It's an ideal in identity management: a centralized role-based access control system that supports single sign-on (SSO) user access to authorized applications, is tied into the human resources systems for automated provisioning and de-provisioning, and can integrate physical-security identity badges for room access.
Such a system doesn't usually happen overnight, and in fact it often doesn't happen at all. But this Holy Grail of identity management has been pursued, with more success than you usually hear about, by Health Quest, the healthcare group of hospitals and other facilities in counties north of New York City.
For Health Quest, it's been a multi-year project at a cost that has reached "into the low seven figures," according to Chief Information Security Officer David Sheidlower. The long-term commitment to a unified identity management system for 6,000 employees as well as authorized physicians with outside practices that regularly use Health Quest resources has netted the kind of information security controls that aren't usually achieved.
Take, for instance, the physical-access badges based on HID Global technology that about 4,000 medical staff use for entry into restricted rooms in the medical facilities. With help from technology provider Identropy, the HID-based physical-access control identity badge system was integrated into the logical-access controls so that the badges can also be used for computer authentication. Access is then limited to the clinical applications that are appropriate for each person.
With help from a USB badge reader from RFIdeas, medical staff can now present their badges at the hospital's computers, which are often set up like kiosks, to authenticate to the network's SSO control point, Novell Identity Manager.
Novell Identity Manager is the SSO checkpoint in the network through which Health Quest's 6,000 employees gain authorized entry to computer applications, including the hospital medical records. Identropy did the custom coding needed to bridge the physical-access control system and Novell Identity Manager.
"Identropy took charge of putting technical specs to the architecture, and interfacing with the relevant vendors," says Sheidlower. One advantage of the system is that when there are employee changes, it's simple to provision or de-provision access to both Health Quest computer systems and the identity badges for room access, all at the same time. That's because it's all tied into the HR system, where the decision about employee status is electronically recorded.
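The pattern described above, where the HR system is the authoritative source and both logical and physical access are derived from it, can be illustrated with a small reconciliation routine. The following is an added example written for this article; it is not Health Quest's, Identropy's or Novell's code, and the role model, entitlement names and sample records are all constructed. It derives the entitlements each person should hold from an HR feed, compares that with what the application directory and badge system currently grant, and emits the grant and revoke actions needed to close the gap. Terminated staff, unknown roles and accounts with no HR record at all fail closed and lose everything, so a departure revokes computer accounts and door access in one pass.

```python
from dataclasses import dataclass

# Role -> entitlement mapping. Constructed for this example; a real deployment
# would load this from the identity manager's role model rather than hard-code it.
ROLE_ENTITLEMENTS = {
    "nurse":     {"app": {"ehr"},           "door": {"ward-a"}},
    "billing":   {"app": {"billing"},       "door": set()},
    "physician": {"app": {"ehr", "orders"}, "door": {"ward-a", "or-suite"}},
}

EMPTY = {"app": set(), "door": set()}


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR feed, the authoritative source for employee status."""
    emp_id: str
    role: str
    status: str  # "active" or "terminated"


def desired_state(hr_feed):
    """Derive the entitlements each person should hold from the HR feed alone.

    Terminated staff and unknown roles fail closed: they get no entitlements.
    """
    desired = {}
    for rec in hr_feed:
        if rec.status != "active":
            continue
        ents = ROLE_ENTITLEMENTS.get(rec.role, EMPTY)
        desired[rec.emp_id] = {kind: set(targets) for kind, targets in ents.items()}
    return desired


def reconcile(hr_feed, current):
    """Compute grant/revoke actions that move `current` to the HR-derived state.

    `current` maps emp_id -> {"app": set(...), "door": set(...)} as observed in
    the application directory and the badge system. Accounts with no HR record
    at all (orphans) are revoked entirely. Returns a sorted list of
    (action, emp_id, kind, target) tuples so the output is deterministic and
    easy to audit.
    """
    desired = desired_state(hr_feed)
    actions = []
    for emp_id in set(desired) | set(current):
        want = desired.get(emp_id, EMPTY)
        have = current.get(emp_id, EMPTY)
        for kind in ("app", "door"):
            for target in want.get(kind, set()) - have.get(kind, set()):
                actions.append(("grant", emp_id, kind, target))
            for target in have.get(kind, set()) - want.get(kind, set()):
                actions.append(("revoke", emp_id, kind, target))
    return sorted(actions)


# Constructed sample data: an HR feed and the access state observed in the
# application directory and badge system before reconciliation.
SAMPLE_HR = [
    HrRecord("e1", "nurse", "active"),
    HrRecord("e2", "billing", "terminated"),
    HrRecord("e3", "physician", "active"),
]
SAMPLE_CURRENT = {
    "e1": {"app": {"ehr"}, "door": {"ward-a"}},      # already correct
    "e2": {"app": {"billing"}, "door": {"ward-a"}},  # terminated; badge left over from an earlier role
    "e3": {"app": {"ehr"}, "door": {"ward-a"}},      # newly credentialed physician, not yet fully provisioned
    "e9": {"app": {"ehr"}, "door": set()},           # no HR record at all: orphan account
}

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_CURRENT):
        print(action)
```

Run against the sample data, the routine grants the physician's missing "orders" application and operating-suite door group, revokes the terminated billing employee's application account and the ward badge access that was never cleaned up after a role change, and revokes the orphan account that no HR record explains. The actions are computed, not applied; a production connector would feed them to the directory and badge system and log each one for the audit trail.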
The next identity-management project at Health Quest is to further refine access to the back-office business and billing systems for the employees who work there, including supervisors and billing specialists. A general access control is already in place, but the idea is to enhance it with more fine-grained, application-level access controls.
Sheidlower emphasized that these identity management projects not only greatly simplify IT operations, because provisioning is automatically linked into the Health Quest human-resources applications, but also support security auditing and compliance with regulations and rules such as the federal HIPAA guidelines.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.