Integrated Identity Management

1
Integrated Identity Management
Briefing February 2009
2
(No Transcript)
3
Work Streams

• HR / RA Process Integration
• Position Based Access Control (PBAC)
• User Identity Manager (UIM)
• ESR / UIM Interface

4
(No Transcript)
5
HR / RA Process Integration

• An essential step for effective Information
  Governance and productivity regardless of
  technical solutions
• About 120 organisations have already piloted this
  work as part of the LSWC
• HR / RA process integration toolkit already
  exists
• Continued efforts to ensure organisations
  complete this work are underway, led by NHS CFH

6
HR / RA Integration Key Benefits

• Improving patient safety and Information
  Governance
• Better for NHS CRS Users streamlines process
• Better for patients more accurate and timely
  access to clinical systems
• More robust governance all in one place
• Improved data security
• Savings in time and money

7
(No Transcript)
8
PBAC What is it?

• The ability to link Access Control to a position
  or post rather than an individual
• Makes the management of Role Based Access Control
  (RBAC) simpler
• Facilitates the link with ESR, but also required
  for UIM
• Will facilitate the ability of appropriate
  individuals to manage transfers within UIM

9
PBAC Key Benefits

• Executive approval of access attributes only
  required once (with ongoing maintenance)
• Positions are approved once and used many times
• Appropriate individuals can assign people to
  positions directly without additional sponsorship
  (because the position access attributes have
  already been approved and granted)
• ESR Users only use ESR to manage a position change

10
(No Transcript)
11
UIM Solution

• Will replace current front end to registration
  software
• Requires no data to be migrated
• Request Management to replace paper based
  processes
• Controls process flow for management of requests
  / approvals (via work-lists) between RA Managers
  / Agents, RA Sponsors and Completer of Forms
• Position Management
• Will allow definition of access control positions
• Will allow employee SUD entries to be linked to
  access control positions
• Smartcard Terms and Conditions Management
• Interface / integration to ESR

12
UIM New Starter Example
User Identity Management
SUD
Duplicate Check
CMS
Prove ID Record
Completer of forms
Sponsor
Register Request
RA Agent
Create Request
Validate
Issue Smartcard
Duplicate Check?
Reports Audit
Assign to Worklist
Approve
Request completed
Smartcard Issued
New User
13
UIM Key Benefits

• Increase in speed and ease of managing access,
  e.g. use of Positions
• Improve quality, avoid transcription errors and
  improve selection of access attributes
• Removal of paper
• Removal of duplication

14
(No Transcript)
15
ESR Interface (RPP)

• Phase 1 Smartcard Enable Access to ESR
• Phase 2 ESR / UIM Interface

16
Smartcard Enable ESR Solution

• Why do it?
• Secures staff data to the same level as patient
  data
• ESR requires e-GIF level 3 security in order to
  effect changes on CRS
• Replaces traditional login to ESR with NHS Care
  Records Service (NHS CRS) Smartcard
• First login via NHS CRS Smartcard disables
  traditional login
• Existing access control (ESR URPs) remains
• All ESR users will need NHS CRS entry (on Spine
  User DirectorySUD) to generate UUIDs /
  Smartcards
• NHS CRS UUIDs will be added to employee records
  in ESR via a data load during implementation
• Pre-requisite for the ESR interface to NHS CRS

17
ESR / UIM Interface Solution

• Interface will
• Provide enhanced recording of identity checks for
  employees in ESR to e-GIF level 3
• Link all NHS employees with an ESR record (i.e.
  excluding GPs, Pharmacists, Students, agency
  staff etc) to SUD entries via the UUID
• Link ESR positions to access control positions in
  UIM
• Will enable automatic inheritance of CRS access
  control rights assuming ESR employee record is
• Assigned to an ESR position which is in turn
  linked to a UIM access control position
• Linked to a matching SUD employee record via the
  UUID

18
New Starter Example
ESR searches SUD for a matching record, list of
possible matches returned
HR user selects relevant record using Register
Person option in ESR
UUID captured from SUD and stored against
person record on ESR
Relevant UIM worklist updated to transfer
position back to UIM to give access rights
19
Interface Key Benefits

• Removal of duplicate of data entry in HR and RA
• Facilitates streamlined process flow between HR
  and RA and removes paper chain by tie up to UIM
  Worklists
• HR record controls access to clinical systems via
  the interface by means of tie up of Position and
  UUID
• Access can be granted in near real time ensuring
  no delay in using systems for starters / changes
  to position
• Access can be revoked in real time by making
  person a leaver in ESR ensuring ex-employees /
  position changes do not have inappropriate access
  rights
• Final step of integrating HR and RA functions

20
Implementation of Work Streams
21
(No Transcript)
22
HR / RA Integration

• Can be started now using toolkit
• Gain Exec/Board level support
• Robust Sponsorship
• Rethink both HR and RA processes in line with
  toolkit
• Project group key stakeholders

23
HR / RA Integration Support

• HR/RA Process Integration Toolkit
  http//nww.connectingforhealth.nhs.uk/implementati
  on/registrationauthorities/governance/ra-guidance/
  hrra-business.pdf
• Working in Partnership with SHA RA and ESR Leads
• SHA Partnership to work with Lynda Scott 0778
  965 3308 Lynda.Scott_at_NHSemployers.org

24
(No Transcript)
25
PBAC Implementation

• Guidance available on NHS CFH web site
• Additional guidance contained in forthcoming PBAC
  Toolkit (March 2009)
• Organisations will need to define approve NHS
  CRS Access Control Positions
• Expectation is for a small number of generic
  positions in most cases
• Staff will be allocated to positions based on the
  job that they do and therefore
• inherit access rights defined by the position

26
Positions Mapping

• Mapping of PBAC positions to ESR positions
• Expectation is for a many (on ESR) to one (on
  UIM) relationship
• Use ESR Positions Analysis Report spreadsheet
  output
• HR and RA to review all ESR positions in the
  report and define a mapping to a PBAC position
  could be added to spreadsheet
• Mapping exercise may inform changes required to
  both ESR positions / assignments and to PBAC
  positions
• Mapping to be signed off
• PBAC and Positions Mapping can be phased by
  taking sections of the organisation at a time
  rather than doing this as a big bang exercise

27
(No Transcript)
28
UIM Implementation

• Position Based Access Control (PBAC) adoption in
  an NHS organisation is a pre-requisite for UIM
  implementation
• Load / enter positions into UIM
• Worklists to be established
• Association of staff to positions
• Sponsors would normally be given a completed
  piece of paper now they will need to log in to
  a worklist and digitally sign to approve a
  request
• All RA users will need to know how to use UIM
• Web based guidance will be available

29
(No Transcript)
30
Smartcard ESR Implementation

• Solution available from January 2009 to pilots
• 14 pilots to prove solution / data match, cleanse
  load mechanisms / implementation methodology /
  documentation Jan 09 to Mar 09
• Methodology / documentation / support model to be
  defined and updated in Mar 09
• Rollout from Apr 09 Aug 09 facilitated by
  monthly load
• Schedule of slots / phases to be published (1 per
  month will be available from Apr-Aug) trusts to
  be asked to commit to a date
• Expectation to enable access for all ESR users
• NHS ESR Data Team will provide support for data
  match / cleanse / load

31
ESR/UIM Interface Implementation 1

• Pre-Requisites
• Smartcard enabled ESR
• HR/RA Process Integration
• PBAC / Positions Mapping
• UIM implementation
• Milestone Checkpoint to be completed before
  commencing interface implementation to ensure
  pre-requisites are met
• Implementation can be phased or big bang
• UUIDs will need to be loaded into ESR for all
  matching employee records on SUD

32
ESR/UIM Interface Implementation 2

• Ensure end users are familiar with new
  functionality
• ESR set up also required for NACS code, worklists
  and RA sponsor roles
• Organisations must then complete a Milestone
  Checkpoint to confirm all activities completed
  before turn on of the interface
• Interface turn on follows UUID data load
  involves initial population of position pick list
  in ESR showing UIM positions
• Interface activities are only triggered when
  positions are linked thereby giving
  organisations ability to control timing / phasing
  of implementation

33
Support and Guidance
34
Toolkits Guidance

• A number of toolkits guidance documents exist
  or are being developed
• HR / RA Process Integration (available now)
• Update due Spring 09 to HR/RA toolkit to include
  Wider Business Process Integration
• Strategic Decision Making Toolkit (Mar 09)
• Implementation Approach Toolkit (Mar 09)
• Smartcard ESR Implementation Guide (draft
  available for Pilots)
• UIM Implementation Guide (draft available for
  pilots)
• PBAC Toolkit to include ESR mapping guidance
  (Mar 09)
• ESR / UIM Interface Implementation Guide (draft
  available for pilots)
• User guides and training (to be updated
  available ready for UIM and ESR/UIM interface
  launch dates)

35
Support

• CFH Access Control Team (PBAC, UIM
  Implementation, HR/RA Process Integration)
• Lynda Scott (HR/RA Process Integration)
• NHS ESR Data Team (Data Matching/Cleansing/Load)
• Existing NHS ESR Operations and Benefits Team
• 10 RPP Account Managers 1 per SHA from May 2009
• SHA RA Leads (Supporting Implementation)
• Joint Implementation Team (Central monitoring
  of progress and overall management of project)

36
Timeline Summary
37
Strategic Decision Making

• NHS organisations will have a strategic decision
  between 3 proposed implementation models

38
Implementation Summary