Identity and access management in the healthcare sector
Secure and always ready for audits
As a healthcare provider, data security and being able to be audited at all times is essential. Read how Star-shl, a leading Dutch medical services provider, facilitated access and identity management. Frequent password changes are no longer pesky, repetitive tasks. The IT team is happy that they managed the integration of systems like Active Directory, Exchange on-premises, Windows servers, Windows servers, Citrix Virtual Desktop, Atlassian Jira and other industry specific legacy software. After all, queries proved to be very helpful providing just the right amount of information. Nothing more, nothing less. And at the end of the day, the auditors are content!
"People either don't think about automation – or they are reluctant to use scripts and a command line but rather use a GUI."
|Senior IT Specialist
- Connected systems: Help desk employees use Atlassian Jira to trigger actions in ScriptRunner.
- Security: Actions can be executed without needing full administrative access.
- Compliant and Auditable: Changes to the system are traceable.
- Queries: Powerful to provide exactly what a is allowed to.
Star-shl, a leading Dutch medical services provider, employs 1,300 people in different locations. Star-shl employees support and advise professionals such as general practitioners, midwives, and hospitals and healthcare institutions in the South-West area of the Netherlands. The company specializes in laboratory testing of blood, urine, and stool samples as well as imaging and function tests such as X-rays or ultrasounds. Star-shl uses digital technology to facilitate data flow and a logistics network between diagnostics centers, laboratories, and research facilities throughout their work area. As the company is working with sensitive patient data, they are under close scrutiny and frequently audited.
Ambition to build a portal
IT specialists at Star-shl had been automating queries and other tasks within Active Directory with PowerShell for some time. Identity and access management was time-consuming, including a lot of manual tasks and Excel sheets. They wanted to further pursue automation with PowerShell. However, they saw the need for a more user-friendly option than using the PowerShell command line. Yet having their own GUI build from scratch proved to be excessively time-consuming and did not lead to the desired result.
Getting started within a week
As a custom build portal did not bring the expected results in the set timeframe, Star-shl decided there was nothing to lose trying an off-the-shelf solution. But would ScriptRunner be up and running as fast as promised? Would it meet the industry-specific security requirements? Could the software faciliate identity and access management, and ease handling information of employees, their contracts, their different levels of access, and the like?
Challenge & Solution
Active Directory – initial use cases
The core of Star-shl's identity and access management is the authorization profile. Any change to existing users or creation of a new account meant that HR had to email or call a helpdesk employee to provide user information, Excel sheets had to be cross checked, accounts had to be mapped and created manually. Overall, there was a lot of potential for automation to save time and improve data quality and consistency. The initial use cases for ScriptRunner were all related to Active Directory. Actions were built to automate checking the system for existing IDs, to create accounts, or to provide membership in a security group. Processes like onboarding new colleagues, archiving inactive mailboxes, managing access rights during employment, or disabling accounts during offboarding were all simplified. Once an action is set up, it can be triggered manually, automatically (on a schedule), or by another system – at Star-shl, that system is Jira Service Desk, Atlassian’s help desk software.
Mastering frequent password changes
Due to increased security requirements, Star-shl employees must change their passwords at a certain frequency. The IT specialists have developed actions within ScriptRunner which make password changes possible without granting access to Active Directory. One option is a web portal that allows employees to reset their password, which is secured by confirmation via the employee's mobile phone. The other option involves a help desk colleague. The help desk employees have been working with Atlassian Jira for quite some time. Now, Jira is connected via a REST API and can trigger actions in ScriptRunner. When a particular checkbox is marked, Jira triggers the "Change password" action, and the specific change to Active Directory is executed without requiring administrative rights on the system. Limiting the number of people with administrative rights in Active Directory is important as this increases data security and helps to minimize potential security issues. When dealing with data – especially in healthcare – data protection is key. With ScriptRunner, a help desk or end user may trigger actions without having access to systems, and the credentials required to perform the actions are stored securely.
Meeting NEN 7510 standard requirements
The healthcare sector is closely monitored. NEN, the Royal Netherlands Standardization Institute, specifies the requirements for information security in the NEN 7510 standard (comparable to ISO 27001), and annual audits are mandatory. After using ScriptRunner for some time, the IT specialists realized that the software enables Star-shl to always be compliant and auditable. Axel Haringa, Senior IT Specialist, proudly points out: "Changes to the system are traceable. The auditors are really satisfied with our system." Granting access to actions instead of complete systems has made his life easier. Security issues caused by insufficient documentation, lack of knowledge, or the little mishaps when working with complex systems are now a thing of the past.
Automating the identity and access management was a success
Axel Haringa speaks openly: "It took time, and it was quite a process to automate our identity and access management. But we now securely manage 1,300 employees – from onboarding to offboarding and anything in between." The entire lifecycle of employees was analyzed, and actions were added step by step. The beauty of it: Whenever someone sees potential for automation, new scripts can be added; the software is flexible and does not dictate specific processes. Furthermore, it was important for Star-shl to keep all data on premises. They have full control over their ScriptRunner server just as they run, for example, Active Directory or Exchange on their own servers. When an action is triggered in ScriptRunner, a separate PowerShell process is started. The script, all parameters, and other required information are passed to this process. In Local Mode, the complete script processing is done locally.
"The use of queries is a strong argument for ScriptRunner! You can give people or whole departments exactly the right choices, nothing more, nothing less."
| Axel Haringa
| Senior IT Specialist
Using the power of Queries
Queries have proven to be especially helpful. Through queries, data can be retrieved from different databases. This way, for example, the actions a person is allowed to perform can be limited or the group a Star-shl employee may be added to can be defined. Any action can consist of different queries and targets. The output of a query determines, for example, which choices a user will be given or which part of the infrastructure will be visible and accessible when triggering a certain action. A query script can be used to create a dynamic, interactive selection of parameter values. Queries do not seem to be very elaborate, but they are not to be underestimated according to Axel Haringa. The actions created by Star-shl use queries to limit the choices for users from different departments or help desk colleagues. Their actions can solve tasks such as distributing software licenses – think of assigning or revoking GoToMeeting licenses. Another example is restarting a particular service without accidentally shutting down a service that was running perfectly fine.
Integrating complex systems seamlessly
Active Directory, Exchange on-premises, Windows servers, Citrix Virtual Desktop, Atlassian Jira, other database systems, industry specific legacy software – Star-shl has several systems in use, and seamless integration is required. The IT specialists especially appreciate that PowerShell scripts are so versatile. All target systems that offer PowerShell modules can be served by ScriptRunner. Through connectors, other third-party systems can be linked to ScriptRunner which functionally enhances the platform.
VMware – potential for automation
Reflecting on the question when he had his biggest aha moment, Axel Haringa can think of several things that run smoothly now but were nerve-wracking or very time-consuming before. Installing and configuring Microsoft SQL servers used to take several hours, stretching over two or three days. Now, the entire process takes only 1.5 hours. His goal is to optimize the process further and eventually have a fully configured SQL Server machine up and running with an effort of under 10 minutes. The Star-shl IT specialists already create and link permission groups from Active Directory to computer objects in VMware. But there is more to come: "I am also working on a script to manage disk creation and initialization, CD mounting, and reboots through VMware," Axel Haringa mentions.
Axel Haringa's motto at work is: "Why should I keep doing something manually that I have to do more than once?" Fully automating identity and access management from onboarding to offboarding and all the changes in between has certainly been an effort. Still, it has significantly reduced the time these processes need now. Yet automating is not just about saving time. Moreover, recurring tasks are now executed in the same way, and with the same quality of results. Changes to the system are transparent, which makes auditors happy. The risks of accidentally accessing or compromising data or unintentionally shutting down a specific service have been reduced. Actions can be delegated without granting administrative rights. By securing the IT infrastructure, administrators are ultimately less stressed and have more time for automation and meaningful, satisfying tasks.