Oxford Computer Group works with a significant number of large healthcare providers who leverage Cerner as their core Electronic Medical Record (EMR) application. The data stored in the Cerner app represents the crown jewels for healthcare organizations, and inappropriate use of the data represents a significant risk in the form of regulatory fines, damaged reputation and high costs of mitigating the damage to customers with compromised credentials.
Numerous industry data breach studies show that identity related vectors are the most exploited weakness in a healthcare organization’s cyber defense posture. A strong identity governance and administration program is a critical component of securing the identity related vector.
What are the necessary actions for maintaining an effective identity governance and administration program?
Understand who has access to what information and what they are doing with it
Report on who has access to which systems and data by user, job role, or company. Build access reports, including for users with no assigned positions, and use identity analytics to determine the risk of individual users.
Perform Segregation of Duties (SOD) Analysis
Leverage an out-of-the-box ruleset specifically designed for Cerner to report on any existing SOD violations. The capability exists to perform this SOD analysis within Cerner itself and for cross-application violations. Simulation of SOD rulesets is an important part of deployment, as is modifying rulesets to give visibility into the impact of each rule within an organization before it is enforced.
Conduct Critical Access Reviews
Analyze the behavior of users with critical access based on usage analytics, using Cerner-specific out-of-the-box rules. Access reviews can also be triggered by identity lifecycle events such as a department or role change. During such a transition, you can certify access in both roles until the transfer is complete and then revoke access to the pre-transition system. Taking these steps reduces entitlement creep throughout the identity lifecycle and ensures access audits produce acceptable results.
Conduct Access Review / Certifications
Conduct periodic and/or event-based access reviews by managers or resource/process owners to ensure that existing access is appropriate to a user’s role.
Certification of roles allows application owners to take responsibility for the access assigned in their application and again produce better audit results.
Role Design, Management and Review
Provide the ability to create and modify roles mapped to Cerner positions so that they do not create any inherent SOD violations. Roles are far from static and must respond to changing business and regulatory requirements, so roles should have version history, the ability to roll back to a previous version, and a preview feature to simulate the access changes that will occur when a role is modified.
Enable User Access Request
The user access request process, a huge overhead under more traditional ways of managing identities and access, needs to be as streamlined as possible. Enable a shopping cart-based user access request process that performs preventative SOD analysis and provides a risk-based approve/deny recommendation to the approver prior to provisioning access. Rather than relying on the approver to research non-standard requests to ensure SOD integrity, use Identity Analytics to suggest the access end users should request, based on the access held by their peer groups. Identity Analytics can also identify patterns of access requests triggered by organizational, business process or regulatory changes.
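To make the SOD analysis, ruleset simulation and preventative request checks described above concrete, here is an added illustration (not OCG, Saviynt or Cerner code) of a minimal SOD rule engine. The entitlement names, users, peer groups and rule ids are constructed placeholders, not real Cerner positions or tasks.

```python
"""Added example: detective SOD report, rule simulation, preventive request
check and peer-group suggestions over constructed sample data."""
from collections import Counter

# Constructed SOD rules: each rule names two entitlements that must not be held together.
# Entitlement names are hypothetical, not Cerner's real positions or tasks.
SOD_RULES = {
    "SOD-01": ("cerner:order_medication", "cerner:verify_medication"),
    "SOD-02": ("cerner:edit_chart", "ad:audit_log_admin"),  # cross-application rule
}
USERS = {  # constructed sample: user -> entitlements currently held
    "nurse01": {"cerner:edit_chart", "cerner:order_medication"},
    "nurse02": {"cerner:edit_chart", "cerner:order_medication", "cerner:view_labs"},
    "pharm01": {"cerner:verify_medication"},
    "admin01": {"cerner:edit_chart", "ad:audit_log_admin"},
}
PEER_GROUPS = {"nurse01": "nurse", "nurse02": "nurse", "pharm01": "pharmacy", "admin01": "it"}

def find_violations(entitlements, rules):
    """Rule ids whose two conflicting entitlements are both held."""
    return sorted(rid for rid, (a, b) in rules.items() if a in entitlements and b in entitlements)

def detective_report(users, rules):
    """Detective SOD analysis: users whose existing access already violates a rule."""
    report = {u: find_violations(e, rules) for u, e in users.items()}
    return {u: v for u, v in report.items() if v}

def simulate_rule(users, rules, rule_id, pair):
    """Preview which users would newly violate if a rule were added or changed."""
    trial = {**rules, rule_id: pair}
    before, after = detective_report(users, rules), detective_report(users, trial)
    return sorted(u for u, v in after.items() if set(v) - set(before.get(u, [])))

def preventive_check(current, requested, rules):
    """Preventive SOD check at request time: recommend deny if the request adds a violation."""
    combined = set(current) | set(requested)
    introduced = set(find_violations(combined, rules)) - set(find_violations(current, rules))
    return ("deny", sorted(introduced)) if introduced else ("approve", [])

def peer_suggestions(user, users, groups, threshold=0.5):
    """Identity-analytics style suggestion: access held by at least `threshold` of the user's peers."""
    peers = [u for u, g in groups.items() if g == groups[user] and u != user]
    if not peers:
        return []
    counts = Counter(e for p in peers for e in users[p])
    return sorted(e for e, n in counts.items() if n / len(peers) >= threshold and e not in users[user])
```

A suggested entitlement should still go through `preventive_check` before it reaches the approver, so peer-based suggestions never bypass the SOD rules.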
To help our Cerner customers to properly secure their identity environment and maintain the appropriate compliance posture, OCG has partnered with Microsoft and Saviynt to build an effective identity management solution that spans EMR, HR systems, on-premises Active Directory and Azure Active Directory (including Office 365). The solution includes capabilities for fine-grained provisioning, Role-Based Access Control (RBAC), and Segregation of Duties (SOD) management with pre-defined Cerner-specific SOD rules.
Want to know more?