Automating Healthcare
Solving business problems with savvy automation

System Access — Who Has What?

Business problem
The biggest security risk for every business — by far — is its own workers. Although few wish to cause deliberate harm, many seek the most expedient way to get work done, heedless of any security problems this causes. To manage this risk, every business needs to know — at the very least — who has access to which systems and whether they are using their access.

Connecting everything
If your organization is large enough and wealthy enough to afford a user provisioning system with single-sign-on for all systems, read no further. But I work for a health care organization, and even the few health care organizations which can afford a user provisioning system will have some specialized systems that are not worth the effort to integrate.

We found it surprisingly difficult to obtain good data about user accounts, starting with the most basic account for the corporate network. A network engineer was able to create an automated process to extract a list of all active Windows domain accounts from the primary domain controller, together with the most recent login for the account. These two text files were created daily and then imported to a database by another automated process. When the organization later moved to Active Directory, it was easier to extract this data.

Even with current domain account data, we still needed a way to connect the domain accounts to our database of workers. Initially, we created a table of all workers, containing e-mail address, domain account, employee ID number, name, active status, etc. Later, when we built a more sophisticated user access application, all these bits of data became attributes of the worker, connected by the ITID and tracked in the user access database.

Next we began to work our way through the list of systems used in the organization, mining them for user account data. Most systems have a database containing the user accounts and some auditing data for those accounts. From those we pull the list of user accounts and, where available, the date/time of last login. In many cases, we also send automated requests for new system accounts to the system administrator for fulfillment. The graphic below shows the full set of connections between the intranet and other systems.

For the first time, the organization had complete and accurate data about all user accounts and usage. The initial effort was painful and time-consuming, but we worked through thousands of domain accounts, either connecting the account to a current worker or canceling the account. During this initial cleanup, over 2,000 network accounts for former workers were removed.
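As an added illustration (not code from the original post), here is a Python sketch of the reconciliation step described above: it joins a constructed daily domain-account export against a constructed worker table and flags accounts with no worker record, accounts belonging to inactive workers, and accounts an active worker has not used within 90 days. The file layouts, field names and the 90-day threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of the daily domain-account export (account, last logon).
# Hypothetical values, not real export data.
DOMAIN_ACCOUNTS = """\
jsmith,2008-03-10
rjones,2007-09-01
tmoore,2008-03-14
oldtemp,2006-01-20
"""

# Constructed worker table (ITID, domain account, active flag). Hypothetical.
WORKERS = """\
1001,jsmith,Y
1002,rjones,Y
1003,tmoore,N
"""

def parse_accounts(text):
    """Map account name -> last-logon datetime; names normalized to lower case."""
    accounts = {}
    for line in text.splitlines():
        if line.strip():
            account, last_logon = (f.strip() for f in line.split(","))
            accounts[account.lower()] = datetime.strptime(last_logon, "%Y-%m-%d")
    return accounts

def parse_workers(text):
    """Map account name -> (ITID, is_active)."""
    workers = {}
    for line in text.splitlines():
        if line.strip():
            itid, account, active = (f.strip() for f in line.split(","))
            workers[account.lower()] = (itid, active.upper() == "Y")
    return workers

def reconcile(accounts, workers, as_of, max_idle_days=90):
    """Return (orphans, departed, stale): no worker record / inactive worker / idle too long."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=max_idle_days)
    orphans, departed, stale = [], [], []
    for account, last_logon in sorted(accounts.items()):
        worker = workers.get(account)
        if worker is None:
            orphans.append(account)      # account with no worker behind it
        elif not worker[1]:
            departed.append(account)     # worker record is no longer active
        elif last_logon < cutoff:
            stale.append(account)        # active worker, but unused account
    return orphans, departed, stale
```

Each of the three lists is a candidate for follow-up (link to a current worker or cancel), which is the cleanup pass the post describes.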

Now, with accurate data about user accounts and usage, we could implement security policies for account management (more about that in System access — Use it or lose it).

Posted 17 March 2008
