Anyone who has tried to itemize their tax returns or filled out myriad medical claim forms without the help of a licensed professional knows how confusing these tasks can be. Multiply that by 27,500 — and perform these exercises on a daily basis instead of once a year — and you get a sense of the challenge faced by health benefits giant CIGNA Corporation when it began six years ago to establish a comprehensive workflow for controlling access to sensitive data by its employees.
Even before the advent of the federal Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) security compliance requirements, CIGNA recognized that the days of "model me after" access controls were numbered.
"You can no longer assume that if John leaves the company and is replaced by Sally, that Sally should have the same access to risk-related data that John had," notes Craig Shumard, CISO, CIGNA.
CIGNA's companywide workflow for role-based access governance, which began with cumbersome, homegrown tools and Excel charts, is now being transformed into a sleek, automated and self-auditing system with the use of Aveksa's package of Enterprise Access Governance Solutions.
Before agreeing to install the Aveksa 3 system, CIGNA went well beyond standard proof-of-concept vetting of test scripts. The company gave the system a multi-million-transaction "stress test" to determine whether it could really manage and monitor the astronomical number of access-control transactions that CIGNA must track on a regular basis. According to Aveksa vice president of marketing Brian Cleary, the CIGNA test established a benchmark for performance that Aveksa is now citing in presentations to potential clients in the financial sector and other high-risk environments.
CIGNA is using the Role Manager module of the Aveksa 3 package to automate the administration of 2,400 roles that must be created and constantly updated to certify user entitlements and access governance across the company's vast IT enterprise network, which deploys more than 300 applications to process thousands of electronic protected health information (EPHI) transactions daily.
The need at CIGNA to define "sub-roles," as well as roles governing access, required Aveksa to adapt the Role Manager to allow for increased flexibility, including customization of naming conventions to permit hierarchical levels of access. At CIGNA, access by claim processors to protected data is determined by a complex variety of factors, including the type of claim and its monetary value threshold.
"There are literally thousands of permutations," says Shumard.
The Aveksa system is configured to tailor entitlement and role reviews to the "minimum necessary" standard that HIPAA calls for (and that SOX access-control expectations reinforce), limiting access to sensitive data to the users whose assigned roles require it, with business "role owners" accountable for that scope. Control of access remains in the hands of business managers, but the tool ensures that the level of access always matches the assigned role of the end user. "Out of role" requests are also tracked and verified. Shumard says the tool has eliminated much of the labor-intensive abstract analysis that previously was required to define role ownership governing access.
Aveksa's Compliance Manager module is being deployed at CIGNA to provide full transparency for access governance, enabling a significantly higher level of visibility into the state of user access rights for risk-relevant activities than the previous manual workflow. "It is head and shoulders above what we could do before," says Shumard. "It dramatically simplifies reporting for continuous compliance and streamlines approvals."
The system audits the user provisioning infrastructure, tracks every entitlement change, and issues access certifications. Those records would form the basis of a response to a HIPAA security audit, something CIGNA, with its proactive stance on access governance, has never undergone. The company also has taken the lead in encrypting its file systems and email, and is extending that protection to removable devices.
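To make the role model concrete, here is a small worked example, added for this article and not code from CIGNA or Aveksa, of what the sub-roles and claim-value thresholds described above look like in practice: a role hierarchy where a senior role inherits its junior's access, an access check driven by claim type and monetary value, detection of "out of role" grants for a certification review, and why a "model me after" copy of a departing employee's access immediately shows up as a certification exception. Role names, claim types, dollar limits and users are all constructed for illustration.

```python
"""Hierarchical role-based access with claim-type and monetary thresholds.

Constructed example: role names, claim types, dollar limits and users below are
invented for illustration; they are not CIGNA's or Aveksa's configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    parent: Optional[str]      # sub-role -> parent role; a senior role inherits its junior's access
    limits: Dict[str, int]     # claim type -> highest claim value (USD) this role may handle


# Constructed role hierarchy: tier1 < tier2 < supervisor; enrollment clerks handle no claims.
ROLES: Dict[str, Role] = {
    "claims.processor.tier1": Role("claims.processor.tier1", None, {"medical": 1_000}),
    "claims.processor.tier2": Role("claims.processor.tier2", "claims.processor.tier1",
                                   {"medical": 10_000, "dental": 5_000}),
    "claims.supervisor": Role("claims.supervisor", "claims.processor.tier2",
                              {"medical": 100_000, "dental": 50_000, "pharmacy": 25_000}),
    "enrollment.clerk": Role("enrollment.clerk", None, {}),
}


@dataclass
class User:
    name: str
    role: str
    # Entitlements granted directly rather than through the role ("out of role" requests).
    extra_grants: Dict[str, int] = field(default_factory=dict)


def effective_limits(role_name: str) -> Dict[str, int]:
    """Walk up the hierarchy and merge limits, keeping the highest threshold per claim type."""
    limits: Dict[str, int] = {}
    seen = set()
    current: Optional[str] = role_name
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in role hierarchy at {current!r}")
        seen.add(current)
        role = ROLES[current]
        for claim_type, cap in role.limits.items():
            limits[claim_type] = max(cap, limits.get(claim_type, 0))
        current = role.parent
    return limits


def can_access(user: User, claim_type: str, amount: int) -> bool:
    """Allow only if the role (or an explicit extra grant) covers this claim type up to this value."""
    if amount < 0:
        raise ValueError("claim amount must be non-negative")
    cap = max(effective_limits(user.role).get(claim_type, 0),
              user.extra_grants.get(claim_type, 0))
    return cap > 0 and amount <= cap


def out_of_role_grants(user: User) -> Dict[str, int]:
    """Direct grants the role does not already explain: what a role owner must review at certification."""
    allowed = effective_limits(user.role)
    return {ct: cap for ct, cap in user.extra_grants.items() if cap > allowed.get(ct, 0)}


def certification_report(users: List[User]) -> List[Tuple[str, str, Dict[str, int]]]:
    """One entry per user holding access beyond the 'minimum necessary' for the assigned role."""
    return [(u.name, u.role, out_of_role_grants(u)) for u in users if out_of_role_grants(u)]


def model_me_after(template: User, name: str, role: str) -> User:
    """The legacy 'give Sally whatever John had' provisioning: copy the template's full effective
    access as direct grants. Everything the new role does not justify surfaces as an exception."""
    inherited = dict(effective_limits(template.role))
    for ct, cap in template.extra_grants.items():
        inherited[ct] = max(cap, inherited.get(ct, 0))
    return User(name, role, inherited)


# Constructed users for the demonstration.
USERS: List[User] = [
    User("john", "claims.supervisor"),
    User("sally", "claims.processor.tier1", {"pharmacy": 25_000}),   # approved out-of-role grant
    User("ana", "enrollment.clerk"),
]

if __name__ == "__main__":
    print(effective_limits("claims.supervisor"))
    print(can_access(USERS[1], "medical", 1_001))          # tier1 stops at 1,000
    print(certification_report(USERS))                      # sally's pharmacy grant needs review
    cloned = model_me_after(USERS[0], "sally2", "claims.processor.tier1")
    print(out_of_role_grants(cloned))                       # the whole supervisor access set
```

The two review functions are deliberately the same comparison run from different directions: `can_access` answers a runtime request, while `out_of_role_grants` and `certification_report` answer the auditor's question of which standing entitlements the assigned role does not justify. Cloning John's access for Sally is not blocked by this model, but every copied grant lands in the certification report, which is the property a "model me after" workflow lacks.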
According to Shumard, ease of use was the key attraction in CIGNA's choice of Aveksa 3. "The people who are using this system are not IT technicians. We looked at another tool, but we didn't get far with it because it was too cumbersome. The [Aveksa] tool puts everything in plain language for non-IT people," he says.
Aveksa's Cleary says the company has incorporated a metadata layer into the Role Manager that permits users to express access entitlements in business-friendly terms. "Entitlements can be defined in a business context," he says.
While workflow efficiencies and related cost savings currently are key selling points for automated access governance systems, Cleary notes that many companies are now taking a preventive approach that places increasing importance on what he calls "cost avoidance." This type of forward thinking is spurring more interest in the high-level risk analytics that are built into Aveksa 3.
Cleary also predicts that automation of access governance will soon be driven by a toughening in the enforcement of HIPAA guidelines, which since their finalization in 2003, have been widely characterized as toothless due to lax enforcement and a dearth of audits.