All organizations must protect their data and systems, but some industries face greater security pressures than others.
As a member of the healthcare industry, a pharmacy benefit management company serving more than 30 million people must comply with the stringent privacy and security regulations of the Health Insurance Portability and Accountability Act (HIPAA). Because it is a publicly traded company, the company must also adhere to stricter auditing regulations than private organizations.
Dave, senior administrator for the company’s IBM i, notes that the security requirements are further complicated by the need for both employees and external users to access the company’s systems. For example, pharmacies send transactions to its system. The organization’s insurance company customers then need to access any transactions subject to claims—but only for the parties they insure, not for other insurance companies’ customers.
To maintain the necessary healthcare privacy, the pharmacy benefit management company must set up unique security profiles for each user.
Strengthening Security to Achieve HIPAA Compliance
IBM i is one of the most secure platforms available, but its security out of the box failed to meet this organization’s requirements. The organization uses the Powertech suite of products to close gaps and significantly reduce the cost of managing security on its IBM i-based claims systems.
IBM i offers a number of access interfaces that organizations can use to meet their unique needs, but it doesn’t inherently provide a means to fully control access to those interfaces. Powertech Exit Point Manager for IBM i gives this organization a way to fill that security void. It can, for example, control who is allowed to access what through FTP with a very high level of granularity. The company currently restricts access at the library level, but it can control access right down to the object level if it needed to do so.
It’s not only the access interfaces that present a security threat on IBM i. “IBM i gives you exit points, but it doesn’t give you an application to secure them,” explained Dave. “Powertech Command Security for IBM i gives us the ability to build rules around what commands are allowed and what you can do with them.”
Highly Efficient, Accurate Security Administration
With so many user profiles in its system—about 30,000 in total—administering profiles with only the tools available on IBM i would have created a costly burden for the company’s IT staff. Instead, it uses Powertech Identity Manager for IBM i and Powertech Authority Broker for IBM i to slash the administrative overhead.
Identity Manager for IBM i provides a centralized approach for administrators to create and manage user profiles on one system or across multiple systems, allowing the company to apply customizable profile templates virtually at the touch of a button. And Authority Broker for IBM i makes it easy to reduce the number of user profiles with special authorities—a common security concern. This dramatically reduces the time required to create and manage profiles. For example, the organization recently needed to create 300 new profiles. Dave estimates that, in the past, that job would have taken at least five days, but it took only an hour with Identity Manager for IBM i and Authority Broker for IBM i.
The value of this solution extends beyond saving time. It’s also a matter of accuracy. In the past, employees manually created each individual profile and errors were common. Now, errors are rare. Dave estimates that using the Powertech products has reduced the error rate by 90 to 95 percent.
Making HIPAA Audits Easier
Operating within the healthcare industry, the organization is subject to HIPAA regulations, which makes system auditability even more critical. And the company’s auditors are particularly demanding when it comes to the system usage data they need to see.
IBM i maintains audit journals, but accessing that data and delivering it in the form required by auditors would be a challenge, to say the least. Powertech Compliance Monitor for IBM i easily overcomes that difficulty. It collects and compresses all of the data from the audit journal into a single database. It then allows the organization to quickly produce the variety of reports requested by auditors.
“Without Compliance Monitor, we could not produce the necessary reports within the turnaround time required by the auditors,” said Dave. “Audit rules change from year to year, and auditors go to different depths in different areas in different years. With all of the Powertech tools, we can keep our auditors happy.”
What’s more, Powertech allows the pharmacy benefit management company to meet its stringent security and auditing requirements efficiently and accurately. “With the all of the reporting we have to do, we’d need to write a lot of the interfaces ourselves if we didn’t have the Powertech tools,” said Dave. “So the Powertech suite allows us to reduce our staff and provide better quality reporting to meet HIPAA and other regulations.”