Tag Archives: Identity Assurance


eMail Highlights a Data Protection Conundrum


eMail poses some interesting challenges from the information governance perspective, challenges that have been carried forth since the birth of personal computing and early misjudgements made in establishing this new computing concept.


The issue is the "personal", or rather the personalisation of user access and assignment of rights in a corporate setting. This has become a challenge for organisations trying to wrestle back ownership of corporate data through the introduction of identity and access management solutions and, most importantly, role-based access control (RBAC) models.

It is a fact that a great many users perceive the allocation of a user logon ID (usually some representation of their name) and the subsequent allocation of email, as something that is personal to them, and not just the means and tools provided by the corporation to help them perform their duties.

This is not helped in some respect by the right to privacy in the corporate setting automatically assigned by law, when in truth (ignoring personal use for the moment) the first claim on the corporate data contained within an email is surely with the employing organisation?

Data Protection Conundrum

This conundrum is perhaps best illustrated by the NHS’s own provision of a national (cloud-type) email offering (NHSmail), founded on the principle of NHS staff being allocated an email address for life! A concept that creates some potentially major information governance challenges and issues.

For example, nurse A works for a trust in the GNU clinic and routinely handles sensitive and private information, not all of it, granted, necessarily in a patient-identifiable form via email, but for the sake of argument assume that she has a function that warrants the use of email in this way.

Nurse A leaves the trust and takes up a post in another trust, in a different, less sensitive business function; according to the policy for NHSmail, she takes her mail account with her. Unless the first trust has a very robust starters and leavers admin and management process (a great many do not), any data (unless archived off by the user) goes with her to her new post. That’s information governance issue one.

The second information governance issue concerns the loss of continuity that arises from the fact that her replacement (and this is largely true of any mail system) will most likely never get sight of their predecessor’s communications.

Many staff, because they use email for personal as well as business purposes, will typically clean their mailbox down, this being more about protecting their personal privacy than about protecting those individuals whose information they may have been privy to.

Even if a user bothers to sort and sift when deleting, so as to leave behind relevant information for the person following into the role, the second information governance issue of disconnection still occurs, because likely as not the mailbox never gets reassigned; instead the new user gets a new mailbox.

Of course, email is just one example of a number of personalisation issues that came into existence; personal file shares and user-based permissions are other significant information governance concerns affected by the starters and leavers process.

Identity Assurance

Until identity and access management, and importantly the evolution toward RBAC, takes hold, organisations will continue to experience these issues and more, which are less about breaches of privacy and more about the perhaps less tangible aspect of discontinuity that results in the inefficient and costly working practice of learning it all again every time a staff role change occurs.

The commercial corporate world is moving fast with the adoption of identity assurance and RBAC solutions, because it recognises the cost and downside of not doing so. In health, of course, the sterling work of the CfH Identity Management Team and the NHS Spine implementation of RBAC for national apps provides a model; it is time now for this to be adopted at the local level.


NHS Identity Management – The importance of being!

NHS investment in Identity Management (IdM) technologies in recent years has not been as significant as one would expect, especially given that this very much underpins organisational Information Governance capability.

Paul White asks is this the time Identity Management in health comes of age!

Not Something for Everyone?

After the course of 2 years, and visits to over 200 trusts to promote the merits of identity and access management solutions, I had to take a step back and reflect on why it was proving so difficult to secure commitment, at least to progress exploration of requirements beyond a mild level of interest in what identity management technology had to offer.

It was not like I was the only one trying to encourage trusts to consider the merits of IdM solutions; in 2005 Connecting for Health invested nearly £20m in a Novell Enterprise Wide Agreement that incorporated Novell’s Identity Vault product licences.

Despite the Novell EWA underwriting a proportion of the solution costs, wide-scale adoption of the Identity Vault solution did not occur. In this case, though, it appeared to be down to a reluctance to readopt Novell technology, given that the majority of trusts had some years back migrated to standardise on Microsoft technology, rather than any lack of appreciation of the merits of IdM.

Although I had greater success in securing trust adoption of an alternative Microsoft technology based solution, even managing to establish market leading status in health, despite not having the same central funding support that Novell benefited from, achieving mainstream adoption across health of any IdM technology platform has proved too great a challenge for any single provider.

The reality was that, despite the business requirement and emphasis provided through the Information Governance toolkit for Identity Management, and ICT appreciation of what IdM could achieve, qualifying this into a business case to secure funds and commitment proved to be too challenging a piece of work in its own right.

Business Requirements Re-evaluated

Identity – the name or essential characteristics that identify somebody or something. In the case of information governance, for example, a role or function a person performs for the business forms an essential characteristic of a member of staff.

Technologies that the NHS largely already has in place, e.g. networking and data management systems, have an evolved capability to store a great level of detail about the professional characteristics of staff. For the best example of this, open your Microsoft Outlook message client and take a look at an address book entry or Outlook contact form.

Details in addition to forename, surname and email address can include employee IDs, department, job title, place of work, contact details and line manager, to name just a few of the more critical information governance elements.

Yet when you examine almost any directory service within an organisation you will be lucky to find anything more than just a user name and email address. Take a look at the NHSmail address book: 90% of the entries contain only a very basic set of details.

This may be for legacy reasons: older technologies that have since been migrated or upgraded never had the capacity to store more than basic details, and subsequent upgrade projects never took the opportunity to expand the level of information stored beyond what came from the legacy system.

One has to ask why, given the importance placed on the need for improved information governance, was the opportunity to increase the level of staff identity information stored in the system not a key deliverable of any technology upgrade or refresh projects?

Should identity information be added? Simply, yes. It is an imperative element of information governance; without it, organisations and users cannot validate access rights, because they cannot easily identify individuals, their roles, and their relationships to departments and others within the organisation hierarchy and structure.

Case for Identity Management, a no Brainer!

Focus just on users such as Information Asset Owners and Heads of Department, people who are much closer to the change management that needs to be implemented, such as staff changing roles, promotions, leavers and new starters.

These overworked staff are engaged in what is quite often a convoluted paper-based administration process, which many of the organisations I have met with readily admitted to be an untimely, error-prone and consequently very unreliable approach.

Many went further in acknowledging that their network, back office and clinical systems contained a disjointed and wide variation of information on end users, as a consequence of which compliance audits are either almost impossible, or at least extremely costly, to achieve.

Yet modern network technologies provide mechanisms for greatly simplifying the assignment of user access controls and permissions, reliably and automatically, through features such as group or role-based policies, which utilise information such as location of work, staff job functions or roles to determine and implement permissions and access controls accordingly and automatically.
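The attribute-driven assignment described above, as an added sketch that is not part of the original article or of any vendor's product: rules map directory attributes to role entitlements (including a role mailbox that stays with the post), and a reconcile step yields the grants and revocations for a mover, a successor and a leaver. All attribute names, roles and entitlement strings are constructed assumptions.

```python
"""Attribute-driven role assignment with mover/leaver reconciliation.
All attribute names, roles and entitlement strings are constructed samples."""

# Each rule: attributes that must match -> entitlements granted by that role.
ROLE_RULES = [
    ({"department": "Clinic A", "job_title": "Staff Nurse"},
     {"mailbox:clinic-a-nursing", "share:clinic-a-records"}),
    ({"department": "Outpatients", "job_title": "Staff Nurse"},
     {"mailbox:outpatients-nursing", "share:outpatients-rota"}),
    ({"employment_status": "active"},
     {"network:logon"}),
]


def entitlements_for(record):
    """Return the entitlements a directory record qualifies for.
    A missing or non-active record (a leaver) qualifies for nothing."""
    if record is None or record.get("employment_status") != "active":
        return set()
    granted = set()
    for required, grants in ROLE_RULES:
        # A rule applies only if every required attribute is present and equal.
        if all(record.get(k) == v for k, v in required.items()):
            granted |= grants
    return granted


def reconcile(current_grants, record):
    """Compare what an account holds with what its attributes justify."""
    target = entitlements_for(record)
    return {"grant": sorted(target - current_grants),
            "revoke": sorted(current_grants - target)}


# Constructed scenario: nurse A moves posts, nurse B takes over the old post.
nurse_a_before = {"employee_id": "E1001", "department": "Clinic A",
                  "job_title": "Staff Nurse", "employment_status": "active"}
nurse_a_after = dict(nurse_a_before, department="Outpatients")
nurse_b = {"employee_id": "E1002", "department": "Clinic A",
           "job_title": "Staff Nurse", "employment_status": "active"}

if __name__ == "__main__":
    held = entitlements_for(nurse_a_before)
    print("mover:    ", reconcile(held, nurse_a_after))
    print("successor:", reconcile(set(), nurse_b))
    print("leaver:   ", reconcile(entitlements_for(nurse_a_after), None))
```

Because the mailbox and file share hang off the role rather than the person, the mover loses them on the change of department and the successor inherits them, which addresses both the data-leaves-with-the-user and the loss-of-continuity issues.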

The benefits of utilising these technology features are numerous and extend well beyond just those of good information governance practice. For example, automation of user account creation and administration will free up valuable technical and systems administration resource, which can instead be put to more productive and useful work, such as developing systems rather than just running them.

Information governance risk and the likelihood of issues occurring through inappropriate access or misadventure are also greatly reduced, with the added benefit of being able to demonstrate that a robust and reliable approach is taken on access control.

However, one of the initial root causes of the current state of affairs is the fact that the native “out-of-the-box” systems administration tools provided are just not user friendly, nor easily implemented in a way that only provides access to functions and features that are relevant; they tend administratively to take an all-or-nothing approach when it comes to granting administrative rights.

Resolving the Challenge

All is not lost: specialist identity and access assurance solution providers are in abundant supply, a great many with a mature, proven and highly flexible set of solutions that resolve this NHS information governance dilemma.

By providing business- and user-friendly administration interfaces, complemented with reliable and timely workflow services, they allow information asset owners and heads of department to be properly engaged in the process of user account administration and access rights authorisation and revocation.

A huge tick-in-the-box for NHS Information Governance Toolkit (IGT) requirement:

  • 305 Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems,

and a significant contribution towards helping organisations better achieve the IGT audit requirement:

  • 206 There are appropriate confidentiality audit procedures to monitor access to confidential personal information.

The fact is that, with a well-qualified set of user identity metrics readily accessible to all staff, a significant number of IGT level 2 requirements become much easier, and consequently more cost effective, to achieve.

Furthermore, the current cost of administration and management of the various systems can be greatly reduced, as a result of Identity Assurance technology’s comprehensive interface capabilities that automate integration of multiple identity data sources, provisioning of user accounts and access rights management across all systems (network, business and clinical).

This provides organisations with the ability to demonstrate delivery of Quality, Innovation, Productivity and Prevention (QIPP) cost savings and efficiency gains, especially with regard to back office administration and management functions.

Everybody benefits

Having a solid identity management foundation is an information governance pre-requisite. It is possible to establish manual processes and procedures to address this requirement, but not cost effectively nor efficiently; human frailties unfortunately prevail.

With modern Identity Assurance Solutions the human frailties are removed, ensuring that a reliable, robust, timely and assured process for identity and access management is established, delivering a consistent approach to staff identities on all systems and making assurance of rights and access activities easy to achieve.

The organisation also ends up with a better informed user community, with colleague information readily accessible through user-friendly technologies such as the Outlook address book, greatly enhancing the opportunity for staff collaboration through increased understanding of colleague roles and functions and, most importantly, the opportunity for users to validate the appropriateness of information sharing.

Better yet, being able to demonstrate the reliable maintenance of identities and access rights for the entire organisation will secure the support of regulators, and most importantly the patients and public. A must if investment in electronic patient records and electronic health systems is to secure patient engagement and participation.


Courion Selects eCulture Solutions as Key Solution Partner


NHS specialist will focus on providing Courion’s solutions to manage access governance across UK

London, UK 6th June 2011 — Courion Corporation, the leading provider of access risk management solutions that help organizations cost effectively deal with compliance and security risk, has selected eCulture Solutions as a Solution Partner in the UK to offer healthcare trusts the ability to improve their risk management strategies with automated identity and access governance (IAG) solutions.

eCulture Solutions specialises in providing IAG solutions to healthcare organisations and is an expert in serving NHS foundations in particular. The organisation is well-versed in the details of the Information Governance Toolkit — the NHS standard from Connecting for Health — which describes the required safeguards for, and appropriate use of, patient and personal information. By partnering with Courion to offer best-in-class user access management and compliance solutions, eCulture Solutions can help Trusts to define, assess, enforce and verify their access policies so that all user access is appropriate and compliant with policies.

“We’ve found that Courion’s Access Assurance Suite™ addresses the guidelines set out by the NHS Information Governance Toolkit to safeguard personal health information more comprehensively than any other provider,” said Paul White, managing director of eCulture Solutions. “Courion brings a wealth of expertise and understanding to the table. The company has been identified by Gartner as a Leader in this space for the past few years and has a very clear IAG focus. It is very refreshing for our customers to see a suite that is truly fit for this purpose.”

“As well as monitoring users for accidental or malicious use of data, Courion’s User Activity Manager integrates identity with reports and alerts, merging a unique identity profile to user activity information, so that managers are able to identify users who are not making full use of the systems at their disposal,” added White.

“Confidential data, and access to it, is of huge importance for all UK government departments,” said Marc Lee, EMEA sales director at Courion. “With eCulture Solutions, we have a partner that understands what NHS managers specifically need, and what the Information Governance Toolkit requires, at a very detailed level.”

Courion’s unique approach to identity, access and compliance management ensures that only the right people have the right access to the right resources and are doing the right things. Access Assurance unifies Access Governance, Access Compliance and Access Provisioning in the most complex, heterogeneous environments. This comprehensive approach increases operational efficiency and transparency, strengthens security, and improves compliance, while delivering the industry’s fastest time to value and lowest total cost of ownership.

About Courion

Courion’s award-winning Access Assurance Suite solutions are used by more than 450 organizations and over 12 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion’s business-driven approach results in unparalleled customer success by ensuring users’ access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at www.courion.com, our blog at blog.courion.com, or on Twitter at twitter.com/Courion.


