
Identity Management: Challenges and Opportunities

Session #213, February 22, 2017

Brian Decker, MBA, CISSP, PMP

Muna Khan, MBA, MPH, CSSBB, CPHIMS

Speaker Introduction

Brian Decker, MBA, CISSP, PMP
Senior Manager, Identity and Access Management
Office of Information Security
Mayo Clinic

Muna Khan, MBA, MPH, CSSBB, CPHIMS
Sr. Principal Health System Engineer
Management Engineering and Internal Consulting
Mayo Clinic

Conflict of Interest

Brian Decker, MBA, CISSP, PMP, and Muna Khan, MBA, MPH, CSSBB, CPHIMS, have no real or apparent conflicts of interest to report.

Agenda

• Learning Objectives
• Key Takeaways
• Definitions
• STEPS
• Problem Statement
• Identity Management Program
• Organizational Change Management/Communications

Learning Objectives

• Explain the importance of identity management as a central tenet of an organization's security strategy
• Discuss the opportunities and challenges in creating an identity management program
• Describe the process of establishing an identity management program with effective governance
• Describe the challenges encountered in implementing an identity management system
• Identify the organizational change management and communications challenges that come with a new identity management operational infrastructure

Realizing the Value of Health IT Through Identity Management

• Satisfaction
– Providing the right access to the right users at the right time allows users to be functional and effective in their work (as quickly as possible)
– Providing managers with the appropriate tools to manage access
• Savings
– The wrong user, or a compromised credential, getting access to critical data (patient/financial) poses a significant risk to organizations

Key Takeaways

• Identity and access management is central to reducing organizational risk, both internal and external.
• Long-term success comes from identity and access management being a business initiative, not a technology project.
• Understanding identity relationships is an important first step in planning an effective program.
• Governance must align with business initiatives and identified risks.
• Work hard to know how the organization works, to create a long-term sustainable program (think: lifestyle change).

Identity Management System

• An Identity Management System is any system that creates, issues, uses, and terminates electronic identities. In other words, an Identity Management System provides lifecycle management for the digital credential sets that represent electronic identities.

Source: NIST, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2009-04/ispab_apopowycz_april2009.pdf

Identity and Access Management

• An identity and access management (IAM) system is a framework for business processes that facilitates the management of electronic identities.

Source: TechTarget, http://searchsecurity.techtarget.com/definition/identity-access-management-IAM-system

• Definition simplified: ensuring the right “subjects” have the right access to the right “objects” at the right time, and nothing else.

Healthcare is being targeted (slide of news headlines)

• Computer Viruses Are "Rampant" on Medical Devices in Hospitals
  https://www.technologyreview.com/s/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/

• FDA Safety Communication: Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System
  http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm

• Cyberattack at Appalachian Regional Healthcare keeping EHR down after six days
  http://www.healthcareitnews.com/news/cyberattack-appalachian-regional-healthcare-keeping-ehr-down-after-six-days

• FBI Investigating: Hollywood hospital pays $17,000 in bitcoin to hackers
  http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

• MedStar Health turns away patients one day after cyberattack on its computers (headline as given by the URL)
  https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html?utm_term=.62e32cd980f9

• More Than 11 Million Healthcare Records Exposed in June 2016
  http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/

Today’s Hostile Environment

• Threat actors have multiple levels of skill
– Insiders (current & ex)
– Script kiddies
– Hacktivists
– Organized crime
– Nation state
• An active adversary must be assumed
– Unlimited time and resources
– The skill level needed to cause harm is going down
– Tools to compromise and harm systems are readily available and cheap (free)
– Harm or disruption could be deliberate or collateral
• We are way past relying upon firewalls

Attack Motivations

• Revenge
• Personal gain
• Bragging rights / status
• Expression of political or social views
• Intellectual property theft
• $$$$$ (ransomware, theft, etc.)
• Identity theft (financial / medical)

Threats to Identity and Access (the slide draws each of these as converging on IAM)

Who:
• Nation state
• Organized crime
• Hacktivists
• Individuals
• Insiders
• Snoopers

How:
• Phishing (to get credentials)
• Lateral movement (using credentials to move around and find data)
• Malware (using credentials to get a foothold)
• Ransomware (using credentials to access and then encrypt data)
• Viewing sensitive data (using access inappropriately)
• Drug diversion (inappropriate access)
• Etc.

Simplified Problem Statements

• Who actually are our users?
• Are they appropriate users?
• Who has access to what, and why?
• Who is accountable for users’ access?

Imagine these scenarios…

Real World Scenarios

• Identities have different relationships to Mayo Clinic depending upon their immediate needs. The different relationships require appropriate and specific levels of security.

• Example 1:

1. Physician – outpatient clinic in the AM & PM

2. Physician – surgery late AM

3. Physician – administrative leader at noon

4. Physician – researcher late afternoon

5. Physician – professor in the evening

• Example 2:

1. RN – Hospital nursing primary job function (with floating)

2. RN – Nurse Anesthetist in School of Health Sciences

Identity & Access as a Central Tenet of Information Security

• Business enabler: the right access to the right information
• Can’t manage what you don’t know or can’t see: what identities actually have access to
• Enables visibility and transparency
• Drives accountability
• Requires organizational behavior change

Identity Management Program

Mayo Clinic began creating our Identity Management Platform to support all population types across all sectors (B2E, B2B, B2C).

Primary objectives:
1. Security
2. Experience
3. Scalability and Sustainability

Core elements:
1. Identity and Account Management
2. Authorization and Access Management
3. Centralized Authentication
4. Accountability: Access Certification / Validation

Common Challenges

Identity and Population Management
– Knowledge and appropriate management of user populations
– Appropriate roles

Accountability / Audit
– Holding managers, role owners and data owners accountable for access and access decisions

Account and Credential Management
– Privileged accounts (IT and other users)
– Appropriate authentication

Access Management
– Appropriateness / Authorization
– Identity lifecycle (joiners, movers and leavers)
– Lack of access visibility into platforms and applications

Identity Relationships (diagram)

One individual may hold several relationships with the organization at once; the diagram shows: Employee, Friends, Customer, Patients, External Partners, Research Partners, Collaborators, Allied Health Contacts, Information Seekers, Web site Visitors, etc.


Identity and Population Management

Diverse Challenges: Populations

What people do

Where people do it

Multiple personas

Multiple types of accounts

Multiple managers

Thousands of applications

Employee Populations (chart of job classes by unique job families and size; legend: > 3K, 1K-3K, < 1K)

Allied Health, Allied Health 2, Consultant, Research Associate, Clinical Resident, Hospital Resident, Spec. Project Resident, Graduate Students, Health Sciences, Medical School, Union, Visiting Scientist

Non-Employee Populations (Identity Hub diagram; 100+ non-employee populations)

Visiting Clergy, External Access to Medical Record, Emeritus Staff, Volunteers, Non-Employees – All Sites, Convent Residents, Site Specific Nursing Homes, Site Specific Nursing Students, Visiting Scientists & Appointments, IT Contractors, Some Interns, Vendors, Public Committee Member, Contract Physicians, Health Club

Mayo Clinic Departments (chart: from Drs. Will & Charlie in 1900 to 13 departments by 1925 and 42 by 2015, as ticked on the chart)

Neurology, Dental Specialties, Dermatology, Emergency Med, Family Med, Medical Genetics, Internal Medicine, Oncology, Physical Med, Psychiatry & Psychology, Radiation Oncology, Radiology, Anesthesiology, Neurosurgery, Obstetrics & Gynecology, Ophthalmology – Head & Neck Surgery, Orthopedics, ENT, Surgery, Urology, Anatomy, Biochemistry & Molecular Biology, Comparative Med, Health Sciences Research, Immunology, Lab Med & Pathology, Molecular Med, Molecular Pharm, Physical & Biomedical Engineering, Nursing, Development, Education Admin, Finance, Environmental Services, Planning Services, Public Affairs, Legal, Research Admin, Mayo Health System Admin, Human Resources, Facilities & Support Services

Growth of Subspecialties at Mayo Clinic (chart)

The departments timeline (Drs. Will & Charlie in 1900, 13 by 1925, 42 by 2010) is drilled down one level at a time: Internal Medicine (IM) is one of the departments; the chart ticks its divisions (13 clinical, Cardiovascular (CV) among them, 26 Internal Medicine divisions in all); and within Cardiovascular the subspecialties are:

Cardiomyopathy, Coronary Physiology & Imaging, Cardiovascular Health, Chest Pain & Coronary Physiology, Congenital Heart Clinic, Electrophysiology, Counterpulsation, Heart Failure, Heart Rhythm Center, Implantable Device Clinic, Pericardial Disease Clinic, Pediatric Cardiology, Pulmonary Hypertension, Thrombophilia Center, Transplant, Cardiovascular Radiology, Ulcer & Wound Care Clinic, Valvular Heart Clinic, Vascular Medicine, Women’s Heart Clinic, Cardiovascular Molecular Biology, Cardiovascular Epidemiology, Marfan Clinic, Nuclear Cardiology, Cardiovascular Surgery, + 13 Specialty Labs

Identity, Persona & Roles (diagram: Identity → Persona → Role)

Traditionally, IAM systems naturally model identities and roles, but not personas: a 2-tier model. How do we map 3 tiers to 2 tiers? Additionally, how do we bound approvals, certifications and reporting to the appropriate tier?

Role Based Access Control Model

• The IAM tool manages business and functional roles
• The IAM tool is aware of application roles (as entitlements) via business logic, and performs user assignment through provisioning

Enterprise Role Framework (diagram)

Enterprise roles, held in the IAM tool:
• Organizational level role, e.g. Organizational – Allied Health, Organizational – Consultant
• Business level role, e.g. Cardiology – Nurse, Cardiology – Surgeon
• Birthright roles, e.g. Birthright RST-AH, Birthright RST-CN
• Business application role, e.g. EP-Template 123 / EP-Sub-Temp 123, EP-Template 987 / EP-Sub-Temp 678, App role ABC, App role XYZ, App role MNO, App role JKL

Provisioning role, one per target system: System – Epic, System – AD, System – WTK, System – EDPAR, System – etc.

Application-specific entitlements and permissions, e.g. Group XYZ, Group DEF, AH Employee, CN Employee, etc.

3-Tier Access Control Model: Gaining Electronic Access

1. Birthright roles & attributes
2. Business roles
3. On-demand “shopping cart”
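The block below is an added example written for this transcript; it is not code from the presentation or from Mayo Clinic's platform. It models the three tiers just listed (birthright from attributes, business roles, on-demand requests) together with the identity/persona/role question and the joiner/mover/leaver lifecycle from the earlier slides, by carrying a persona on every grant so that approvals and certifications can be bounded to one persona. All sites, job classes, roles, systems, entitlements and people are constructed sample data (the Epic template and RST birthright names are only borrowed as labels from the framework diagram), and the approval rule, that only the identity's manager may approve a shopping-cart request, is an assumption of the example.

```python
"""Added example, not from the presentation: a small model of the 3-tier
access control model (birthright roles and attributes, business roles,
on-demand "shopping cart") with persona as the tier a conventional
identity/role IAM model lacks.  Every name below is constructed."""
from dataclasses import dataclass, field

# Tier 1: birthright roles follow from identity attributes and are never
# requested.  (site, job class) -> birthright role.  Constructed sample data.
BIRTHRIGHT = {
    ("RST", "Allied Health"): "Birthright RST-AH",
    ("RST", "Consultant"): "Birthright RST-CN",
}
# Enterprise roles (tiers 1 and 2) expand into per-system entitlements; this
# is the provisioning layer of the enterprise role framework.
ROLE_ENTITLEMENTS = {
    "Birthright RST-AH": {("AD", "AH Employee"), ("WTK", "timecard")},
    "Birthright RST-CN": {("AD", "CN Employee"), ("WTK", "timecard")},
    "Cardiology-Nurse": {("Epic", "EP-Template 123"), ("Epic", "EP-Sub-Temp 123")},
    "Cardiology-Surgeon": {("Epic", "EP-Template 987"), ("Epic", "EP-Sub-Temp 678")},
    "Research-Investigator": {("EDPAR", "App role MNO")},
}
# Tier 2: a role owner decides which business roles each persona may carry.
PERSONA_ROLES = {
    "employee": set(),
    "clinical": {"Cardiology-Nurse", "Cardiology-Surgeon"},
    "research": {"Research-Investigator"},
}


@dataclass(frozen=True)
class Grant:
    system: str
    entitlement: str
    tier: int
    persona: str   # the relationship under which the access was granted
    source: str    # role name (tiers 1-2) or request id (tier 3)
    approver: str  # "policy" for birthright, else the accountable person


@dataclass
class Identity:
    uid: str
    site: str
    job_class: str
    manager: str
    active: bool = True
    grants: list = field(default_factory=list)


def recompute_birthright(ident):
    """Tier 1: replace (never duplicate) birthright grants after any attribute change."""
    ident.grants = [g for g in ident.grants if g.tier != 1]
    role = BIRTHRIGHT.get((ident.site, ident.job_class))
    if role:
        for system, ent in sorted(ROLE_ENTITLEMENTS[role]):
            ident.grants.append(Grant(system, ent, 1, "employee", role, "policy"))


def assign_business_role(ident, persona, role, role_owner):
    """Tier 2: a business role is bounded to one persona of the identity."""
    if role not in PERSONA_ROLES.get(persona, set()):
        raise ValueError(f"{role} is not a {persona} role")
    for system, ent in sorted(ROLE_ENTITLEMENTS[role]):
        ident.grants.append(Grant(system, ent, 2, persona, role, role_owner))


def request_on_demand(ident, persona, system, ent, request_id, approver):
    """Tier 3: the shopping cart.  Assumed rule: only the manager may approve."""
    if approver != ident.manager:
        raise PermissionError(f"{approver} is not {ident.uid}'s manager")
    ident.grants.append(Grant(system, ent, 3, persona, request_id, approver))


def effective_access(ident):
    """What provisioning pushes to the target systems right now."""
    return {(g.system, g.entitlement) for g in ident.grants} if ident.active else set()


def certify(ident, persona):
    """Certification bounded to one persona: (tier, source, approver, system, entitlement)."""
    return sorted((g.tier, g.source, g.approver, g.system, g.entitlement)
                  for g in ident.grants if g.persona == persona)


def mover(ident, site, job_class):
    """Mover: birthright follows the new attributes automatically; everything a
    person granted (tiers 2-3) is returned for re-certification, not kept silently."""
    ident.site, ident.job_class = site, job_class
    recompute_birthright(ident)
    return sorted((g.system, g.entitlement) for g in ident.grants if g.tier != 1)


def leaver(ident):
    """Leaver: disable the identity and revoke every grant, birthright included."""
    revoked = effective_access(ident)
    ident.active, ident.grants = False, []
    return revoked


if __name__ == "__main__":
    rn = Identity("rn001", "RST", "Allied Health", manager="mgr-cardiology")
    recompute_birthright(rn)
    assign_business_role(rn, "clinical", "Cardiology-Nurse", role_owner="cardiology-role-owner")
    request_on_demand(rn, "research", "EDPAR", "App role MNO", "REQ-42", approver="mgr-cardiology")
    print(sorted(effective_access(rn)))
    print(certify(rn, "clinical"))         # only the clinical persona's grants
    print(mover(rn, "RST", "Consultant"))  # tier 2-3 access flagged for re-certification
    print(leaver(rn), effective_access(rn))
```

The point of carrying `persona` and `tier` on each grant is that a manager certifying the clinical persona never sees birthright access (policy grants it, so nobody should be asked to re-approve it), and a job change does not silently keep tier 2 and 3 access: the mover path returns it for re-certification while birthright is recomputed from the new attributes.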


The Role of Identity and Access Governance

• Understand and prioritize IAM related risks and business drivers

• Own identity-related policies

• Ensure risks and drivers are staged and addressed

• Drive the platform and IAM security services into the business and technical environment

• Stakeholder management and communication


How do we make change happen?

• Organizational Change Management

– Stakeholder Analysis

– ADKAR

• Communications, Communications, Communications

• Sr. Leadership support, engagement and visibility


Organizational Change Management

• Establishing new norms

– Creating a culture of accountability and audit

• Functional role owners

– Behavioral changes

• Supervisors/managers

• Users

• Applications teams (IT/Security Administrators)

New Roles & Responsibilities

• Information Technology & Information Security
– Provide the necessary tools and policies to maximize security within the organization
– Comply with new application access protocols
– Participate in defining roles and application access rights
• Business Leaders
– Take full ownership of defining and refining functional roles within the organization
– Hold managers/supervisors accountable for access provisions
• Institutional Leaders
– Support an environment for IAM to take hold as a central tenet of security


Questions

Thank you! (Please complete online evaluations)

[email protected]
[email protected]