Welcome

Thank you for taking time to visit my blog. My name is Drew Olson, and I hope to use this space to share ideas and generate conversation regarding identity and access management.

    Recent Postings
    Monday, May 16, 2011

    Data Breach #2: Massachusetts Healthcare System 

    This article recently published in the Worcester Telegram & Gazette highlights the dangers of shared user accounts, open kiosks and weak authentication protocols.


    Computer access breach exposed UMass Memorial pay stub data

    By Lee Hammel TELEGRAM & GAZETTE STAFF

    WORCESTER —  Personal pay stub information of some UMass Memorial Healthcare employees was subject to unauthorized access for five months. 

    The organization learned March 10 that at 10 kiosks where employees could view their pay stub information, and also at shared workstations, subsequent users were able to access the information of previous users, according to Rob Brogna, UMass Memorial spokesman. Upon confirming the problem, UMass Memorial removed the kiosks from use, he said.

    The day after the breach was discovered, UMass Memorial applied a systemwide software change to disable the pertinent setting on the organization's HRConnect application, he said. On March 16, the direct deposit bank account number was redacted from the information on HRConnect, and subsequently the 10 kiosks were returned to the campuses for employee use, Mr. Brogna said.

    The personal information potentially exposed included name, bank name, bank transit number and bank account number. The breach did not involve employee Social Security numbers or medical record or patient information, he said.

    Only UMass Memorial employees who accessed HRConnect using the kiosks or a shared workstation between Oct. 7 and March 11 are potentially affected by the breach, Mr. Brogna said. What portion of the 13,500 employees of the health care system was affected was not available last night.

    UMass Memorial has no reason to believe that any of the personal information on HRConnect has been misused, according to Mr. Brogna. Nevertheless, UMass Memorial is notifying all potentially affected employees of the incident.

    The organization is offering potentially affected employees reimbursement of the costs to institute a security freeze with the three national credit reporting agencies, Mr. Brogna said, and is also offering one year of free credit monitoring through TransUnion Interactive.

    “UMass Memorial deeply regrets this incident,” Mr. Brogna said, and “is continually evaluating and modifying its practices to enhance the security and privacy of all confidential and sensitive information entrusted to it.” 

    http://www.telegram.com/article/20110412/NEWS/110419891/1116


    As of late, Tools4ever has been implementing more solutions in the healthcare market, and I wanted to take a look at our clients and ascertain whether there are common issues that this market sector needs to address. Not surprisingly, the issue above was a common theme across a number of these accounts.

    Shared User Accounts

    One of the top reasons for implementing Identity Management in healthcare is the need to eliminate "shared" accounts. Quite frequently, all the nurses on a floor will have one or more shared computers, and everyone uses the machine through a common, generic account. The issue is security and privacy: with a shared account it is impossible to restrict access per person or to determine who is doing what and when.

    Identity management typically solves this issue by linking an HR application to Active Directory and creating individual logon accounts. Fast user switching, available in Vista and 7, makes switching between those accounts a quick process for busy healthcare professionals. Further, the Tools4ever Single Sign On product allows users' credentials to be provided automatically for authorized applications when fast user switching is used.


    For more information, please visit: http://www.tools4ever.com/products/user-management-resource-administrator/

    Monday, May 2, 2011

    Why You Should Use Employee Numbers in Active Directory

    Organizations that are in the process of cleaning up their Active Directory or linking other systems such as face libraries, print badges etc., are often confronted with the problem that the employee ID number is not listed consistently in the Active Directory. In many cases this is a show-stopper; it prevents them from recognizing Active Directory as the central account database. This will result in problems once they start linking all the identities across the organization.

    The situation:

    You have an HRM system with 1,000 employee names, which may include double records for service contracts, functions, departments and managers. You also have an Active Directory containing 2,300 accounts, in which over the years various different IT agents have manually created user accounts based on their personal interpretation of naming standards. There is a need to clean up the Active Directory or to use it as the central account database.

    The challenge:

    As a first step, you would determine which of the 2,300 accounts have been assigned to employees who are no longer in service. This means that you must link employees in the HRM system to accounts in the Active Directory. If the employee ID or citizen service number is not listed in the Active Directory, you will not have a unique key with which to set up this link. Manually entering employee IDs or citizen service numbers for all Active Directory accounts is a time-consuming task.

    The solution:

    Tools4ever's UMRA solution and consultancy services will allow you to align the HRM system and Active Directory in the space of a single day. The employee ID numbers are added to the Active Directory in the form of attributes that are invisible to end users. We provide support for any combination of naming conventions (100+) ever used to create accounts, including any subsequent requests for partner names or naming conventions, and align these with the HRM system. Experience shows that we are always able to achieve an alignment level of 85-90%, which leaves only a small list of accounts that will have to be processed manually.

    Would you like more information? Visit our website: User Provisioning from the HRM system.
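    The matching step described above, worked through as an added example (my own illustration, not UMRA code): HR records are collapsed on employee ID, candidate account names are generated under a few assumed naming conventions, and each AD account without an employeeID is either linked, flagged as ambiguous (several employees would produce the same name), or left for manual processing. Linked accounts whose HR record is inactive are reported as candidates for cleanup. All data below is constructed.

```python
from collections import defaultdict

# Constructed HR export: duplicate rows for one employee (two contracts) and one
# employee who has left. Not data from the post.
HR_RECORDS = [
    {"employee_id": "E1001", "first": "Jane", "last": "Smith", "active": True},
    {"employee_id": "E1001", "first": "Jane", "last": "Smith", "active": True},   # second contract
    {"employee_id": "E1002", "first": "John", "last": "Smith", "active": True},
    {"employee_id": "E1003", "first": "Maria", "last": "Garcia", "active": False},  # left the organization
    {"employee_id": "E1004", "first": "Wei", "last": "Chen", "active": True},
]

# Constructed AD export: sAMAccountNames created under several conventions,
# employeeID mostly blank, which is the situation the post describes.
AD_ACCOUNTS = [
    {"sam": "jane.smith", "employee_id": ""},
    {"sam": "jsmith", "employee_id": ""},      # could be Jane or John
    {"sam": "johns", "employee_id": ""},
    {"sam": "mgarcia", "employee_id": ""},
    {"sam": "wchen", "employee_id": "E1004"},  # already aligned
    {"sam": "svc-backup", "employee_id": ""},  # no HR owner at all
]

# Assumed naming conventions used over the years: first.last, flast, firstl
CONVENTIONS = [
    lambda f, l: f"{f}.{l}",
    lambda f, l: f"{f[0]}{l}",
    lambda f, l: f"{f}{l[0]}",
]

def reconcile(hr_records, ad_accounts):
    """Return (proposed employeeID per account, ambiguous, unmatched, stale) lists."""
    employees = {r["employee_id"]: r for r in hr_records}  # collapses duplicate HR rows
    candidates = defaultdict(set)  # candidate account name -> employee IDs that produce it
    for emp_id, r in employees.items():
        for conv in CONVENTIONS:
            candidates[conv(r["first"], r["last"]).lower()].add(emp_id)
    proposed, ambiguous, unmatched, stale = {}, [], [], []
    for acct in ad_accounts:
        emp_id = acct["employee_id"]
        if not emp_id:
            owners = candidates.get(acct["sam"].lower(), set())
            if len(owners) != 1:  # zero owners: manual list; several: do not guess
                (ambiguous if owners else unmatched).append(acct["sam"])
                continue
            emp_id = next(iter(owners))
            proposed[acct["sam"]] = emp_id
        if not employees.get(emp_id, {"active": False})["active"]:
            stale.append(acct["sam"])  # linked to someone no longer in service
    return proposed, ambiguous, unmatched, stale

def alignment_rate(hr_records, ad_accounts):
    """Share of AD accounts that are aligned after the automatic pass."""
    proposed, _, _, _ = reconcile(hr_records, ad_accounts)
    already = sum(1 for a in ad_accounts if a["employee_id"])
    return (already + len(proposed)) / len(ad_accounts)
```

The ambiguous list is the important output: writing a guessed employeeID onto the wrong account would silently hand one person another person's identity, so those accounts go to the manual list together with the unmatched ones.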

    Thursday, April 28, 2011

    Tell me about this user: Reporting, Auditing, and Compliance

    I haven't posted in a few weeks, but after a few recent meetings I felt it would be a good idea to start a discussion on user auditing. Most organizations have some form of user directory or white pages where one can find another user's department, contact information and perhaps some other basic information. However, the clients I met with were struggling to display more detailed information regarding an individual's group memberships, access permissions, and folder permissions.

    This type of information may be more detailed than most users would need to see regularly, but it can be very important for auditing, compliance and risk management. How easy is it for you to locate someone's folder permissions or, more importantly, to see how they have changed over time? Understanding this information will give you much better control over your IT security policy, and it will also give you an upper hand when it comes to meeting regulations such as SOX, HIPAA, etc.

    Given these demands, and especially in this era of increased network attacks and data breaches, it is crucial for an organization to be able to report on and follow up on:

    • a list of requests and changes in a given time period x.
    • an overview of group memberships (in total and per user).
    • an overview of NTFS permissions (in total and per user).
    • an overview of the accounts that have not logged on in more than 30 days.
    • an overview of the disabled or locked accounts.
    • the number of requests for a particular function or for a particular department.
    • the number of outstanding requests.
    • the average handling period.

    A solution such as Tools4ever's User Management Resource Administrator (UMRA) can easily assist you in these areas. UMRA automatically records management operations and changes to accounts and permissions. This detailed data is then readily available for later audit and reporting purposes. This type of solution also provides export functionality: reports can be generated in a variety of formats. This means that companies, at any moment, have insight into the processes involved and whether they comply with security policies and the applicable laws and regulations.
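    To make the list above concrete, here is an added example (my own, not UMRA's reporting engine) that produces several of those reports from two constructed exports: an account export with enabled flag, last logon and group memberships, and a change-request log with submitted and completed dates. The 30-day threshold, the "never logged on" rule and the date format are assumptions.

```python
from datetime import datetime, timedelta

# Constructed account export (enabled flag, last logon, memberOf, department); not real data.
ACCOUNTS = [
    {"sam": "jane.smith", "enabled": True,  "last_logon": "2011-05-10", "groups": ["Nurses", "VPN"], "dept": "Nursing"},
    {"sam": "johns",      "enabled": True,  "last_logon": "2011-02-01", "groups": ["Finance"],       "dept": "Finance"},
    {"sam": "mgarcia",    "enabled": False, "last_logon": "2010-12-20", "groups": ["Nurses"],        "dept": "Nursing"},
    {"sam": "wchen",      "enabled": True,  "last_logon": None,         "groups": [],                "dept": "IT"},
]

# Constructed change-request log: one request is still outstanding (no completed date).
REQUESTS = [
    {"id": 1, "dept": "Nursing", "submitted": "2011-04-01", "completed": "2011-04-02"},
    {"id": 2, "dept": "Finance", "submitted": "2011-04-05", "completed": "2011-04-09"},
    {"id": 3, "dept": "Nursing", "submitted": "2011-04-20", "completed": None},
    {"id": 4, "dept": "IT",      "submitted": "2011-03-01", "completed": "2011-03-03"},
]

def _d(s):
    """Parse an ISO date string; None stays None (never logged on / not completed)."""
    return datetime.strptime(s, "%Y-%m-%d") if s else None

def inactive_accounts(accounts, as_of, days=30):
    """Enabled accounts with no logon in `days`; an account that never logged on counts as inactive."""
    cutoff = _d(as_of) - timedelta(days=days)
    return [a["sam"] for a in accounts
            if a["enabled"] and (a["last_logon"] is None or _d(a["last_logon"]) < cutoff)]

def disabled_accounts(accounts):
    return [a["sam"] for a in accounts if not a["enabled"]]

def members_of(accounts, group):
    """Group membership overview for one group (the per-user view is just a['groups'])."""
    return [a["sam"] for a in accounts if group in a["groups"]]

def request_stats(requests, start, end):
    """Requests submitted in [start, end]: total, count per department, outstanding, average handling days."""
    window = [r for r in requests if _d(start) <= _d(r["submitted"]) <= _d(end)]
    per_dept = {}
    for r in window:
        per_dept[r["dept"]] = per_dept.get(r["dept"], 0) + 1
    outstanding = sum(1 for r in window if r["completed"] is None)
    handled = [(_d(r["completed"]) - _d(r["submitted"])).days for r in window if r["completed"]]
    avg_days = sum(handled) / len(handled) if handled else 0.0
    return {"total": len(window), "per_dept": per_dept,
            "outstanding": outstanding, "avg_handling_days": avg_days}
```

Note that the inactive-account report deliberately excludes disabled accounts so the two lists do not overlap, and that outstanding requests are excluded from the handling-time average rather than counted as zero.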


    For more information, please visit: http://www.tools4ever.com/solutions/audit-compliance/