Lausanne University Hospital: securing sensitive medical data

The Lausanne University Hospital (CHUV) is one of the five Swiss university hospitals. Through its collaboration with the Faculty of Biology and Medicine of the University of Lausanne, CHUV plays a leading role in Europe in the areas of medical care, medical research and training.

The CHUV wished to make access to patients’ records easier, better and more secure for medical staff by using an Identity and Access Management (IAM) solution.


Securely managing the digital identities of 12,000 users.
Managing access based on a complex business role model.
Managing rapidly changing medical staff assignments.
Managing emergency situations to provide medical practitioners with access to required data.

Our solution

We implemented an IAM solution for CHUV using the Evidian Identity and Access Management product.

We first addressed the challenges of identity management for large-scale teams by setting up the identity management stack of Evidian IAM. We addressed the complex issue of managing roles by using the product’s customisation capabilities and, more precisely, custom Java code to define a complex Role-Based Access Control (RBAC) matrix. The matrix’s main dimensions were function, location and application.

We configured delegated administration at the business manager level to handle rapid re-assignment of medical staff. This way, business changes (such as a change of service for a nurse) can be translated quickly into application roles, and thus into the correct application access.

Emergency situation management was implemented using the “Break Glass” concept, which means that emergency access to patient information can be given quickly to medical staff even if it was not initially configured. Exceptions granted in these specific cases are traced in the central IAM solution and managers are immediately notified.
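The role matrix and the Break Glass path described above, as an added Python sketch that is not Evidian's API or CHUV's code. The matrix entries, user names, the one-hour expiry, the read-only restriction and the fallback notification recipient are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed matrix: (function, location, application) -> permitted actions.
RBAC_MATRIX = {
    ("nurse", "cardiology", "patient-records"): {"read"},
    ("physician", "cardiology", "patient-records"): {"read", "write"},
}
BREAK_GLASS_TTL = timedelta(hours=1)   # assumption: emergency grants expire
BREAK_GLASS_ACTIONS = {"read"}         # assumption: emergency access is read-only

class AccessController:
    def __init__(self, managers):
        self.managers = managers       # user -> manager to notify
        self.grants = {}               # (user, application) -> expiry time
        self.audit_log = []            # central trace of every exception
        self.notifications = []        # stand-in for e-mail/pager delivery

    def is_allowed(self, user, function, location, application, action, now):
        """Normal path is the matrix; fall back to an unexpired break-glass grant."""
        if action in RBAC_MATRIX.get((function, location, application), set()):
            return True
        expiry = self.grants.get((user, application))
        if expiry and now < expiry and action in BREAK_GLASS_ACTIONS:
            self._trace(now, user, application, "break-glass-use", action)
            return True
        return False

    def break_glass(self, user, application, justification, now):
        """Grant time-boxed emergency access; always trace, always notify."""
        if not justification.strip():
            self._trace(now, user, application, "break-glass-refused", "no justification")
            return False
        self.grants[(user, application)] = now + BREAK_GLASS_TTL
        self._trace(now, user, application, "break-glass-granted", justification)
        manager = self.managers.get(user, "security-officer")  # fallback: assumption
        self.notifications.append((manager, user, application, justification))
        return True

    def _trace(self, when, user, application, event, detail):
        self.audit_log.append((when.isoformat(), user, application, event, detail))

def demo():
    """Constructed scenario: a cardiology nurse needs lab results in an emergency."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    ac = AccessController(managers={"nurse.a": "head-nurse.b"})
    req = ("nurse.a", "nurse", "cardiology", "lab-results", "read")
    before = ac.is_allowed(*req, t0)   # combination is not in the matrix
    ac.break_glass("nurse.a", "lab-results", "cardiac arrest, bed 12", t0)
    return before, ac.is_allowed(*req, t0), ac.is_allowed(*req, t0 + BREAK_GLASS_TTL)
```

The emergency grant never edits the matrix itself, so the exception lapses on its own and leaves the regular role model untouched for later compliance review.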



Thanks to the delegated rights management strategy, administrators no longer need to manage all access rights. What’s more, by automating identity lifecycle management and self-service features, such as access requests or password resets, CHUV is seeing its IT costs fall.


No more cumbersome and inefficient processes to access a resource. New employees have their rights established directly by their manager in accordance with their responsibilities. Subsequently, if employees change position, their access rights are also adjusted accordingly.


Evidian Identity and Access Management guarantees compliance in a context of increased personal responsibility. Information is compartmentalised, ensuring compliance with integrity and confidentiality rules. Services automatically check compliance with security policies by, among other things, withdrawing rights from employees who no longer need them. The effectiveness of measures can be proven at any time by presenting compliance reports to external auditors.