Duke Medical Center looks to lock down patient data and ease the strain on IT staff

James Rogers, Contributor

July 13, 2006

Duke University Medical Center is currently overhauling its security and storage operations in an attempt to lock down its critical data and meet its regulatory commitments.

Rafael Rodriguez, the Medical Center's associate CIO, says the organization is looking to ease the strain on its helpdesk by deploying Tivoli's Identity Manager software to handle passwords across a slew of complex medical systems.

"About 40 percent of the calls to our helpdesk are for password resets," he explains. With Identity Manager, end users can reset the passwords themselves, and these can then be synchronized across medical systems, laptops, and workstations.

With around 1,500 faculty physicians and over 800 staff members, setting and resetting passwords has traditionally been something of a logistical nightmare for Rodriguez and his staff. "Some end users had as many as 20 different applications, so you can imagine this was quite a high pain point," he explains.

After choosing Tivoli earlier this year, the Center is now deploying the software, and Rodriguez expects to have the password system in production mode in the fourth quarter. Initially, he says, the organization will roll out Identity Manager across six key applications, followed by another six by the middle of 2008.

"Our primary focus is clinical applications," he explains, adding that a patient information application and the hospital's system for ordering medications will be amongst the first to get the new password protection. "We also plan to manage the passwords for our email systems."

The applications are hosted on two IBM pSeries mainframes running the AIX operating system. These, in turn, are linked to the university's 170-Tbyte SAN, which is built from Cisco MDS Directors and hardware from HP, IBM, and Sun.

Rodriguez explains that the password lockdown will be particularly useful during the summer when the Center gets an influx of doctors. "This month, we have the new class of residents coming in," he says. "This will make the process of setting up passwords and setting up accounts on the different systems automatic."

Duke is also looking to boost its internal security. For example, if a doctor or nurse forgets to sign off from a computer linked to the patient records system, the software monitors the device and ends the session, requiring the next user to sign on again.

Rodriguez would not reveal specifics, saying only that the Center spent "several thousands of dollars" on the Tivoli product, but he is looking for a speedy ROI. "I expect that we would get a return on this investment in the next couple of years."

In addition to Tivoli, Duke also looked at a product from BMC for handling its passwords, although Rodriguez says that the former won out thanks to its ability to support a range of different systems. "Tivoli made a commitment to do this work with us in the academic medical environment, which is complex," he says, adding that Identity Manager was also competitively priced.

The deployment, according to Rodriguez, is also helping the University meet its Health Insurance Portability and Accountability Act (HIPAA) commitments, which dictate who can access patients' medical records. (See Users Self-Destruct on Governance.) "Because all the passwords are synchronized, the end user can set up stronger passwords [so] they don't have to write them down," he explains. "[So] there's less risk that the passwords will be compromised."

Additionally, the Center is better positioned to meet the stringent audit requirements of HIPAA. "Identity Manager has its own audits of people who have changed passwords and audits of who is accessing the system," says Rodriguez.

But the exec admits that deploying this type of technology in a byzantine multi-system medical environment is easier said than done. "The challenge is that this is a complex environment because we have a lot of different applications working together."

While it deploys Identity Manager, Duke is also rolling out IBM's SAN Volume Controller to better monitor its SAN. Although this is not yet in production, Rodriguez says that the move was prompted by growing volumes of data on the SAN.

The University's health system currently accounts for 130 of the SAN's 170 storage volumes, with the remainder allocated to the Duke campus. Only 90 percent of health system data, however, is currently held on the SAN, and Rodriguez is planning to migrate the remaining 10 percent at some point in the future. "[The] targets for expansion are data in remote data centers."

— James Rogers, Senior Editor, Byte and Switch
