
Upload: vubao

Post on 22-May-2018


Page 1

Overview of FairWarning® for IAM

Customer-Only Webinar

April 3, 2014

2014 © FairWarning, Inc. – Private & Confidential


Page 2

Today’s Panel

Kurt Long

• FairWarning® Founder and CEO

• Office: (727)576-6700 Ext. 101

[email protected]

Chris Arnold

• FairWarning® VP of Product Management

• Office: (727) 576-6700 Ext. 118

[email protected]

Mike Lyons

• Director of Product Development

• Office: (727)576-6700 Ext. 160

[email protected]

Mike Nessen

• Customer Community Manager

• Office: (727)576-6700 Ext. 133

[email protected]

Page 3

Agenda

• Business Problem

• Building on your FairWarning® Investment

• FairWarning® for IAM

• Unique Solution Benefits

• Packaging & Pricing

• What’s Next

Page 4

IAM in Healthcare

Who and where are your users?

What can they do?

What do they do?

Compliance and Info Security Risk

CERNER

MEDITECH

Page 5

§164.312(a)(1): Access Control

Columns: HIPAA Section | Established Performance Criteria | Key Activity | Audit Procedures

HIPAA Section: §164.312

Established Performance Criteria: §164.312(a)(1): Access Control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Key Activity: Identify Technical Access Control Capabilities

Audit Procedures: Inquire of management as to how technical access control capabilities are defined. Obtain and review evidence to determine whether and how technical access capabilities are defined for in-scope systems. Obtain and review screenshots from in-scope systems to determine whether technical access capabilities are defined, i.e., read-only, modify, full-access.

HIPAA Section: §164.312

Established Performance Criteria: §164.312(a)(2)(i): Access Control - Assign a unique name and/or number for identifying and tracking user identity. Ensure that system activity can be traced to a specific user. Ensure that the necessary data is available in the system logs to support audit and other related business functions.

Key Activity: Ensure that All System Users Have Been Assigned a Unique Identifier

Audit Procedures: Inquire of management as to how users are assigned unique user IDs. Obtain and review policies and/or procedures and evaluate the content in relation to the specified criteria to determine how user IDs are to be established and assigned and evaluate the content in relation to the specified criteria. Obtain and review user access lists for each in-scope application to determine if users are assigned a unique ID and evaluate the content in relation to the specified criteria for attributing IDs. For selected days, obtain and review user access logs to determine if user activity is tracked and reviewed on a periodic basis and evaluate the content of the logs in relation to the specified criteria for access reviews.

HIPAA Section: §164.312

Established Performance Criteria: §164.312(a)(1): Access Control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Key Activity: Review and Update User Access

Audit Procedures: Inquire of management as to whether user access to systems and applications is reviewed on a periodic basis. Obtain and review policies and/or procedures to determine whether formal procedures are in place over the review of user access that address the recommended performance criteria, such as enforcing the policies and procedures as a matter of ongoing operations; determining whether changes are needed based on periodic reviews; and establishing and updating access. Obtain and review documentation to determine whether reviews have been performed over user access and evaluate the content in relation to the specified criteria for reviews.

Page 6

Typical IAM/IdM Proposal

$5 Million

3 Years

Consulting & Planning

Software or SaaS

Page 7

FairWarning® for IAM Goals

• Dramatically reduce cost of compliance

• Leverage FairWarning® investment

• Improve quality using actual access logs

• Complement existing provisioning workflow processes

• Accelerate & improve IAM vendor solutions

Page 8

CERNER

MEDITECH

Building on Your FairWarning® Investment

Application 1 Audit Log

Application N Audit Log

FairWarning® Patient Privacy Monitoring

FairWarning® for Identity Access Management

1 … through 250+

Private Service Cloud

Page 9

Discover, Correlate, Cleanse, and Centralize Identities

Active Directory | EHR Audit Logs | Lawson

1. Discover identities from data already going into FairWarning®

2. Correlate identities based on your existing provisioning rules

3. Cleanse names based on rules of where the best data exists in your current systems

4. Centralize Identity

DN=William Doe, dc=acme, dc=com

Email: [email protected]

User ID = wd7323

Title = Doctor

Login=Bdoe

EmployeeId = 1234

Centralized Identity: William Doe

Email: [email protected]

Title: Doctor

EmployeeId = 1234

Page 10

Automate HIPAA Access Control Review

Fill gaps in existing HIPAA Access Control Processes

Examples

• Access after Termination Date

• Discovery of unknown users

• Discovery of orphaned accounts

Discover Identities

Correlate Identities

Cleanse Identities

Centralize Identities

Audit Identity Processes
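The correlate step and the three review checks listed above (access after termination date, unknown users, orphaned accounts), as an added Python example that is not FairWarning's code. The record fields, the example.org addresses, the rule of linking by employee ID first and e-mail second, and the definitions of "orphaned" (an account that matches no person) and "unknown" (a logged login with no account record) are assumptions.

```python
from datetime import date

# Constructed sample data; field names and values are illustrative assumptions.
HR = [  # authoritative source (e.g. an HR system export)
    {"employee_id": "1234", "name": "William Doe", "email": "wdoe@example.org",
     "title": "Doctor", "terminated": None},
    {"employee_id": "5678", "name": "Jane Roe", "email": "jroe@example.org",
     "title": "Nurse", "terminated": date(2014, 3, 1)},
]
ACCOUNTS = [  # accounts discovered per source system
    {"source": "directory", "login": "wdoe", "email": "WDoe@example.org"},
    {"source": "ehr", "login": "wd7323", "employee_id": "1234"},
    {"source": "ehr", "login": "jr0042", "employee_id": "5678"},
    {"source": "ehr", "login": "tmpadmin"},  # carries no linking attribute
]
EVENTS = [  # access-log events: (source, login, day of access)
    ("ehr", "wd7323", date(2014, 3, 20)),
    ("ehr", "jr0042", date(2014, 2, 27)),
    ("ehr", "jr0042", date(2014, 3, 15)),   # after Jane Roe's termination
    ("ehr", "ghost01", date(2014, 3, 16)),  # login with no account record
]

def correlate(hr, accounts):
    """Map (source, login) -> employee_id; also return uncorrelated accounts."""
    by_id = {p["employee_id"]: p["employee_id"] for p in hr}
    by_email = {p["email"].lower(): p["employee_id"] for p in hr}
    owner, orphaned = {}, []
    for acct in accounts:
        # Assumed rule order: employee ID first, case-insensitive e-mail second.
        emp = (by_id.get(acct.get("employee_id"))
               or by_email.get(acct.get("email", "").lower()))
        if emp:
            owner[(acct["source"], acct["login"])] = emp
        else:
            orphaned.append((acct["source"], acct["login"]))
    return owner, orphaned

def review(hr, accounts, events):
    """Return the three access-review findings as sorted lists."""
    owner, orphaned = correlate(hr, accounts)
    term = {p["employee_id"]: p["terminated"] for p in hr}
    known = {(a["source"], a["login"]) for a in accounts}
    unknown, late = set(), set()
    for source, login, day in events:
        key = (source, login)
        if key not in known:
            unknown.add(key)
        elif key in owner and term[owner[key]] and day > term[owner[key]]:
            late.add((owner[key], source, login, day.isoformat()))
    return {"orphaned": sorted(orphaned), "unknown": sorted(unknown),
            "after_termination": sorted(late)}
```
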

Page 11

Complement & Accelerate IAM through FairWarning® Ready for Identity

FairWarning® Ready for Identity

Cooperation between patient privacy monitoring and identity management

Creates Identity Intelligence for patient privacy monitoring across an enterprise

Increased ROI in both products through shared Centralized Identity Repository

Nominate your IAM Vendors

Operates similar to FairWarning® Ready for Security and HealthCare Applications

Page 12

Summary of FairWarning® for IAM

• Discover Identities

• Correlate and Cleanse Identities

• Centralize Identities

• Automate HIPAA Access Control Review

• Ongoing HIPAA Access Control Review

• Complement & Accelerate IAM

Page 13

Unique Solution Benefits

• Discover and build identities from authoritative user sources and access logs

• Analyze roles, permissions, and actual use based on activity in the access logs

• Reduce time and expense by leveraging FairWarning®

• Fill gaps in existing HIPAA Access Control processes

• Accelerate & improve IAM projects

• Patent-pending solution

Page 14

Packaging & Pricing

Base FairWarning® License

• Strengthened analytics

• Strengthened Filtering

• Delegated Incident Review

Full FairWarning® for IAM License

• Automate Access Control Review

• Roles Analysis & Export to IAM

The information in this presentation is confidential and proprietary to FairWarning and may not be disclosed without the permission of FairWarning. This presentation is not subject to your license agreement or any other service or subscription agreement with FairWarning. FairWarning has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and FairWarning’s strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by FairWarning at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality.

SECOND HALF 2014

Page 15

What’s Next

• In Production Now at Major Beta Site

• Accepting 5 more Beta Sites

• General Availability as early as August 1

• What Else You Can Do

Page 16

Questions?

Please submit via the Webex Q&A or Chat windows to the right side of your screen