Microsoft Infrastructure Optimization
Customer Solution Case Study
Healthcare Staffing Firm Automates User Provisioning to Boost Efficiency, Compliance
Overview
Country or Region: United States
Industry: Healthcare
Customer Profile
Maxim Healthcare maintains a network of approximately 85,000 healthcare professionals that are dedicated to meeting diverse client needs in a variety of care settings—from hospitals to private homes.
Business Situation
To build its competitive edge and enhance its responsiveness to changing industry regulations, the company needed a way to boost the efficiency of IT operations and tighten network security.
Solution
The company teamed with Microsoft Gold Partner Logic Trends to develop an identity and access management strategy and deploy Microsoft Forefront Identity Manager 2010.
Benefits
  • Improved identity data control
  • More accurate user management
  • Increased developer efficiency
  • Tighter industry compliance
“With Forefront Identity Manager, we have a familiar set of tools for more tightly controlling the flow of identity data across all of our systems.”
Martin Hardy, IT Services Manager, Maxim Healthcare
Columbia, Maryland–based Maxim Healthcare needed a way to better manage employee identity information across a number of different business systems. Without the ability to link these systems, the company had to rely on manual processes for provisioning user accounts. These processes were time intensive and exposed potential security gaps. To accommodate rapid growth, the company also needed a more accurate and efficient way to incorporate identity data into its application development lifecycle. In March 2010, Maxim Healthcare engaged with Microsoft Gold Partner Logic Trends for help in devising an identity and access management strategy and implementing Microsoft Forefront Identity Manager 2010. Now, the company has automated the creation of user accounts and security groups to save time and simplified the management of access control policies for improved compliance.

Situation

Maxim Healthcare was founded in 1988 in response to a nationwide nursing shortage in the United States. Over the past two decades, the company has evolved into one of the fastest growing healthcare staffing firms in the country. It employs approximately 3,700 full-time nonmedical staff and maintains a network of approximately 85,000 care providers. At any point during the year, the company has up to 28,000 fully trained nurses and other medical professionals working in a variety of care settings. Through its Home Care offering, the company provides healthcare professionals who assist patients in their own home. Its staffing service is designed to meet the personnel needs of hospitals, clinics, insurance providers, and related entities.

Challenge of Managing a Large External Workforce

Historically, Maxim Healthcare has been able to leverage the size of its workforce to maintain its edge in the highly competitive healthcare staffing market. The company has 480 offices nationwide and personnel at each location are able to support local clients in a highly responsive way.

However, the corollary to this advantage is the challenge of providing training for such a large, geographically dispersed pool of workers. Because the company lacked the IT infrastructure to provide medical staff with remote access to network files and applications, staff needed to travel to local offices to attend trainings and take certification exams in person. Human Resources employees then printed and filed away hard copies of training certificates in each employee’s personnel file. “It was quite a burden on the individual offices,” says Martin Hardy, IT Services Manager at Maxim Healthcare. “Managers needed to coordinate visits on days when there would be workstations available and allocate space for all of the paper records.”

The company must comply with stringent government and industry regulations concerning certification of its direct-service staff, which means—in part—rigorously documenting training. But reliance on paper records and manual processes for tracking the status of these workers made auditing and reporting extremely labor intensive.

Need to Synchronize Identity Databases and Tighten Network Security

The company was also looking for a way to tighten access to resources within its corporate firewall. In particular, it sought to limit or control access to applications used in processing sensitive patient information. In alignment with corporate governance risk requirements, the company needed to establish and demonstrate proper IT controls, including demonstrating the strength and complexity of user passwords.

Maxim Healthcare tracked employee information in several different systems, including its human resources (HR) management system, its accounting and payroll systems, and its Active Directory service. However, none of these systems was synchronized. IT staff needed to hand-key employee data into the Active Directory database to set up new user accounts. “We cloned existing accounts to save time, but this sometimes led to errors,” says Hardy. “It meant that some users would get inadvertently locked out of applications while others were given access rights that didn’t align with their role in the company. Without a way to automate account provisioning and group management, we faced a potential compliance risk.”

As a matter of practice, the company did not associate a unique identification number with each individual employee, which made preserving the integrity of identity data even more difficult. Business and IT systems contained duplicate identity data in some instances; in other cases, employee profile information was inconsistent—and even inaccurate—across the different databases. “We didn’t have a true, authoritative identity source, which made implementing and enforcing role-based access policies practically impossible,” says Hardy. In alignment with corporate governance risk requirements, Maxim Healthcare needed to establish and demonstrate proper IT controls.

Goal of Streamlining Access Request and Development Processes

In turn, the lack of a current, centralized repository for managing identity data undermined the rigor and efficiency of both the company’s access request and application development processes. To build the access control component of a new application, developers typically extracted user data from the company’s accounting system. “Occasionally, a job function or some other relevant detail for a given person was listed inaccurately in the accounting system,” says Hardy. “After we’d built, tested, and pushed out the application, we’d hear back from users who couldn’t log on because of a permissions error.” Also, the company used an internally developed application to handle employee requests for access to security groups and distribution lists. Although the tool automatically processed and queued user requests, IT staff needed to manually fulfill these requests, which led to delays.

Executives emphasized the need to more efficiently manage the processes of training and certification of contract employees, to simplify compliance reporting, and to strengthen network security. “To realize gains in these areas, we needed to shift our whole approach to identity and access management,” says Hardy. “We needed a comprehensive solution that we could implement quickly and adapt over time using existing skill sets.”

Solution

After evaluating several options, executives selected Microsoft Forefront Identity Manager 2010. In March 2010, Maxim Healthcare reached out to Microsoft Partner Logic Trends, an Atlanta, Georgia–based IT consulting and services firm that specializes in implementing and extending identity and access management solutions.

Consolidated Identity Data

Hardy and his team worked closely with Logic Trends to define an identity and access management strategy, which included a multiphase deployment plan. As a first step, the joint team opted to designate the company’s HR system, which links tightly with its payroll system, as the authoritative source for identity data. This helped to remove orphan accounts in systems that receive data from the HR system and reduced the number of unnecessary groups in the Active Directory database. Next, they began the process of associating a unique identification number with each employee record in the payroll system database. “By removing redundant identities, we can ensure much higher application success rates and eliminate a lot of the manual data cleansing we needed to do before,” says Hardy.

Automated User Account Setup

In November 2010, Logic Trends helped Maxim Healthcare deploy Forefront Identity Manager and connect the solution to the company’s HR and payroll system databases, as well as its Active Directory environment. Now, through a daily synchronization operation executed in the solution, identity information is automatically imported from the HR system into Forefront Identity Manager and then merged with data in Active Directory.

By configuring synchronization rules through the solution’s Administrator Portal—taking advantage of the solution’s codeless provisioning capabilities—the Maxim Healthcare team is able to fully automate the creation of new user accounts for internal employees. The completion of a new employee record in the HR and payroll systems—one that is distinguished by an absolute numerical reference—triggers the creation of a unique user account in Active Directory. This activity also automatically creates an email account in the Microsoft Exchange Server database. Within the first few weeks following the deployment, Maxim Healthcare used Forefront Identity Manager to automatically create nearly 800 users and groups.

To ensure additional auditing and control, the company chose to use the workflow tools in the Administrator Portal to enable email notifications for application custodians and staff managers based on specified user management events. “Automating the creation of user accounts definitely saves us time, but more importantly, it improves accuracy; we know we can provide applications with well-managed, clean identity data,” says Hardy.

Standardized the Creation of Security Groups

The company uses the rich demographic data available in its payroll system to standardize the creation of high-level security groups. Group lists are now managed automatically in Forefront Identity Manager, based on such predetermined conditions as an employee’s job title or departmental affiliation. Whenever an event occurs that affects one of these conditions—when an employee gets promoted, for example—this change is applied across all relevant security groups. By automating this function in the solution, the company has eliminated the need for IT help-desk staff to spend time validating and fulfilling individual group membership requests. Demonstrating the pervasiveness of its identity and access management solution, and the solution’s growing importance to the business, Maxim Healthcare has used Forefront Identity Manager to complete 32,150 user and group attribute updates. This includes moving nearly 2,000 users and groups to the correct organizational unit.

The company is also in the process of linking the solution with the Logic Trends Self-Service Password Management tool. It will use this self-service tool to help bring down help-desk costs and address regulatory requirements related to password strength. Programmers can then rely on the strong user-generated credentials in Active Directory to save development time and improve application security.

Simplified Policy Authoring and Enforcement

With Forefront Identity Manager, the Maxim Healthcare team enjoys the ability to centrally administer and manage policies governing access rights for users and groups. Through a portal interface based on Microsoft SharePoint Server, administrators can quickly define access policies using menu-driven controls and natural language descriptors, thereby reducing the need to create additional code. From within the portal, they can also modify existing workflows and design new workflows to guide how these rules are implemented and managed across the organization.

Plan to Build on Early Successes

Maxim Healthcare is planning to build on the momentum gained from developing an identity and access management strategy based on Microsoft technologies. Now, the company can apply this strategy, along with its deeper understanding of the solution components, to meet additional security, automation, and user-experience requirements as they emerge.

Through continuous improvements to its internal- and external-facing Active Directory architecture and data model, Maxim Healthcare is well positioned to provide security beyond its corporate network. The company currently uses several cloud-based applications to provide a range of corporate services, and it plans to embrace an online services–based model to support external workers. Maxim Healthcare is working closely with Logic Trends to develop a strategy and solution to align with increasing adoption of cloud-based applications. The company will build on previous work to properly configure and manage its Active Directory environment, automate group policy enforcement, and federate authentication and security policies across various systems.

By using Forefront Identity Manager, together with Active Directory Federation Services 2.0, the company will be able to manage the access rights of external employees and groups with the same level of control that it applies to internal employees. “We developed a web portal that will let our healthcare providers log on from anywhere and take the training courses they need,” says Hardy. “And we’ll be able to more quickly and accurately track their certification status.”

Benefits

By deploying Microsoft Forefront Identity Manager 2010, Maxim Healthcare has increased the efficiency of IT administrator and development tasks and strengthened network security. With a standardized identity and access management framework in place, the company can pursue an aggressive growth strategy while ensuring compliance with stringent regulatory requirements.

Improved Control of Identity Data

Instead of attempting to manage redundant and sometimes inaccurate identity profiles across numerous systems and hundreds of business applications, Hardy and his team can now track this information in a single place. “With Forefront Identity Manager, we have a familiar set of tools for more tightly controlling the flow of identity data across all of our systems,” says Hardy.

Faster, More Accurate User Account Creation

Because this process is now handled through Forefront Identity Manager, IT administrators no longer need to manually generate new user accounts. This improvement saves the IT team a total of 22 hours a week. The automatic synchronization of identity data between the company’s payroll system and Active Directory also minimizes the need for IT staff to spend time continuously reconciling employee profile data between these systems.

Increased Efficiency, Quality Control of Development Process

The development team at Maxim Healthcare can now rely on a current, authoritative source for user information as they build new applications. The company anticipates that this will help accelerate the development lifecycle and reduce errors that prevent authorized users from logging on to the applications they need to do their jobs. “Our developers appreciate the ability to turn to one, reliable data source for identity information,” says Hardy. “It not only simplifies the development process, but it also leads to tighter access control and ultimately contributes to a better user experience.”

Enhanced Compliance with Healthcare Industry Regulations

With access to such capabilities as policy-driven, role-based access to network resources—together with powerful system auditing and reporting tools for documenting staff training—Maxim Healthcare is equipped to meet an expansive array of industry regulations. “Because we have strengthened our IT governance structures in so many different ways by using Forefront Identity Manager, we can be more responsive in meeting changing compliance rules. This agility gives us a big competitive edge,” says Hardy.


Microsoft Infrastructure Optimization

With infrastructure optimization, you can build a secure, well-managed, and dynamic core IT infrastructure that can reduce overall IT costs, make better use of resources, and become a strategic asset for the business. The Infrastructure Optimization model—with basic, standardized, rationalized, and dynamic levels—was developed by Microsoft using industry best practices and Microsoft’s own experiences with enterprise customers. The Infrastructure Optimization model provides a maturity framework that is flexible and easily used as a benchmark for technical capability and business value.

For more information about Microsoft infrastructure optimization, go to: