Regence Group was formed from the 2000 merger of four US health insurers. And not only is it still dealing with the legacy of that merger today, it is also having to conform to rigorous new medical privacy legislation which came into force this year.
As a result of the merger, Regence Group inherited more than 450 different systems from the four companies – each of which had built up different a infrastructure. One was a ‘Microsoft shop’, another was mainframe-based and the other two were different mixes of Microsoft and Unix.
Quite apart from the integration challenge, this also posed a complex security problem. On the one hand, staff would have to sign into multiple different systems throughout the day – each with different passwords. On the other, simply administering all the user accounts – and dealing with the inevitable support calls from staff who had forgotten their passwords – presented an intolerable burden on IT.
“User provisioning and account management was lacking in a lot of areas,” admits Regence technology architect Chris Bates, “such as password synchronisation, mandatory password characteristics [part of Regence’s security policy management] and automatic account revocation.”
Over the past four years, Regence has consolidated the number of IT systems – but it still runs some 250 different systems, says Bates.
Alongside that, the company needed to simplify its sign-on procedures and to tighten access control security in order to meet a variety of new regulations, particularly the 1996 Health Insurance Portability and Accountability Act (HIPAA).
In 2002, Regence Group opted to implement BMC Software’s Control-SA identity management package in order to help it meet those twin challenges.
Surprisingly, the company has not conducted a return on investment (ROI) study to determine how much money it has saved, but Bates is adamant that the savings have been significant. Staff that do forget their passwords, for example, can now use an online tool to retrieve them.
And the benefits have certainly been felt in the IT department where staff have been re-deployed from support to more productive and rewarding tasks.
However, that may partly have been at the expense of the human resources department, which now handles account management. That helps ensure that passwords are always current. “It’s integrated into our [Lawson Software] human resources system so that when a person is hired or terminated, action is automatically taken on all of their accounts,” says Bates.
But the length of time that the project has taken also underscores the fact that while identity management software has the potential to deliver both major security improvements and running cost reductions, it is no trivial application to implement.
However, the benefits are incremental and ought to be felt within the first few months.