healthcare it consolidated

Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics

Upload: oracleidm

Post on 18-Nov-2014

Category:

Technology


DESCRIPTION

Panel Discussion about IT Healthcare, Featuring Kaiser Permanente, PwC, and Oracle

TRANSCRIPT

Page 1: Healthcare it consolidated

Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics

Page 2: Healthcare it consolidated

Agenda

• Panel Discussion

• Challenges and Implementation Overview

• The Solution Behind the Implementation

• Q&A

Page 3: Healthcare it consolidated

Panel Discussion

Jason W. Zellmer, Director, Strategy and Information Management, Kaiser Permanente Information Security

Viresh Garg, Director, Oracle Identity Management

Rex Thexton, Managing Director, Advisory Services, PricewaterhouseCoopers

Page 4: Healthcare it consolidated

PwC Health Information Privacy & Security (HIPS) & Oracle Security Practice Overview

Page 5: Healthcare it consolidated

PwC

PwC Healthcare Information Privacy & Security (HIPS) Service offerings

Page 6: Healthcare it consolidated

PwC - Oracle Security Overview

Our practice has years of experience in Security and Identity & Access Management with over 1000 professionals in NA.

•PwC is the leading Oracle IdM partner for five consecutive years

•PwC has completed over 150 implementations over the last 4 years

•PwC is the only Oracle partner to be a four time Titan Award winner

•PwC has conducted more 11g implementations than any other Oracle partner

•PwC has been nominated to Oracle’s Deputy CTO program since its inception

•PwC is involved in a significant % of all large Security Deals at Oracle

•PwC is the only Diamond Partner with advanced specialization area in identity

Page 7: Healthcare it consolidated

Kaiser Implementation Overview

Kaiser Permanente’s Goals

• Resolve significant deficiencies identified by internal audit for access management controls across the enterprise

• Develop sustainable and cost effective compliance processes through the automation of access management and recertification

• Standardize on a new IAM product suite (Oracle – OIA/OIM) and retire the legacy IAM technology stack (IBM Tivoli)

• Collapse existing IAM functions (help desks, security admins) within the regional business units by expanding the footprint of centralized IAM services

• Implement self-service functionality to enable business users and reduce administrative burden for care delivery staff (doctors, nurses, etc.)

• Objectives to span across:

  • 7 major business units

  • 150+ SOX applications

  • 1300+ HIPAA applications

Page 8: Healthcare it consolidated

Kaiser Identity Management

Identity Administration Overview at KP (Current State)

Role Life-cycle Management

Identity Life-cycle Management

KP-OIA

• Authoritative Source for Roles

• Role Life-cycle Management

• Advanced Role Certification Capability

KP-OIM

• Authoritative Source for Identities

• Automated Roles based provisioning

• Identity Synchronization

[Diagram labels: Define, New Users, Users Leave, Change Events, Refine, Verify]

• Access Review by Applications

• Access Review performed by line managers - view users access specific to one application.

Key Pain Points:

• Lack of Holistic View

• Absence of automated remediation and remediation validation mechanisms.

• Inability to perform role certification.

Identity Administration Overview at KP (Future State)

Page 9: Healthcare it consolidated

Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground

Published: Fall 2011

Data is quickly becoming one of the health industry’s most treasured commodities. Yet, health organizations are acutely aware that sensitive data can be easily compromised. In just the last year and a half, a breach of personal health information occurred, on average, every other day. Breaches erode productivity and patient trust. They’re costly, unpredictable, and unfortunately quite common. More than half of healthcare organizations surveyed by PwC have had at least one privacy/security-related issue in the last two years.

Download this report from PwC at www.PwC.com/us/HITprivacysecurity

Page 10: Healthcare it consolidated

How to Engage with PwC

Rex Thexton [email protected] (908) 868-1386

Danielle [email protected] (617) 510-7432

Matthew [email protected] (415) 515-0276

© 2011 PwC. All rights reserved. "PwC" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Page 11: Healthcare it consolidated

Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics

Viresh Garg, Director, Identity Management, Oracle

Page 12: Healthcare it consolidated

This document is for informational purposes.  It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.  The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle.  This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle.  This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle.   This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

Page 13: Healthcare it consolidated

Healthcare Challenges Are Unique, Acute

• IT/Helpdesk Costs

• HITECH

• EHR Access

• Staff Productivity

• Patient Care SLA

• Meaningful Use

• HIPAA

• VIP Cases

• Sarbanes-Oxley

• Secure Access Control

• Sustainable Compliance Practices

Page 14: Healthcare it consolidated

Key Elements to The Solution

Page 15: Healthcare it consolidated

Building User’s Risk Profile

[Diagram labels:]

• Identity Data Sources: Mainframe, DB, Applications

• Identity Warehouse: Resources, Identities, Entitlements, Roles

• Risk Assignment, Risk Aggregation

• Low Risk, Med Risk, High Risk

• Approve, Reject, Auto Certify, Cert360

• Events

Page 16: Healthcare it consolidated

Closed-Loop Feedback

User On-boarding

User Access Change

User Off-board

SOD Checking

Aggregate Risk Score

• IT and Business Roles SOD Checks

• Preventative

• Remedial

• Risk Feedback

• User Administration

• Access Certifications

Page 17: Healthcare it consolidated

Automating User Administration

• Automate Roles Based Provisioning / Deprovisioning

• Identify orphaned accounts and take remedial action

• Self-service requests including password management

• Provide risk feedback and audit trail for compliance reporting in Identity Analytics

[Diagram labels: HR System, Employee, Workflow, Oracle Identity Manager, GRANT / REVOKE, Applications, Systems]

Page 18: Healthcare it consolidated

Automating Compliance Certification

[Diagram with four numbered steps:]

1. Set Up Periodic Review: What Is Reviewed? Who Reviews It? Start When? How Often?

2. Reviewer Is Notified, Goes to Self Service: Reviewer Selections (Certify, Reject, Decline, Delegate), Comments

3. Automated Action is taken based on Periodic Review: Email Result to User, Automatically Terminate User, Notify the Process Owner, Notify Delegated Reviewer

4. Report Built And Results Stored in DB: Archive (Attested Data, Attestation Actions, Delegation Paths)

Page 19: Healthcare it consolidated

Oracle Identity Management Solution Set: Complete, Innovative and Integrated

Page 20: Healthcare it consolidated

Platform Reduces Cost vs. Point Solutions

• 46% Cost Savings

• 48% More Responsive

• 35% Fewer Audit Deficiencies

Source: Aberdeen “Analyzing point solutions vs. platform” 2011

Page 21: Healthcare it consolidated

Summary

• Boost Security & Compliance

  • Enforce and prove compliance, prevent privilege abuse with Identity Analytics

  • Improve patient care SLA, curb unauthorized access, reduce costs with Identity Manager tied to Identity Analytics

  • Boost user productivity by 80%

• For More Information

  • Contact: [email protected]

  • Call him: 1-781-565-1779

  • www.oracle.com/identity

  • Blogs.oracle.com/OracleIDM

Page 22: Healthcare it consolidated

Q&A

Jason W. Zellmer, Director, Strategy and Information Management, Kaiser Permanente Information Security

Viresh Garg, Director, Oracle Identity Management

Rex Thexton, Managing Director, Advisory Services, PricewaterhouseCoopers