SailPoint Technologies Confidential & Proprietary Do Not Distribute
Welcome
Thank you for attending today’s webinar.
The webcast is being recorded and will be available shortly after the event.
Webcast audio is in listen-only mode. You can communicate via the GoToWebinar question panel.
Glossary of Terms
IDENTITY GOVERNANCE – Next-generation approach to identity management that goes beyond provisioning, allowing clients to sustainably govern how they manage access. It enables organizations to determine who has access to what resources, whether that access is appropriate, and whether it threatens security or compliance posture.
ROLE LIFECYCLE MANAGEMENT (RLM) – Process that enables organizations to mine, map, manage and report on the complex relationships of users, business rules and the entitlements assigned to them within the IT infrastructure.
PREVENTATIVE AND DETECTIVE CONTROLS – Preventative controls are designed to keep errors or irregularities from occurring in the first place. Detective controls are designed to detect errors and irregularities which have already occurred and to assure their prompt correction.
Agenda
Speaker Introductions
Healthcare Providers
  Changing Landscape of Business and IT
  Identity and Access Management Business Drivers
Case Study: Presbyterian Healthcare Services
  IAM Journey
  IAM Revelation and Program
  Lessons Learned
A Word from Our Sponsors
Speakers
Andrew Ames, VP Marketing, Logic Trends
Larry Wolf, Regional Director, Logic Trends
Aaron Frankel, Security Operations Manager, Presbyterian Health Systems
Jackie Gilbert, VP Marketing & Founder, SailPoint
Company Overview
Logic Trends
  National services, consulting and systems integration firm focused on Security, Identity and Access Management (IAM)
  Proven, repeatable IAM deployment methodology: IAM5™
  Hundreds of successful IAM engagements executed in nearly every industry
  Regional offices: Atlanta, Dallas, Chicago, New York
Presbyterian Healthcare Services
  New Mexico’s only private, non-profit healthcare system serving over 700,000 patients at over 30 different clinics and 7 hospitals
  Largest health care provider and managed care organization in New Mexico
  Fastest growing physician group, employing more than 500 physicians and practitioners
SailPoint
  Award-winning identity governance software, SailPoint IdentityIQ™, provides superior visibility into and control over user access to sensitive applications and data while streamlining the access request and delivery process
  Helps the world’s largest organizations to mitigate risk, reduce IT costs and ensure compliance
  Customers include top healthcare, pharmaceutical, health/life insurers, financial services, property & casualty insurers, and other highly regulated industries
IAM BUSINESS DRIVERS FOR HEALTHCARE PROVIDERS
Section 1
Business Drivers for Healthcare Providers
Risk and Compliance
  CURRENT STATE: HIPAA audit; HHS Oversight; HITRUST Maturity & CSF, SAS70
End User Experience
  CURRENT STATE: Clinician survey results: #1 request: Simplified app access. Approx. 40% of help desk calls were password reset.
Operational Efficiency
  CURRENT STATE: IT teams pale in comparison to corporate standards. HITECH driving more IT adoption. Increased security scrutiny.
Meaningful Use
  CURRENT STATE: 30% of Stage 1 Meaningful Use Criteria are IAM related. Increased scrutiny and penalties assoc. with HIPAA alignment.
Healthcare Provider Industry Survey Results
Industry survey provided by Zoomerang
Polled 600 healthcare decision makers
[Chart: "What is your greatest security concern?" Response categories: Inadequate application access security; Breach of confidential information; Unauthorized access to clinical applications and patient data; Audit failure; Other. Values as extracted: 10%, 38%, 38%, 10%, 4%.]
[Chart: "How much do HIPAA/HITECH drive your organization’s IT purchasing decision?" Response categories: They aren't considered very much; They aren't a factor at all; They are the primary drivers; They are an influence; They are strongly considered. Values as extracted: 1%, 2%, 15%, 29%, 53%.]
Direct correlation between “security concerns” and purchasing decisions.
Top 3 IAM Drivers for Healthcare Providers
[Chart: segment values as extracted: 40%, 24%, 6%, 12%, 6%, 9%, 3%; segment labels not present.]
70% of registered attendees identified:
1. Improved user experience
2. Automated user lifecycle mgmt
3. Tighter compliance related controls
PRESBYTERIAN HEALTHCARE SERVICES’ CASE STUDY
Section 2
Company Overview
Established in 1908, New Mexico’s largest non-profit healthcare system, largest health care provider and largest managed care organization with:
  7 hospitals and 40 clinics
  Over 9,000 employees, including 500+ physicians & clinicians and 3,000+ contractors
  Over 700,000 patients generating over 1.2M visits/yr
  Top 10 integrated healthcare delivery network
INDUSTRY, PERSONNEL AND COMMUNITY EXCELLENCE
IAM Journey @ PHS
2008 2009 2010 2011
Influential and vocal Cardiology Group seeks to invest heavily in IT to improve patient care. Heart Glass (single pane) initiative begins to address patient data management for cardiology physicians. Auditors seek more granular insight into access and IT controls.
PHS seeks to address several business & IT requirements with IAM. Conducts internal discovery, and interfaces with IT analyst. Initial focus was technical in nature, with an appetite for eProvisioning.
PHS’ users clamor for improved experience and self-service. IT and Security collaborate to build upon the IAM platform to enable these end-user services.
ARRA & HITECH Act provide PHS with a renewed vision on simplification, both infrastructure and clinical IT.
Multiple PHS groups collaborate to understand and define key IT, audit, security, clinical and business goals, and the role of IAM. Logic Trends works as advisor to establish program that aligns with key initiatives.
PHS looks to further leverage the eProvisioning platform and introduces Patient Context Management to support data integration of several key clinical applications.
IAM Revelation & Goals
2008 2009 2010 2011
Influential and vocal Cardiology Group seeks to invest heavily in IT to improve patient care. Heart Glass (single pane) initiative begins to address patient data management for cardiology physicians. Internal and external audit seek more granular insight to access and IT Controls.
Presbyterian Healthcare seeks to address several business & IT requirements with IAM…conducts internal discovery, purchases and implements a solution. Initial focus was technical in nature, with an appetite for eProvisioning.
PHS’s user community clamors for improved experience and self-service. IT and Security collaborate to build upon the IAM platform to enable these end-user services.
ARRA & Health Information Technology for Economic and Clinical Health (HITECH) Act provides PHS with a renewed vision on simplification, both infrastructure and clinical IT.
PHS looks to further leverage the eProvisioning platform and introduce Context Management, supporting the data integration of several key clinical applications.
IAM is a business challenge first and a technology issue, second. What does the business need?
Multiple PHS groups collaborate to understand and define key IT, Audit, Security, Clinical and Business goals, and the role of IAM. Logic Trends works as advisor to establish program that aligns with key initiatives.
Enable simplified access reporting and demonstration of IT controls to best support the many needs of Audit
Expose user-friendly entitlements to business users so access decisions can be made efficiently and effectively
Automate application access based on authoritative user events, to create agility and speed when dealing with patient-care
Improve and simplify the user experience thereby empowering users with the tools to do their job
Mature the IT, Identity and Application infrastructure to enable more rapid adoption of solutions
IAM Program Development
With a clear understanding of the business needs, PHS set out to align the proper activities
Leveraging the Logic Trends IAM5 methodology, PHS embraced:
  Phased approach with prioritization of initiatives
  Data & process focus first
  Maturity model to enable future functionality
  Business case and frequent solution release schedule
IAM Program Execution
[Slide table: Phase 1, Phase 2, Phase 3, with columns FUNCTIONALITY and BUSINESS VALUE. The cell contents and diagram labels follow in the order they were extracted.]
Role Development
“Smart” eProvisioning of new users based upon roles
Full user lifecycle with approval and controls
Zero-day user and application enablement
Enterprise risk management
Strengthen IT controls
Compliance reporting alignment
Top Down (business) and Bottom-Up (app / entitlement) analysis
Business and technical role development (model)
Policy alignment with role and business functions
Business-aligned definition of “Who Has (and needs) Access to What”
Flexible yet accountable model for identity and access management
Least privilege without role explosion
Applications
Managers
Enterprise identity data collection, reconciliation & cleansing
Defining “Who Has Access to What”
Policy awareness and definition
User access certification
Identity, access & entitlement maturity
Enhanced IT controls
Audit alignment
IAM platform enabler
End user empowerment & efficiency
Lessons Learned
IAM is always evolving and the business will remain dynamic… remain agile and annually assess priorities, technology and alignment
Focus on your data & entitlements first (who has access to what). Everything else in your IAM program builds upon that.
Quick Wins are critical for maintaining momentum and organizational support for Identity and Access Management initiatives.
Develop an IAM strategy, and seek support and contributions from key business and clinical stakeholders.
Experienced partners can help navigate the process to ensure objectives are met.
A WORD FROM OUR SPONSORS
Section 3
Logic Trends
A leading professional services firm focused on Identity & Access Management and Governance
Corporate Profile
  Founded in 2002
  Inc. 500 Fastest Growing US private company honoree for five years
  Logic Trends services its National client base through operations in Atlanta (HQ), Dallas, Chicago, New York, and Baltimore
Services Profile
  300+ Engagements Completed
  Repeatable IAM5 Services Framework
  Full IAM Lifecycle Service Delivery including:
    Strategic Advisory
    Program/Project Management
    Full IAM SDLC Support
    Cloud-Based IAM offering
    24X7 Support Center
Resource Snapshot
  Senior Delivery Team, 12+ years of IAM delivery
  70 employees nationally
  Regionally focused with national coverage
Sample Healthcare Clients
IAM5 – Approach & Methodology
Identity and Access Management often represents the first truly enterprise solution an organization will deploy. Consequently, IAM is an organizational, process, and corporate culture challenge first and a technology challenge second. Our broad experience with Enterprise IAM has led to the following methodology development:
The IAM5 Methodology is positioned to deliver incremental wins and outputs for the business and technical audiences
IAM for Healthcare
Perfect storm of…
  Compliance needs
  Provider consolidation
  Patient access
  IT adoption
  End user experience improvements
Requires a partner with healthcare, business, IT and security knowledge capital
Introducing SailPoint
Leading identity and access governance (IAG) solution provider
  Founded in 2005
  Headquartered in Austin, Texas
  Over 140 employees around the world
Our global customer base
  Over 75 companies in 14 countries
  Our specialty: security & privacy regulatory challenges in healthcare, financial services and insurance
We help our customers to
  Reduce risk of non-compliance
  Proactively manage security and identity risk
  Lower administration and compliance costs
  Enhance employee productivity
  Pave the way for future initiatives
SailPoint IdentityIQ Suite
A unified solution for automating compliance and user lifecycle processes – built on a common roles, policy, and risk model
Compliance Management
  Automates regular review of user access
  Proactively detects and notifies managers of policy violations
  Detects and mitigates identity & access risks
  Provides analytics & reporting for proof of compliance
Lifecycle Management
  Provisions new users
  Automates routine user administration tasks
    Job changes
    Location changes
    Forgotten or expired passwords
  De-provisions terminated users
SailPoint’s Unique Governance-Based Approach
Determine Current State: Who has access to what? Is that access appropriate?
  Aggregate and correlate data
  Data cleanup
  Access reviews
  Remediation & critical corrective actions
Model Desired State: Mine, model & define roles. Define access policies. Configure risk model.
  Mine, model & create roles
  Define role assignment rules
  Define business policies (SoD and other)
  Define risk model components
Automate User Lifecycle Processes: Access Request. Event Lifecycle Mgmt. Workflow/Connectors.
  Configure access request
  Define lifecycle events (joiner, mover, leaver)
  Establish approval workflows and policies
  Define change management processes
  Deploy connectors where needed
SailPoint: Fast Results, Fast ROI
Immediate value to the business
  Identify potential risks and vulnerabilities
  Remediate problems to reduce risk
  Automate strong controls and reliable, repeatable oversight
  Provide proof of compliance on demand
  Ensure compliance with these safeguards by all staff
Measurable results in weeks
  Reduced compliance costs and staffing requirements
  Revocations of inappropriate access (avg. 20-30%)
  Detection and remediation of policy violations
  Elimination of high-risk accounts