Rotterdam-based Pameijer foundation, which supports people with psychological problems or intellectual disabilities, is using an identity and access management (IAM) system to ensure that employees only have access to the data of their current clients.
The system is linked to the organisation’s planning system to provide quick and appropriate access rights.
Given the sensitive data Pameijer deals with, the system is more efficient and safer than previous manual methods, said project manager Marien Geense at Pameijer.
In the past, access rights were manually attached to people. “That was time-consuming, inefficient and error-prone,” said Geense, strategic ICT consultant at Pameijer.
“It's common in almost every organisation that new employees don’t have the proper access rights on their first day at work,” said Geense. “In our job that means that every hour that a care giver spends obtaining the proper rights, a client gets less care. This leads to frustration among employees.” Pameijer employs about 2,500 people serving some 5,000 clients.
Staff at Pameijer had long held the view that access rights could be arranged more efficiently, so they began to develop a tool for the organisation. “But that was a complex job,” said Geense. “In addition, there were changes in legislation and regulations which made the privacy aspect of our clients' data more important.”
“We also wanted to remove the management of the access rights from ICT to the employees and their managers.”
Automate as much as possible
The foundation began with organising information. Definitions of all concepts and notions were created, to make sure everyone was talking about the same thing. The processes were then examined and it was decided what steps in the processes could be automated.
“We wanted to remove as many manual actions as possible, to reduce the likelihood of errors,” said Geense. It was at this point Pameijer went looking for a supplier to provide a graphical tool that employees could manage for themselves.
“We wanted our people to obtain the necessary rights by simply clicking, without the need for extensive database knowledge. Another requirement was that we wanted to associate applications based on role-based access control (RBAC). And of course it had to be a stable supplier with expertise and knowledge of the healthcare market.”
Pameijer selected Baarn-based software developer Tools4ever. “We had already done a lot of work, looking at the information in our systems for the source systems and the necessary information for accessing. We could tell the supplier very clearly what we had in mind with the architecture and design of the system.”
The implementation of the IAM system was conducted in phases, said Geense. A new employee is created in the personnel system and filled with all necessary information, such as the facility or location where they are employed. This ensures that a user with the correct values will be created in the Active Directory. The workflow must then be configured so that the manager receives a mail with all the details of the new employee. “At the time the new employee starts, he or she has the right password and the system knows what rights he or she has.”
Previously, the access rights were entered manually by an administrator without considering the lifecycle of an account. “That made the process more time-consuming and error-prone. Now changes – such as the location where staff work or which manager they fall under – are automatically processed so that, immediately after the change is made, the new rights are available.”
When an employee leaves the foundation, the user's account is automatically disabled in the Active Directory and after a time it is automatically removed, including all the user's data associated with the account. “That saves unnecessary costs for storage and inactive accounts,” said Geense.
Linking with the work schedule
The most innovative part of the implementation is the connection to the work schedule. The system is linked to the schedule and refreshed every 30 minutes, allowing Pameijer to assign the appropriate rights fast. “The care sector makes extensive use of flexible workers, they work throughout our whole organisation,” said Geense. “These people often need quick rights to electronic client files. Previously the IT administrator would be asked, even late at night, to assign the rights. That took a lot of time. By linking with our schedule, the people who are scheduled also instantly receive the correct permissions.”
“Where working schedules at many other institutions are static and often subsequently have to be adjusted manually, we have a dynamic schedule that is always up to date. That means that people should be very precise in scheduling, otherwise they do not have the appropriate rights.”
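The schedule-driven assignment described above, reduced to its reconciliation step, as an added example that is not Pameijer's or Tools4ever's code. It assumes rights are scoped per location; the shift records, account names and the one-interval lead time are constructed for illustration.

```python
from datetime import datetime, timedelta

REFRESH = timedelta(minutes=30)  # sync interval stated in the article


def ts(text):
    """Parse an ISO timestamp (helper for the constructed sample data)."""
    return datetime.fromisoformat(text)


def entitled(shifts, active, now, lead=REFRESH):
    """(employee, location) pairs that should hold access at `now`.

    `lead` is an assumption: granting one refresh interval early means the
    rights already exist when the shift starts, whatever the sync phase.
    """
    return {
        (s["employee"], s["location"])
        for s in shifts
        # Disabled or departed accounts get nothing, even if still scheduled.
        if s["employee"] in active and s["start"] - lead <= now < s["end"]
    }


def reconcile(shifts, active, current, now):
    """Return (to_grant, to_revoke) relative to the grants currently held."""
    wanted = entitled(shifts, active, now)
    return wanted - current, current - wanted


# Constructed sample schedule: a night shift crossing midnight, a later shift
# at a second location, a day shift, and a shift for a disabled account.
SHIFTS = [
    {"employee": "flex01", "location": "loc-A",
     "start": ts("2024-03-01T22:00"), "end": ts("2024-03-02T06:00")},
    {"employee": "flex01", "location": "loc-B",
     "start": ts("2024-03-02T14:00"), "end": ts("2024-03-02T18:00")},
    {"employee": "emp02", "location": "loc-A",
     "start": ts("2024-03-02T06:00"), "end": ts("2024-03-02T14:00")},
    {"employee": "left03", "location": "loc-A",
     "start": ts("2024-03-02T06:00"), "end": ts("2024-03-02T14:00")},
]
ACTIVE = {"flex01", "emp02"}  # accounts enabled in the directory

if __name__ == "__main__":
    held = {("flex01", "loc-A"), ("left03", "loc-A")}
    for when in ("2024-03-02T05:45", "2024-03-02T06:15"):
        grant, revoke = reconcile(SHIFTS, ACTIVE, held, ts(when))
        held = (held | grant) - revoke
        print(when, "grant", sorted(grant), "revoke", sorted(revoke))
```

Because the sync is periodic, a grant can outlive its shift by up to one refresh interval; the lead time trades an equally short early grant for access at shift start.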
Communication to employees
The communication to employees about the new system was important to Pameijer. Because the value is visible, this was easy, said Geense. “But people do not like change, so there was grumbling among employees for about a week or two. There are also people who do not like that they suddenly have to give up certain rights they acquired earlier,” said Geense.
“But because we could explain what the new system did for them and our clients, virtually all employees became enthusiastic.”
He said the self-management of personal data for employees proved attractive. Because less time needs to be spent on obtaining access rights, there is more time for the clients.
He added that it is reassuring for clients to know that their data at Pameijer is in safe hands. “Only the people who take care of them have access to their data at that time.”
Efficient, effective and safe
The major challenges of this project were mainly in restoring order to the source data, said Geense. “If the source data is not correct, then everything goes wrong.”
He said the organisation took the opportunity to take a critical look at how it is organised. “For example we wondered whether it is really necessary that managers can’t see the reports of other locations and managers.”
The company then decided to open those reports up and has added more transparency into the organisation as a result. Pameijer invested significant time at the beginning of the project in sorting out the right information and source systems, but can now work on being more efficient, effective and safer. “In the interests of our clients, we continue to work on improving.”