A particularly impressive characteristic that was displayed by the IAM Program sponsor was the calm determination to implement a solid foundation solution that put the Health Directorate in a position to progressively adopt additional automated IAM capabilities as budget becomes available. Driving through the initial resistance to process change has been rewarded with a solution that is considered to be business critical. A long list of requests for enhancements to the IAM system is a strong indication that the benefits of automated IAM processes are now widely recognised within the organisation.
We recognised that Identity Management was a critical enabler of the broader Digital Health Enterprise Technology Strategy that the Directorate had committed to. Putting together a team with strong technical skills who engage effectively with managers and administrative staff underpins the success that the IAM Program continues to achieve.
These insights emanate from the successful adoption of automated Identity and Access Management processes by the Health Directorate of the ACT Government. This study discusses a range of factors that needed to be addressed to achieve targeted outcomes within this large and complex organisation in which a number of core business processes and services are provided by Whole-of-Government service providers.
An Identity and Access Management (IAM) implementation in any organisation is a technically complex, high-risk activity. The challenges of attempting that level of process change in a health services environment, where the demands of patient health outcomes dominate, are significant.
For the ACT Health Directorate, the need to achieve the required scale of organisational change within an environment where both HR / Payroll processes and ICT service delivery are provided by external Whole-of-Government service providers added a further layer of corporate risk.
Whilst understanding the difficulties, the Health Directorate recognised that the existing deficiencies in systems access and account provisioning processes needed to be addressed as a priority. An IAM strategy was commissioned to both support and enable the implementation of the Digital Health Enterprise (DHE) Technology Strategy and Implementation Plan. This was one of the key strategies adopted by the Health Directorate to achieve the strategic objectives of Access, Efficiency and Reliability.
- 17,200 Identities managed
- 12,500 AD and email accounts
- 76,800 Entitlements managed
- 3,000 new Identities on-boarded each year
- 84,000 Requests processed annually
- 15,000 ID Card details managed
The IAM system is now considered to be both mature and business critical within the day-to-day operations of the Health Directorate. The process efficiencies and the associated business value that have been achieved are well recognised and a number of additional capabilities and refinements have been identified. These opportunities will be analysed and further project funding requested.
At the same time, IAM is attracting increased attention within the whole of ACT Government and the Health Directorate provides well-informed input to those discussions. Such interagency co-operation allows the Health Directorate to clearly demonstrate the business value it has already derived and to share its learnings with others.
This approach will allow the Health Directorate to continue to drive its own IAM initiatives whilst actively supporting whole of Government plans and solutions.
What also became clear over the subsequent operation of the Health Directorate’s IAM system is the strength of focus on clinical service delivery to patients, often at the expense of supporting administrative processes. This cultural characteristic (almost certainly applicable to all health service organisations) has influenced the design, evolution and operations of the IAM system.
Functionality has been added to the IAM system to streamline a number of processes to match the preferences of specific user functions, sometimes supporting exceptions to standard processes. The areas of request approvals and on-boarding medical and other health professional staff have been refined.
At the same time, the IAM Service Desk plays a significant role in ensuring that the required outcomes for user on-boarding, termination and access management are achieved. Their readiness and ability to support, and sometimes supplement, end users to initiate and complete actions in the IAM system have been significant factors in the system’s overall success.
Whilst ongoing training of users of the IAM system is planned, it is also recognised that directly assisting end users to achieve an immediate outcome is often the appropriate response.
Automated account provisioning was one of the key objectives of the IAM program when it was initiated. This proved to be somewhat more challenging than expected. Many of the applications within the health sector are based on relatively “old” technologies and were not designed with integration in mind. Progressive product upgrades have improved this capability to a degree. The Health Directorate worked with a number of vendors and internal system owners to upgrade target applications to versions that supported automated account provisioning capabilities.
As a result, a number of health applications are now integrated via LDAP to automate user account provisioning based on details that are managed in Active Directory by the IAM system. A number of additional applications are also in the process of being updated to more recent versions, with one of the key business drivers being account provisioning.
Managing the access entitlements of users was one of the core capabilities identified in the IAM Strategy and Requirements. In the Health context, it was recognised that a user’s “primary role” was the major determinant of coarse-grained access permissions. For example, Doctors required access to a range of common applications including Patient Administration, Clinical Portal, pathology and radiology (PACS), selected share drives and a number of buildings. In order to manage “finer-grained” access, additional role definition is required and the Health Directorate is progressively enhancing the Person details in the IAM system to allow more refined “role-based access”.
Adopting a phased implementation approach, the initial IAM system went into production in July 2012. The focus of that release was to introduce portal-based identity processes (including new identity creation, terminations and change of details) and to automate AD and email account provisioning. The IAM system also forwarded notification emails to a number of process owners who were responsible for provisioning actions in their respective systems and services.
This implementation was a major process change that replaced traditional paper-based processes with self-service portal requests and approvals. Hundreds of staff throughout the Health Directorate needed to learn and understand the new processes and how they could achieve their outcomes using the IAM system.
The IAM team spent a lot of time and effort with the end-users to demonstrate the new solution and to deliver targeted training, including the development of supporting “cheat sheets” to outline how to complete a broad range of use cases. Those efforts were also supported by a dedicated resource on an IAM Service Desk who was available to answer support calls and to re-visit users who required additional training.
The IAM project team was also ready to make minor enhancements to refine IAM system functionality in the period immediately following go-live based on user feedback.
Phase 2 of the IAM system was developed over the following 15 months with a clear focus on:
- automating systems access requests and approvals;
- recording of subsequent time-based access “entitlements”; and
- automated provisioning actions.
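The two entitlement types described above (coarse-grained access derived from a person’s primary role, and time-based entitlements recorded from approved requests) and the provisioning actions computed from them can be sketched in a few dozen lines. The following is an added example, written for this page in Python rather than as FIM configuration; it is not the Health Directorate’s or UNIFY’s code. The role-to-entitlement mapping, the resource names and the person records are assumptions modelled on the “Doctors” example in the text.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Added example (not the Health Directorate's or UNIFY's code). Models the two
# entitlement types the case study describes: coarse-grained access derived
# from a person's primary role, and time-bounded entitlements recorded from
# approved access requests, plus the grant/revoke actions an IAM system would
# compute from them. Role names, resource names and records are illustrative.

# Assumed role-to-entitlement mapping, modelled on the "Doctors" example.
ROLE_ENTITLEMENTS = {
    "Doctor": {"PatientAdmin", "ClinicalPortal", "PACS",
               "Share:Clinical", "Building:Main"},
    "Nurse": {"PatientAdmin", "ClinicalPortal", "Building:Main"},
    "AdminOfficer": {"PatientAdmin", "Share:Admin", "Building:Main"},
}


def day(iso: str) -> date:
    """Parse an ISO date string (helper so callers need not import datetime)."""
    return date.fromisoformat(iso)


@dataclass(frozen=True)
class Grant:
    """A time-bounded entitlement recorded from an approved access request."""
    target: str                 # application / resource identifier
    start: date
    end: Optional[date] = None  # None = no expiry


@dataclass
class Person:
    person_id: str
    primary_role: str
    start_date: date
    termination_date: Optional[date] = None
    grants: list = field(default_factory=list)  # finer-grained, requested access


def is_active(person: Person, today: date) -> bool:
    """Identity is active from its start date up to (not including) termination."""
    return person.start_date <= today and (
        person.termination_date is None or today < person.termination_date)


def effective_entitlements(person: Person, today: date) -> set:
    """Entitlements that should exist for `person` on `today`."""
    if not is_active(person, today):
        return set()  # terminated or not yet started: nothing at all
    ents = set(ROLE_ENTITLEMENTS.get(person.primary_role, set()))
    for g in person.grants:
        if g.start <= today and (g.end is None or today <= g.end):
            ents.add(g.target)
    return ents


def reconcile(person: Person, current_access: set, today: date) -> dict:
    """Provisioning actions that bring target systems in line with the
    effective entitlement set: grant what is missing, revoke what is extra."""
    desired = effective_entitlements(person, today)
    return {"grant": sorted(desired - current_access),
            "revoke": sorted(current_access - desired)}


def demo() -> dict:
    """Constructed scenario: a doctor with a one-month research-database grant,
    reconciled at several points in time. Returns the actions per date."""
    doc = Person("p001", "Doctor", day("2024-01-08"),
                 grants=[Grant("ResearchDB", day("2024-02-01"), day("2024-02-28"))])
    access = set()
    out = {}
    for d in ("2024-01-08", "2024-02-15", "2024-03-01"):
        actions = reconcile(doc, access, day(d))
        access = (access | set(actions["grant"])) - set(actions["revoke"])
        out[d] = actions
    doc.termination_date = day("2024-06-30")  # termination recorded later
    out["2024-06-30"] = reconcile(doc, access, day("2024-06-30"))
    return out


if __name__ == "__main__":
    for d, actions in demo().items():
        print(d, actions)
```

Two design points worth noting. Role-derived entitlements are recomputed on every run rather than stored, so a change of primary role automatically produces both grants and revokes; and the termination date is treated as exclusive, so a leaver loses all access on that date, the finer-grained grants included, without a separate per-system request.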
At the same time, a number of repeatable use cases were analysed and IAM functionality was developed to improve their efficiency. Responding to feedback from over 12 months of operations, a number of process improvements were also introduced.
The functional and technical design of the IAM system was based on Microsoft FIM and was completed so that an external authoritative source for People could be integrated for all or select identity types in the future. In such a scenario, the request and workflow functions would continue to support appropriate use cases.
A significant challenge that needed to be addressed in the design of the IAM processes and the supporting technical architecture of the IAM system was the fact that the HR / Payroll system proved to be an unsuitable authoritative source of identity details and identity lifecycle events.
As part of the ACT Government’s shared service model, the Health Directorate’s HR and payroll processes are externally managed by the Shared Service HR team whose services and service levels are standardised for all agencies, and are focused on completing fortnightly payroll obligations. Consequently, it was not possible for the Health Directorate to make changes to those processes to effectively support the objectives of their IAM system.
Therefore the critical need to adopt an automated IAM system led the Health Directorate to select an alternative authoritative source for identities and their access-related details. It was decided to configure the Portal component of Microsoft’s FIM identity provisioning and synchronisation platform to support all identity creation, termination and maintenance functions as well as providing the request initiation, approval workflow and notification functions.
The unavailability of the traditionally preferred authoritative source for People (the corporate HR system) was overcome in a way that gave the Health Directorate control over its own identity and access processes, which in part offset its inability to leverage existing HR processes.
The formal business case supporting the implementation of an automated IAM system presented a compelling case in terms of business impact (such as reducing staff on-boarding times from up to 10 days to a matter of hours) and the associated improvement in staff effectiveness in delivering clinical and other services. The supporting financial models demonstrated significant cost-benefit scenarios.
From MIIS to Azure, UNIFY is Microsoft’s trusted partner for quality security, identity and associated secure collaboration outcomes.