For hospitals, securing patients’ personal information means restricting access to a limited set of organizational units and roles. Staff who use SAP IS-H for patient admissions, for example, cannot view any patient data that might give a more detailed indication of existing illnesses.
Seeking to improve its own data protection, Berlin’s Evangelisches Krankenhaus Königin Elisabeth Herzberge (KEH) Hospital implemented the application SAP BusinessObjects Access Control – one of SAP’s offerings for governance, risk, and compliance (GRC). “Our goal was to make it easier to display and monitor the access authorizations of our users, profiles, and roles in SAP and other systems,” explains Ralf Korzendorfer, head of IT at KEH.
A transparent monitoring system
In addition, KEH wanted to fulfill the requirements and regulations of the German Corporate Governance Code and support a transparent internal-monitoring system. With SAP BusinessObjects Access Control, the hospital now has the ability to produce qualified reports – as required by financial auditors, for example – on the effectiveness of this system.
SAP BusinessObjects Access Control offers simple integration into existing installations from SAP and other providers, which enables users to identify possible conflicts in role separation across multiple systems.
Risk analysis reveals access conflicts
To check existing authorizations, SAP BusinessObjects Access Control provides an extensive set of rules that covers role-separation conflicts and critical access rights, as well as the corresponding risks. Based on these rules, users, roles, and profiles – along with their authorizations – undergo risk analysis. If the results indicate that a user could gain unauthorized access to certain data, the SAP application then displays the possible access conflicts.
SAP BusinessObjects Access Control can perform this analysis both during initial user verification and when later changes are made to individual authorization profiles. If a user needs additional access rights, a system administrator can use the application to check whether granting them would lead to conflicts with the user’s existing authorizations.
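The two checks described above, analysis of existing authorizations against a rule set and a what-if check before an additional role is granted, can be illustrated with a small rule engine. The following is an added example written for this page; it is not code from SAP, T-Systems or KEH, and the function labels, rules, roles and users are constructed placeholders, not real SAP IS-H objects or transaction codes. A rule fires when a user holds every function it lists: one function marks a critical access right, two functions mark a role-separation conflict, and because each function is tagged with its system, a rule can also span two systems, as the cross-system analysis in the article describes.

```python
"""Rule-based authorization risk analysis (added example, constructed data).

Findings are produced for existing authorizations (analyze) and for a
proposed role grant (simulate_grant). Nothing here is SAP product code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """A rule fires when a user holds ALL listed functions.
    One function  -> critical access right
    Two functions -> role-separation (SoD) conflict
    Labels use the form "SYSTEM:FUNCTION" so a rule may span systems."""
    rule_id: str
    risk: str
    functions: frozenset
    description: str


@dataclass
class Role:
    name: str
    functions: frozenset  # business functions the role's profiles grant (constructed labels)


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

    def effective_functions(self) -> set:
        # Authorizations accumulate across all assigned roles.
        return set().union(*(r.functions for r in self.roles))


@dataclass(frozen=True, order=True)
class Finding:
    rule_id: str
    kind: str        # "critical" or "sod"
    risk: str
    via: tuple       # roles that contribute to the finding
    description: str


def analyze(user: User, rules) -> list:
    """Evaluate a user's effective authorizations against every rule."""
    held = user.effective_functions()
    findings = []
    for rule in rules:
        if rule.functions <= held:
            via = tuple(sorted(r.name for r in user.roles if r.functions & rule.functions))
            kind = "critical" if len(rule.functions) == 1 else "sod"
            findings.append(Finding(rule.rule_id, kind, rule.risk, via, rule.description))
    return sorted(findings)


def simulate_grant(user: User, new_role: Role, rules) -> list:
    """What-if check before granting: only findings the new role would introduce."""
    before = set(analyze(user, rules))
    after = set(analyze(User(user.name, user.roles + [new_role]), rules))
    return sorted(after - before)


# Constructed rule set (hypothetical labels, not an SAP-delivered rule set).
RULES = [
    Rule("R01", "high", frozenset({"BASIS:CHANGE_AUTHORIZATIONS"}),
         "Critical: can change authorizations"),
    Rule("R02", "high", frozenset({"ISH:ADMIT_PATIENT", "ISH:VIEW_DIAGNOSIS"}),
         "SoD: admission staff must not see diagnoses"),
    Rule("R03", "high", frozenset({"FI:POST_INVOICE", "FI:APPROVE_PAYMENT"}),
         "SoD: posting and approving payments"),
    Rule("R04", "medium", frozenset({"ISH:MAINTAIN_INSURANCE", "FI:POST_INVOICE"}),
         "SoD (cross-system): insurance data and invoice posting"),
]

# Constructed roles and users.
ROLES = {
    "ADMISSION_CLERK": Role("ADMISSION_CLERK", frozenset({"ISH:ADMIT_PATIENT", "ISH:MAINTAIN_INSURANCE"})),
    "PHYSICIAN": Role("PHYSICIAN", frozenset({"ISH:VIEW_DIAGNOSIS"})),
    "AP_CLERK": Role("AP_CLERK", frozenset({"FI:POST_INVOICE"})),
    "AP_APPROVER": Role("AP_APPROVER", frozenset({"FI:APPROVE_PAYMENT"})),
    "AUTH_ADMIN": Role("AUTH_ADMIN", frozenset({"BASIS:CHANGE_AUTHORIZATIONS"})),
}
USERS = {
    "anna": User("anna", [ROLES["ADMISSION_CLERK"]]),
    "bert": User("bert", [ROLES["ADMISSION_CLERK"], ROLES["AP_CLERK"]]),
    "carla": User("carla", [ROLES["AUTH_ADMIN"]]),
}

if __name__ == "__main__":
    for user in USERS.values():
        for f in analyze(user, RULES):
            print(f"{user.name}: {f.rule_id} [{f.kind}/{f.risk}] via {f.via}: {f.description}")
    for f in simulate_grant(USERS["anna"], ROLES["PHYSICIAN"], RULES):
        print(f"grant PHYSICIAN to anna would introduce {f.rule_id}: {f.description}")
```

Running the module reports the cross-system finding R04 for "bert" and the critical right R01 for "carla", and the what-if check shows that adding the PHYSICIAN role to "anna" would newly introduce the admission-versus-diagnosis conflict R02, while the existing conflict on "bert" is not re-reported when a further role is simulated.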
T-Systems provides missing rule set for hospitals
While SAP includes such rule sets in its standard software packages for industrial firms, no corresponding template designed specifically for hospitals has been available. T-Systems has now filled this gap by developing SAP IS-H authorization rules tailored to midsize hospitals in a pilot project. In doing so, T-Systems assembled the specifications for critical authorizations and role-separation conflicts in SAP IS-H and imported the resulting rule set into SAP BusinessObjects Access Control.
Having assisted KEH since a joint SAP R/3 implementation in 1999, T-Systems – a full-service provider of SAP support – was also the project partner SAP recommended to the hospital for its implementation of SAP BusinessObjects Access Control. SAP and T-Systems have a long history of partnership, particularly in the field of GRC.
The SAP BusinessObjects Access Control implementation at KEH proceeded in multiple phases. It started with hardware procurement and installation of the new application and continued with the creation and customization of the rule set according to the specifications of the managers responsible for finance, accounting, SAP IS-H, and other areas. The project concluded with training courses and joint tests, and preparations were made to integrate a third-party system at a later date.
Secure creation of new access rights
With its enhanced rule set in SAP BusinessObjects Access Control, KEH is currently revising its existing access authorizations in SAP IS-H and other components and carrying out risk analyses through its entire system. “The new application gives us the advantage of being able to identify and address critical authorizations and role-separation conflicts much faster, easier, and more thoroughly – even when creating new access rights,” Korzendorfer reports. With SAP BusinessObjects Access Control, it’s possible to create timely reports on the current risks of existing and newly established authorizations in SAP systems.
SAP BusinessObjects Access Control makes it much easier for KEH and other hospitals to fulfill their obligations in monitoring and verifying how they handle sensitive patient data. Looking ahead, KEH now sees itself better equipped to meet the increasing legal and regulatory requirements.
GRC outsourcing available from 2011
Based on experiences gathered in its pilot project, T-Systems has developed a GRC outsourcing model along with SAP that will be available starting in 2011. “Unlike the pilot project at KEH in Berlin, T-Systems will be providing a centralized GRC platform from its own data centers, which will give customers remote access without having to install anything themselves,” says André Bennewitz, service manager at T-Systems. “This will make using SAP BusinessObjects Access Control for risk analysis and monitoring even more attractive to midsize hospitals.”