A large, non-profit provider of healthcare services had challenges with its Identity and Access Management (IAM) systems. The company needed to implement significant enhancements to its user access controls to improve compliance with Sarbanes-Oxley (SOX). The healthcare organization targeted three controls to improve: quarterly access reviews, provisioning, and termination. Manual processes for reviews of user access to 150 applications and for new-hire provisioning resulted in lost productivity, compliance and security risks, and inefficient and costly back-office processes. Furthermore, a solution that notified application teams to remove terminated employees’ access to applications subject to SOX regulations was largely ineffective, allowing former employees to maintain access.
The healthcare provider engaged PwC to help improve its SOX controls and develop an IAM strategy that would be aligned with investments and resources for compliance mandates. We helped the organization select and implement a tool that automates the compliance monitoring, reporting, certification, remediation, and change validation of user entitlements, and design a self-service web application to streamline its provisioning system for new hires. To improve the termination system, we enhanced the existing termination notification service and helped the company increase the number of integrated applications from 15 to 93, enabling the company to better meet SOX compliance.
Impact on client's business
Our engagement with the healthcare services provider has resulted in dramatically reduced time and costs for access reviews and access termination. Quarterly access reviews now require hundreds of hours less effort for managers and system owners. Notification of terminated employees is now achieved within hours. We assisted the client in implementing systems that clearly document provisioning and de-provisioning processes and preserve all audit trails, which enable the healthcare provider to better meet compliance and security objectives. As a result of the initiative, the healthcare services company now has consistent processes across divisions, which will help reduce costs and inefficiencies over the long term.