Microsoft Windows Server System
Customer Solution Case Study
Children’s Hospital Streamlines IT Authentication, Eliminates Manual Processes
Overview
Country or Region: United States
Industry: Healthcare
Customer Profile
Children’s Hospital Boston is one of the most successful pediatric hospitals in the United States. Each year, it treats 18,000 inpatients and delivers emergency and outpatient care to 300,000 people.
Business Situation
Children’s worked with multiple directory services to manage access to its IT applications. As a result, it was difficult to support effective authorization across the organization.
Solution
The hospital deployed Microsoft® Active Directory® Application Mode as an integrated directory service, and Identity Integration Server 2003 to update identity information between applications.
Benefits
Compliance with regulatory legislation
Enhanced password management
75 percent reduction in manual data management tasks
New workflow capabilities that enhance operational efficiency
Enterprise-class reliability for business continuity
“Using Active Directory Application Mode and MIIS [Microsoft Identity Integration Server], we can successfully enforce … key employee authorization functions.”
Scott Ogawa, Chief Technology Officer, Children’s Hospital Boston
Children’s Hospital Boston, one of the most successful pediatric hospitals in the United States, supports its clinical and administrative activities with a range of IT applications. Access to these was traditionally managed using a Sun iPlanet directory, but isolated islands of identity information made it difficult to authenticate users effectively. To address this, Children’s deployed a platform-independent directory service based on Microsoft® Active Directory® Application Mode. Children’s also implemented Microsoft Identity Integration Server 2003 to automatically synchronize data between systems. As a result, identity information is accurate and up-to-date, helping ensure compliance with regulatory legislation. In addition, manual data management has been reduced by 75 percent, freeing administrators to focus on value-added development activities.

Situation

For the sixteenth year running, U.S. News & World Report has rated Children’s Hospital Boston (Children’s) among the top U.S. hospitals specializing in pediatric care. With 347 beds, the hospital is one of the largest pediatric medical centers in the country. It offers a comprehensive range of healthcare services for babies and children, including advanced medical treatments for fetuses through the Advanced Fetal Care Center. Children’s admits approximately 18,000 patients each year, while emergency services and 150 outpatient programs deliver care to more than 300,000 patients annually.

The hospital’s clinical staff comprises approximately 800 active medical and dental professionals, 700 residents and fellows, and 3,300 additional full-time employees, including 800 Patient Services specialists. In total, Children’s employs 8,000 people, 800 of whom are highly trained volunteers. The organization is the primary pediatric teaching hospital of Harvard Medical School, where most Children’s physicians hold faculty appointments.

Children’s is home to one of the world’s largest pediatric research facilities, where 1,200 scientists and support staff are developing new treatments for some of the most severe medical conditions. Research initiatives currently underway have attracted U.S.$120 million in funding.

The hospital uses a range of IT applications to support its clinical, patient administration, and enterprise resource planning activities. These are based on a number of vendor systems, such as Cerner, PeopleSoft and Oracle, and on custom software developed in-house. “Our clinical applications manage any function that has a direct impact on patient care, including physician orders, neurology, pharmacology, and oncology,” says Scott Ogawa, Chief Technology Officer at Children’s Hospital Boston. “At the same time, we use a range of patient administration tools to handle accounting, registration and billing, and additional administrative and financial applications for human resources, payroll, and other enterprise resource planning requirements.”

Critical clinical applications at Children’s include Cerner Millennium, which is currently being deployed to the entire clinical community. This technology manages clinical functions, such as laboratory processing, electronic patient records, pharmacy, and radiology, and must be constantly available to ensure the highest-quality patient care.

Information, user permissions, and profiles required to access 75 key applications were managed using a Sun ONE Directory Server. At the same time, access to Microsoft® desktop productivity tools was based on the Active Directory® service, requiring Children’s IT staff to manage two disparate directories. In addition, many isolated islands of redundant identity information relating to users and IT equipment existed across the organization.

“Key identity information—such as e-mail addresses, pager numbers, and passwords—was stored in individual applications,” says Ogawa. “As a result, we had no reliable way to ensure that important identity information remained accurate, and it was difficult to authenticate users effectively. To address this, we wanted to standardize identity information and authentication processes for all our vendor and bespoke applications across the hospital.”

Solution

During its search for a new, fully integrated directory service, Children’s Hospital Boston evaluated a range of directory technologies. Active Directory was the preferred candidate for the new directory service because the technology had been operating successfully in the hospital’s IT environment for two years with no downtime. In addition, Children’s had existing expertise in the use and administration of the technology, which provides a single user name and password for each employee. However, there was a concern when it came to extending the existing Active Directory service.

“We looked at implementing Active Directory authentication across the hospital, but we have a heterogeneous application environment that is mostly based on non-Microsoft technologies,” says Jim Shattuck, Architect at Children’s Hospital Boston. “As a result, it would have been complicated to standardize authentication processes across our multiple domains.”

To address this issue, Children’s decided to deploy Active Directory Application Mode (ADAM), the Lightweight Directory Access Protocol (LDAP) directory service that Microsoft ships with the Windows Server® 2003 operating system. This technology, which was deployed in 2004, is built specifically for directory-enabled application scenarios and runs independently of the heterogeneous operating systems the applications use. A compelling advantage of ADAM was its ability to proxy LDAP authentication requests to the appropriate Active Directory domain, so that adding the new directory service did not introduce an additional credential store. By using ADAM, the hospital created a comprehensive enterprise directory service based on authoritative information held in selected applications. At the same time, Children’s rolled out Microsoft Identity Integration Server (MIIS) 2003 to synchronize identity information between diverse applications running on UNIX, Oracle, and third-party repositories.

With this solution, Children’s has increased the integrity of its metadata and reduced the manual tasks associated with updating employee demographic and infrastructure information in disparate systems. “Previously, new Children’s employees filled out paper forms and sent e-mail to gain access to key applications, such as patient records,” says Ogawa. “Now, new employees can be added to a single directory and quickly provisioned with most of the applications that they need to work effectively.”

In addition, Children’s has created a range of new automated workflow processes across the organization. These include:

• Timely communication. Children’s uses bulk and targeted e-mail to update employees with financial and employment information. E-mail addresses were previously stored in PeopleSoft systems that were updated weekly by an administrator using spreadsheets of new employees and employee name changes. This process was slow, monotonous, and sometimes inaccurate. Using MIIS 2003, Children’s integrated its PeopleSoft financial and human resources applications. Information in these Oracle systems now directly updates with authoritative e-mail address data from Microsoft Exchange Server every 15 minutes. As a result, e-mail data in the PeopleSoft systems is current and accurate, and all employees receive important financial and employment communications in a timely manner.

• Authorization for nursing applications. Children’s works with multiple applications used exclusively by registered nurses. Previously, administrators had to manually grant access to these applications. As a result, the process was slow and potentially inaccurate, thereby jeopardizing compliance with regulatory legislation. Now, an access table of nurse identity information updates automatically every 15 minutes by leveraging authoritative job function data stored in PeopleSoft and using MIIS rules extensions. Only authorized nurses access restricted applications, and administrators no longer update nurse information manually.

• Accurate and up-to-date employee contact information. Employee phone and pager numbers were previously available on a Web site, in a phone directory, or from an operator. Key communication programs such as the Microsoft Office Outlook® 2003 messaging and collaboration client were updated with this information manually or not at all, because of high administrative costs. To address this issue, different communication applications can access identity information from ADAM. In turn, ADAM data is kept up-to-date by using MIIS. Now contact information can be updated automatically once a day in multiple applications from the central directory service. Employees can view their colleagues’ contact information onsite in Outlook 2003 and from outside the hospital using Outlook Web Access. Blackberry PDA phone users who synchronize with Outlook can now telephone colleagues without manually updating information themselves.

Benefits

Since implementing Active Directory Application Mode and Identity Integration Server, Children’s has automated the flow of 25 user, printer, and computer attributes to more than 20 applications, databases, and directories. In addition, the technology has been used to establish authoritative sources for all identity-related data throughout the hospital, which has significantly enhanced the integrity and accuracy of key information and contributed to compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). As a result of the deployment, system administrators are free from the burden of monotonous, error-prone data entry and are focusing on value-added development initiatives for their respective user communities.

Increased Security Supports Compliance with HIPAA Legislation

Healthcare service providers are subject to rigorous HIPAA legislation related to personal health information security and patient privacy. The new infrastructure has given Children’s accurate and controlled access to applications based on sophisticated employee authentication and authorization rules. “Utilizing ADAM, we can successfully enforce password policies and password expiration dates by using the built-in user-proxy feature and existing strong Active Directory policies, while leveraging MIIS to drive complex employee authorization functions,” says Ogawa. “Accounts for employees who leave the hospital can be centrally disabled quickly and comprehensively from our systems, ensuring that only current employees access restricted data.”
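The user-proxy design described here and in the Solution section rests on one assumption: each ADAM userProxy object carries only the SID of the Active Directory account it redirects binds to, so disabling the AD account is what revokes access. The following reconciliation check is an added example, not code from the case study or from the hospital's deployment; it pairs a constructed ldifde-style export of userProxy objects with the AD accounts they point at and reports proxies whose account is gone or disabled, the stale objects that MIIS de-provisioning is meant to remove. All DNs, SIDs and account names are constructed.

```python
import base64
import struct

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled AD account

# Constructed sample exports (not from the page) in ldifde style: objectSid is
# written base64-encoded ("::"), exactly as ldifde emits binary attributes.
ADAM_LDIF = """\
dn: CN=alice,OU=Proxies,DC=apps,DC=example
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUAQAAA==

dn: CN=bob,OU=Proxies,DC=apps,DC=example
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUQQAAA==

dn: CN=dave,OU=Proxies,DC=apps,DC=example
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUwQAAA==
"""
AD_LDIF = """\
dn: CN=alice,OU=Staff,DC=corp,DC=example
userAccountControl: 512
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUAQAAA==

dn: CN=bob,OU=Staff,DC=corp,DC=example
userAccountControl: 514
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUQQAAA==
"""


def parse_ldif(text):
    """Split LDIF records on blank lines; a '::' value is base64 and is decoded to bytes."""
    entries = []
    for record in text.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            attr, _, value = line.partition(":")
            entry[attr] = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        entries.append(entry)
    return entries


def sid_to_str(raw):
    """Binary SID layout: revision, sub-authority count, 48-bit big-endian authority, LE 32-bit sub-authorities."""
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d-%s" % (raw[0], int.from_bytes(raw[2:8], "big"), "-".join(map(str, subs)))


def reconcile(adam_ldif, ad_ldif):
    """Pair each ADAM userProxy with its AD account by SID and report the stale proxies."""
    ad_by_sid = {sid_to_str(e["objectSid"]): e for e in parse_ldif(ad_ldif)}
    report = {"orphaned": [], "disabled": []}
    for proxy in parse_ldif(adam_ldif):
        account = ad_by_sid.get(sid_to_str(proxy["objectSid"]))
        if account is None:  # the AD account the proxy points at no longer exists
            report["orphaned"].append(proxy["dn"])
        elif int(account["userAccountControl"]) & ACCOUNTDISABLE:
            report["disabled"].append(proxy["dn"])  # bind already fails; object should be de-provisioned
    return report
```

Orphaned proxies cannot authenticate anyone, but they still carry application roles and contact data, so the report is the list an administrator hands to the de-provisioning run.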

Auditors in the healthcare industry typically use comparative hospital data to assess HIPAA compliance. They then make general recommendations on how organizations can improve their operations. “Auditors talk about process automation and standardization for increasing security and ensuring compliance, but make few concrete suggestions,” Ogawa says. “We can show them real-world tools that demonstrate our compliance and specific examples of how technology is ensuring security, patient privacy, and operational efficiency.

“MIIS, for example, is used to drive the ‘lights-out’ provisioning of access to the Children’s primary clinical application, taking into account external information such as the successful completion of application competency tests and physician status. The constant availability of MIIS means that caregivers no longer have to wait for business hours to access clinical systems, helping them work more productively.”

Enhanced Password Management Streamlines Operations

By migrating all users from the Sun ONE Directory Server to ADAM, and deploying new LDAP-compatible applications to the Enterprise Directory, Children’s is swiftly approaching the point where it will no longer need to manage multiple passwords for each employee. In combination with an account management application, MIIS seamlessly manages provisioning and de-provisioning of applications to users in the ADAM directory.

“Users can now log on to 90 percent of hospital applications with their familiar Windows® user name and password,” says Shattuck. “This reduces administration associated with password resets and increases convenience for users. It also helps increase security and reduces incidents of lost or forgotten passwords.”

Efficient Account Administration Reduces Manual Data Management by 75 Percent

MIIS now conducts many of the mundane data management tasks previously undertaken by administrators. This technology frees technical employees to focus on tasks that directly benefit their user communities. “We have reduced the time previously required to manage users in the directory by 75 percent and redeployed administrative staff to more value-added activities,” Ogawa says. “As a result, we have avoided the need to hire additional personnel while our application landscape continues to grow in size and complexity.

“For example, we have not needed to increase employee numbers in our network operating system group,” he says. “This is incredible when you look at the number of new applications we have rolled out and the additional functionality available to end users. Making these improvements would have been impossible without hiring extra employees, but we achieved it by redeploying people from mundane administrative tasks to more abstract, value-added activities, such as development.”

New Workflow Capabilities Deliver Improved Efficiency

Traditionally, the storage of identity information in multiple repositories made it difficult to support complex workflow between applications. Children’s has addressed this issue through the creation of authoritative data sources using MIIS.

“Previously, it was difficult to orchestrate complex processes, such as communicating critical laboratory results,” Ogawa says, “because this requires access to clinicians’ email addresses, departments, pager numbers, and privileges, which are stored in different systems. Now, we have access to all this information in a fully integrated directory. If test results are critical, we can inform doctors much more quickly and effectively, and enhance the quality of patient care as a result.”

Reliable Directory Service Enhances Business Continuity

Children’s now has reliable access to information sources through its use of ADAM, which is based on reliable Active Directory technology. “We worked with Active Directory in our infrastructure for two years with no downtime,” says Ogawa. “In its first year in production at Children’s, ADAM has also been 100 percent reliable. More than 75 applications now rely on the technology for authentication and user information such as names, employee IDs, e-mail addresses, and application roles. In addition, server maintenance, such as operating system updates, no longer interrupts operations because ADAM servers use load-balancing technology and run in parallel across two data centers.

“In the improbable event of accidental object deletion or catastrophic directory corruption, we can recover data within two minutes by simply throwing a switch,” says Ogawa. “This is possible because ADAM supports a ‘lag site’ design. Between implementing ‘lag sites’ and network load balancing, the Children’s directory infrastructure has one of the more aggressive SLAs [service-level agreements] in the industry.”

Flexibility to Support Future Application Requirements Protects IT Investment

ADAM is a highly flexible directory solution that can help Children’s meet current and future authentication requirements. Shattuck says, “Schema and structural changes to the ADAM production environment can be made quickly and safely. This year, we have made 140 object class and attribute additions to the ADAM production environment with no disruption to normal services.”

Children’s recently completed a successful project with Cerner, a major medical application vendor, to integrate its application’s authentication and authorization layer with ADAM. “At Children’s, we roll out new applications all the time,” says Shattuck. “ADAM provides the flexibility that we need to rapidly adapt to change while ensuring network security and patient privacy, both now and in the future.”
