications; modifications may include demographic changes or medical staff suspensions. The provisioning system also serves as the main reporting tool for HIPAA audits, whether performed by an outside organization or the internal audit department.

Role Database

The third component of the user provisioning system is the role database. It stores the job titles, locations, and other attributes that define every role in the organization, together with the values, such as the level of access a user has in each system, that must be set up for that role. The provisioning system combines the role database with the data from the triggering system to set up the user in the various applications. The role database takes the guesswork out of setting up a user: with it, the security administrator knows exactly how to set up users based on their job functions. The role database must be created by the provisioning team, since at the time of writing there are no suitable products that perform this function out of the box. Once created, the security administration team must maintain it so that every role has the correct access in the applications administered by the provisioning system.

User Authentication and Confidentiality Repository

Two additional components are user authentication and the confidentiality repository. The user authentication component lets users reset their own network passwords and lets the help desk or security administration verify a caller's identity during a support call. It is typically bundled with user provisioning systems, although the bundled capabilities may not fully meet an organization's needs.

The confidentiality repository contains the IS access agreements signed by contractors and other non-employees. It is an important means of verifying non-employees who may not be in the user authentication system, and it simplifies obtaining the non-employee data required for user provisioning.

Reporting

Finally, the reporting solution provides the ability to pull data for particular users or about who has access to which applications. Not all provisioning systems include reporting tools out of the box, and the information required for a report may be scattered across multiple data sources, such as the provisioning system and the user authentication system. A report repository lets security administration use one tool to support both user inquiries and audit requirements.
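As an added illustration that is not part of the original white paper, the following Python sketch models the pipeline the components above describe: a constructed HR trigger feed drives a provisioning engine that looks up entitlements in a role database, creates the network account first because the other systems key on the network ID, removes access that a new role does not carry, disables every recorded account on termination instead of relying on a guess, routes unknown roles and unknown people to manual provisioning, and keeps a per-transaction history for audit reporting. The role entries, application names, access levels, event format, and identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Role database: job title -> {application: access level}. Constructed for this
# example; a real role database is built and maintained by the provisioning team.
ROLE_DB: Dict[str, Dict[str, str]] = {
    "Registered Nurse":    {"network": "standard", "email": "mailbox", "ehr": "nurse"},
    "Nurse Manager":       {"network": "standard", "email": "mailbox", "ehr": "nurse",
                            "scheduling": "manager"},
    "Attending Physician": {"network": "standard", "email": "mailbox", "ehr": "physician"},
}


@dataclass
class TriggerEvent:
    """One record from the HR or credentialing trigger feed (constructed format)."""
    action: str                    # "hire", "modify" or "terminate"
    person_id: str                 # HR identifier, not the network ID
    job_title: Optional[str] = None


class ProvisioningSystem:
    def __init__(self, role_db: Dict[str, Dict[str, str]]):
        self.role_db = role_db
        self.accounts: Dict[str, Dict[str, str]] = {}   # current access per person
        self.audit_log: List[dict] = []                  # every transaction, in order
        self.manual_queue: List[TriggerEvent] = []       # events that need a human

    def _apply(self, person_id: str, app: str, op: str, access: Optional[str]) -> None:
        """Stand-in for the application 'bridge'; records the transaction for audit."""
        # A real bridge would drive the application's account setup here; this
        # example only updates in-memory state.
        if op == "disable":
            self.accounts[person_id].pop(app, None)
        else:
            self.accounts[person_id][app] = access
        self.audit_log.append({"seq": len(self.audit_log) + 1, "person": person_id,
                               "app": app, "op": op, "access": access})

    def handle(self, ev: TriggerEvent) -> str:
        """Process one trigger event; returns 'automated' or 'manual'."""
        if ev.action == "terminate":
            current = self.accounts.get(ev.person_id)
            if current is None:
                self.manual_queue.append(ev)      # unknown person: do not guess
                return "manual"
            # Disable every account the system has a record of, not a best guess.
            for app in sorted(current):
                self._apply(ev.person_id, app, "disable", None)
            return "automated"

        if ev.action not in ("hire", "modify"):
            raise ValueError(f"unknown trigger action {ev.action!r}")

        wanted = self.role_db.get(ev.job_title or "")
        if wanted is None:
            self.manual_queue.append(ev)          # role not in database: manual setup
            return "manual"

        current = self.accounts.setdefault(ev.person_id, {})
        # Network account first: the clinical/business systems key on the network ID.
        for app in sorted(wanted, key=lambda a: (a != "network", a)):
            if current.get(app) != wanted[app]:
                op = "create" if app not in current else "modify"
                self._apply(ev.person_id, app, op, wanted[app])
        # A role change also removes access the new role does not carry.
        for app in sorted(set(current) - set(wanted)):
            self._apply(ev.person_id, app, "disable", None)
        return "automated"

    def access_history(self, person_id: str) -> List[dict]:
        """Audit report: every transaction ever recorded for one user."""
        return [e for e in self.audit_log if e["person"] == person_id]


def demo() -> ProvisioningSystem:
    """Constructed feed: hire, promotion, return to prior role, termination, unknown role."""
    ps = ProvisioningSystem(ROLE_DB)
    feed = [
        TriggerEvent("hire", "E1001", "Registered Nurse"),
        TriggerEvent("modify", "E1001", "Nurse Manager"),     # gains scheduling access
        TriggerEvent("modify", "E1001", "Registered Nurse"),  # scheduling access removed
        TriggerEvent("terminate", "E1001"),                   # all three accounts disabled
        TriggerEvent("hire", "C2001", "Travel Nurse"),        # no role entry: manual queue
    ]
    for ev in feed:
        ps.handle(ev)
    return ps
```

The two behaviours worth noting are the ones the paper calls out as weak points of manual administration: the termination branch disables exactly the set of accounts the audit log shows were provisioned, and a role change revokes entitlements as well as granting them, so access does not accumulate as staff move between positions.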

Benefits and Importance of User Provisioning

Benefits achieved by implementing a user provisioning system include: 1) security administration efficiency, 2) role-based system access, 3) audit capabilities, 4) staff satisfaction improvements, 5) integration with single sign-on, and 6) help desk efficiency.

Security Administration Efficiency

User setup in a healthcare organization can be time consuming. Setting up a single user in a complex clinical system can take up to half an hour, and most users require access to multiple systems; in an organization with a "best-of-breed" IT strategy, it may take two hours to set up a user in all of the systems that user needs. Given the number of staffing changes at a typical healthcare organization, among nurses, residents, physicians, and other allied health professionals, this is a significant resource investment by security administration and other IS staff. Access problems then generate help desk calls, which burden the customer support team staffing the service desk and lower IS customer satisfaction.

Terminating user system access is also challenging. Without a central record of the applications a user has access to, security administrators often rely on their best guess when removing access, so accounts can be missed. A terminated user whose accounts remain enabled is an audit finding and, worse, an open path for unauthorized access.

Keeping demographic information current in the various clinical systems is extremely important, yet difficult without a user provisioning system. For example, physician demographic information such as practice address must be kept up to date because it appears on a number of generated documents.

A user provisioning system addresses these efficiency issues. It significantly reduces the time required to set up and update system access, and it can modify demographic information or temporarily suspend a user. The time saved can be redirected to other security-related tasks and programs that further improve the security administration function.

Role-Based System Access

It is often difficult to determine which systems a user should access unless there is an existing individual to "model the user after." This is a common problem in user setup and can lead to inappropriate access, with resulting privacy and security issues.

Role-based system access is the foundation of a user provisioning system. It takes the guesswork out of user setup because access is granted strictly on the basis of a user's role or job title in the organization. Instead of one nurse manager having one set of access rights and another a completely different set, staff get only the system access the organizational standard defines for their role.

Audit Capabilities

At times, an organization's legal department may seek information on a current or former user's system access. Without a central repository that captures this information, confirming it is difficult and may require significant effort across multiple teams.

User provisioning systems automatically store the history of all user transactions, giving a simple audit trail for both active and inactive users. With automated provisioning, user access audits that used to take days take only hours, a significant saving in time and labor.

Staff Satisfaction Improvements

As noted above, providing access to the needed systems can take hours, or longer when many users start on the same day or the security team has competing priorities. Provisioning systems automate setup and let users be productive shortly after arriving on their first day. This also reduces help desk calls from users who lack the access their day-to-day responsibilities require.

Integration with SSO

Integration between SSO and provisioning systems is possible when both come from the same vendor: any user change in the provisioning system is reflected in the SSO system. This saves security administration time and reduces the risk of manual errors, and it is an important selection criterion when evaluating SSO and provisioning vendors.

Help Desk Efficiency

High help desk call volumes cause wait times, dissatisfied users, and potentially an impact on clinicians' care delivery. User provisioning decreases incoming help desk calls because users get correct system access immediately, and a self-service password reset capability, which a user provisioning system can provide, reduces password reset calls. Both produce significant time savings.

Exploring Different User Provisioning Approach Options

It is not realistic to automate all applications in the environment at once. There are several deployment options for a user provisioning system, and the right one depends on the organization's risk tolerance, budget, and the resources available to support the initiative.

The three options include: 1) conservative, which only automates one or two applications (typically the network and email accounts), 2) moderate, which automates the network, email applications, and one or two of the major clinical / business applications, and 3) extensive, which automates network, email, and three to six of the most used clinical / business applications.

Conservative

A conservative approach automates only the most heavily used applications: the network and email accounts. Some organizations also implement a few applications with manual provisioning, which displays all values required to set up a user in an application based on job function and demographics and sends email notifications, such as a request to set up a user or a user's login information. This approach is recommended under the following circumstances:

  • The security team does not have the bandwidth to support requirements, design, and testing of more than two applications;
  • The organization has a limited budget and / or aggressive timeline;
  • The organization's network ID rules are complex; for example, there is a character limit on the network ID, a policy against duplicates, and / or multiple roles may be required for one user;
  • Data cannot be easily obtained from the HR system; and / or
  • The organization doesn’t have an IS development team that can dedicate resources to learning the automation of applications in the provisioning system.

Although this approach provides less immediate benefit, because there is less automation and more reliance on the manual provisioning workflow, it is the safest. A user provisioning implementation is complex both technically and for end users. Starting small, getting used to the new processes, and adding other applications later is a good choice for many organizations.

Moderate

In addition to automating network and email account setup, the moderate approach automates access to one or two clinical applications. This is a more aggressive approach because requirements, design, and testing are more complex for a clinical application: the user setup process for these systems is typically not straightforward and requires significant development and testing. This approach should be used if:

  • The organization has the budget and resources to support it. This includes security administration, application development, and project management resources fully dedicated to the project;
  • Leadership expects a greater return on investment from day one, meaning at least two core clinical applications are automated along with the network and email accounts;
  • The security team is prepared for the change to current processes; and
  • The likelihood of an upgrade for clinical applications during the implementation is low.

Extensive

This is the most aggressive approach: it automates user setup in more than three applications in addition to the network and email systems. It is very risky and is not advised unless sufficient resources, time, and money are available.

Key Implementation Considerations

Too often an organization assumes that a user provisioning implementation is a simple deployment. To ensure success, there are a number of considerations that must be accounted for during planning including: technology, existing user access standards and processes, end users, training and communication, resources, deployment and activation, and ongoing support.

Technology Considerations

When considering the infrastructure for a user provisioning solution, there are several areas to evaluate. Testing the user provisioning system is critical, yet testing is not feasible in the production environment, so at a minimum two separate environments should be used over the lifetime of the system: one for development and testing, and a second for production. During the initial implementation it is also recommended to have a third environment so that development and testing can proceed in parallel, which matters when the timeline is aggressive. From a data standpoint, test with existing production data if possible; this helps catch the unknowns that would otherwise surface after go-live. Note that the HR feed and provisioning records contain personal data, so a test environment loaded with production data must be protected to the same standard as production.

During hardware sizing, organizations must consider the volume of users at a given period of time. For example, how many users attend orientation, and how often does it occur? Is there a large volume of nursing students or residents that all need system access at the same time? Are there any upgrades to the email system, network, standard operating systems, and / or applications during your implementation? The volume of users may impact the infrastructure sizing you’ll need to adequately support your provisioning implementation.

Existing User Access Standards and Processes

A user provisioning implementation provides an opportunity for business process improvement. Before developing the provisioning system requirements, security administration should map out its current business processes for user setup, modification, and termination. Documenting the current-state processes expedites requirements elicitation and lets the team identify gaps and issues in current procedures. Process changes will be required, and addressing these gaps at this stage improves the outcome of the implementation.

End User Considerations

The security team is the primary end user of the provisioning system, but there may be others, such as customer support (help desk) staff or system administrators who create user accounts. Customer support may enter the initial demographic information for a user; system administrators may complete user setup in applications with a complex setup process.

Regardless of the team, it is critical that all members are engaged early in the lifecycle, in particular in the requirements and design phases of the project. They should participate in requirements and design reviews. It is not advised to wait until testing to engage all end users.

Prior to deployment, it is also important to review the new business processes with the security team and other end users. All users must be aware of how they’ll use the new user provisioning system.

Training and Communication

There are two reasons why training and communication are essential. First, there are significant process changes. Second, if users are not properly trained on the system and its supporting processes, it will not be used. The project team should develop the training plan early in the project lifecycle, outlining the audience, timing, and supporting material required. Training material should cover both the business process and the system steps, and should be kept as simple as possible.

Resource Considerations

The implementation team will require both business and technical resources. The number will vary based on size of organization and implementation approach. The following roles are recommended on the project team:

  • Project manager to manage and support the organization’s and vendor’s activities;
  • Analyst to represent the end users and support requirements and testing;
  • Technical lead to obtain a strong understanding of the solution;
  • System administrator to manage infrastructure;
  • Database administrator to manage all databases; and
  • HR analyst and / or database administrator to support the development and testing of the trigger file.

An initiative like this has many moving parts within the IS organization, so it is especially important to assign a full-time project manager and analyst who have a strong background in the security organization's practices and in the setup, modification, and termination processes of all affected systems.

Deployment and Activation Considerations

The user provisioning deployment should be treated like any other major application go-live. Prepare a detailed cut-over checklist of all tasks required of the vendor and the organization, hold frequent status meetings to ensure activities finish on schedule, and deploy the software on a day when provisioning activity is light (for example, not the day of new-hire orientation).

All end users should be well prepared for the go-live. They need to understand the new processes, and it is good practice to have a mentor coach them over the first week.

Also make certain that the legacy user provisioning tools and processes are no longer used; retire them shortly after deploying the new system. The deployment will not succeed if users do not adopt the new processes.

Ongoing Support

After the deployment, regardless of how much you’ve tested, issues may arise. To alleviate these problems, make sure the core team, such as the project manager and analyst, is available 15 to 30 days after the release. The technical team should also be available to address defects and enhancements. Less support is required beyond 30 days assuming the system is stable and enhancements are not planned.

Organizations must decide how much they plan to rely on the vendor for post go-live support. If the organization plans to support everything itself, its development team must be engaged throughout the project lifecycle; the team cannot be expected to become proficient from a single training session or an hour-long conference call after go-live. Establish well-structured, agreed-upon operational support procedures in which all parties understand their roles and responsibilities and are trained to carry them out.

Planning for the User Provisioning Future

Assuming not all of the organization's applications were automated in the first phase, a detailed plan for future deployment should be developed; without this plan and the associated funding, further enhancements and automation are unlikely. The plan should identify all of the applications in the organization and prioritize them on factors such as setup complexity, number of users, automation complexity, cost, and resource availability. Once the applications are prioritized, the team should determine the phasing and whether each application will be automated or manually provisioned. After the plan is complete, a dedicated team should be identified to manage it to completion. Additional enhancements driven by business process changes or system upgrades will surface frequently, and this time should be accounted for when planning future releases.

Vendor Considerations and Management

One of the most important pieces of a successful implementation is the vendor or third-party advisor. A dependable vendor and a partner who can be trusted make implementation and ongoing support much easier. Factors to consider when selecting a vendor include:

  • Does the vendor have a proven track record? Are they willing to share references?
  • Does the vendor have appropriate project management practices in place? Do they supply their clients with a detailed work plan for the implementation?
  • Is the vendor open to meeting with the team to discuss status, issues, and action items?
  • Is the vendor’s team, along with roles and responsibilities of each team member, clearly defined?
  • Has the vendor developed a contract that clearly lays out the scope and cost of the implementation and ongoing maintenance?

Conclusion

A user provisioning system should be considered if an organization has a large number of users and multiple systems that most users require access to. Once deployed, benefits will be realized immediately. IS customer service will be improved, and staff will be more efficient and have more time to focus on tickets and projects. The likelihood of adverse audit results will decline, and the security team can move towards being proactive rather than reactive. Users will have access to the systems they need on day one allowing them to focus on patient care. Finally, all of the history for user access will be stored and readily available as needed for customer support and other inquiries.
