 



eB2Bcom has been supplying solutions to the Australian eHealth sector since it started in 1996. Our first sale was the provision of specialist secure messaging technology to Optus Communications Health Solutions Division, enabling doctors to link up over the Optus Health Solutions (now Isoft) network for MEDCLAIMS. A range of projects and solutions has since been delivered across the sector, covering Service Provider Directory services, Identity Management, Management Messaging and the very first PKI-based secure eReferral system, known as Medisafe (www.medisafe.com.au), for which eB2Bcom provided the core infrastructure solution as well as the security components for the doctors, hospitals and allied health care participants.

Today eB2Bcom provides the following capabilities to the eHealth sector:


 
ViewDS HEARTS (Hospital Employee And Resources Tracking and Searching)

Requirement

Hospital Employee And Resource Tracking & Searching (HEARTS) evolved from a requirement of a major Hospital region in Melbourne Australia. Like many similar organisations, this Hospital was frustrated by their multiplicity of data repositories for employees and contractors, and the consequent lack of a single trusted authoritative source of staff information. This lack of co-ordinated directory services was seen as a major impediment to implementing other Identity Management Systems, particularly for security and provisioning.

HEARTS provides a hospital with a centralised publishing point for staff, contractor, and visiting identity information and a single point of update for all Allied Health contact information. It is the product of, and focal point for, the integration, consolidation and automation of Identity Management systems, processes and procedures. HEARTS meets the requirements of multiple stakeholder groups, supporting them in the functions they perform.

Key Features

Centralised Repository
HEARTS provides a central point for the management of internal staff, external staff resources and other related data. It can also contain and publish other locally managed data for which there is no other source. This could include:
• Non payroll staff - consultants, contractors, volunteers, research students, etc.
• Functions and Roles - Duty Nurse, emergency reception, on-call reception, etc.
• Resources (e.g. Meeting rooms) locations, booking details and contact
• Committee groups - linkages of resources into groups
• External contacts - information relating to external stakeholders such as GPs, Health clinics and other Hospitals.

Searching Capabilities
Users are not always precise in searching a directory: names can be mis-heard, transcribed incorrectly or shortened. Furthermore there is a wide range of names from different languages. HEARTS supports a range of approximate matching strategies to better support searches by human users. These include:
• phonetic matching - e.g. "pane" will match "payne", “wong” will also find “wang”
• typing correction - compensates for missing and transposed characters e.g. “fisotheraphy” will match “physiotherapy”
• stem matching - e.g. "optics" will match "optical"
• synonym matching - e.g. "Bob" will match "Robert", "road" will match "street", “Cancer” will match “oncology”
• Abbreviation matching - e.g. "NSW" will match "New South Wales"
• word matching, including word synonyms, word phonetic matching and typing correction
• fuzzy logic used to rank and return the best results and specialized indexes for rapid evaluation of approximate matches on large databases

Delegated Access Control
Access controls protect privacy and sensitive information from inappropriate disclosure and provide a delegated administration model, allowing differing levels of update to be made by a number of identified ‘Stakeholder’ groups. Both Role Based and Attribute Based Access controls are supported, and fine-grained access control based upon a combination of factors such as Time of Day is also possible. For instance, the cost centre managers are responsible for the accuracy and maintenance of information specific to their staff within their cost centre.

Single Sign On (SSO) and User Self Service
Proxy Authorisation functionality is employed to provide ‘Single Sign On’ based on the user’s Windows account. This reduces the maintenance cost and removes the need for administrators to maintain user authentication credentials in HEARTS. It also enables the provision of ‘User Self Service’, empowering staff to maintain key personal contact information within the ViewDS Staff directory.

Integration and Automation
HEARTS can leverage existing corporate systems and processes to produce an up to date view of contact information.
The regular automated synchronisation of staff and organisational information provides provisioning and de-provisioning of staff and automated maintenance of the core Directory information.
Corporate applications receive a ‘copy’ of HEARTS information through automated synchronisation.
Examples are Windows Active Directory, Switchboard Interface, Finance, Payroll and Contract Management, Call Accounting System, Administration Systems and HMO systems

Phone Lists
Departmental phone listings and reports are generated from the Staff Directory, providing real time information which can be presented on the screen and printed on demand.

Organisational Charts
Entries in a directory are arranged in a hierarchy called the directory information tree (DIT). The directory is most useful when the DIT mirrors a real-world hierarchy e.g. the organizational structure of a company or government.
These reports are generated automatically from the current information stored in HEARTS.
A whole range of Reports are available from ViewDS
HEARTS uses the advanced ViewDS discovery server technology developed in Australia. This technology enables the unique functions of HEARTS. See www.viewDS.com

Modular Configuration Options

• Standalone Edition
• AD Synchronisation Edition
• Universal Data Repository Synchronisation

Optional Features

• Customised reporting such as Cost centre reporting and Employee reporting
• Organisation charts
• Delegation Management & Appointments Management
• Skills database including User self service and competencies
• Emergency and first aid
• Location management (Floors, Buildings, cubicles, network nodes linked to building plan layouts)
• PKI certificates
• External facing Health Portal, including self-service


 
ViewDS eHealth Service Provider Index

A directory of health services and providers referred to as a Health Service Providers Directory (HSPD) has been identified as critical core infrastructure by Health Departments. The need for a comprehensive, trusted HSPD is driven firstly by the requirement of Departments (and potentially the general population) to identify and contact relevant service providers quickly and efficiently, particularly in times of emergency. It is also an underpinning requirement for any eHealth initiative such as electronic referrals and discharges and when coupled with a national Patient Directory provides the total identity infrastructure required for the “holy grail” of the health industry, the Electronic Health Record. A HSPD provides, or is the framework for, many Health initiatives. These capabilities include:
• a web access point for consumers that will list all health services and providers with authenticated access by authorized staff to restricted data
• controlled interface to, or synchronization with, data of other Departments, States, and National projects, such as Health Connect and the National NEHTA initiatives.
• a core enabler for Electronic Referrals/Discharges
• storage of digital certificate keys for PKI based systems such as secure email or two factor authentication
• Storage of trusted data of health professionals and other parties for broadcast systems such as epidemics
• the basis for Electronic Health Record systems where the interests and concerns of local health stakeholders can be reconciled with national standards and requirements
• the location for a common provider list being used across solutions to ensure consistent provider identification in referrals.

The benefits of a successful HSPD are:
• improved efficiencies in the search and selection of health service provider information
• improvement in the quality of health service provider data
• improvement in the public’s perception of efficiency in health service organizations
• improvement in access to health service provider information
• rationalization of the sources of health service provider information
• reduction in the requirement for health service provider information searches
• elimination of the need to perform multiple searches for health service provider information

The technology used must meet the specific service needs of the proposed users. This includes:
• high speed access
• integration with web services and the ability to store HL7v3 or openEHR XML data and more importantly to be able to search on its content
• high quality approximate matching, phonetic searching
• component matching (for more complex searches)
• hierarchical schemas to match departmental and hospital structures
• facility for “machinery-of-government” changes
• strong authentication and support for protection of data content to support State Privacy requirements

“Vanilla” database or LDAP technology is inadequate: in general it does not provide for these fundamental requirements (for example, the ability to make simple “machinery-of-government” changes to cope with the frequent re-organizations of departments, regions and hospitals), whereas ViewDS has all of these capabilities as standard features.


 
ViewDS eHealth Master Patient Index

Within the Healthcare sector, one of the critical elements in delivering quality healthcare is the eHealth Master Patient Index or eHMPI. The eHealth Master Patient Index (eHMPI) cross references patient identifiers across multiple information systems to uniquely identify each patient, perform global patient searches and matching, and consolidate duplicate patient records, allowing applications to create complete views of patient information. There are several advantages to implementing an eHMPI system. Some of the key advantages are:
• Consolidation of patient demographic information will enable more informed clinical decision making.
• Seamless integration with existing departmental systems to integrate files and IT systems that will provide a comprehensive outlook of your information.
• Flexible data models and real-time capabilities will facilitate improved record keeping and minimize overall costs.

eHMPI solutions can help by providing the following benefits:
• Improve patient care and safety.
• Increase provider satisfaction.
• Improve compliance capabilities with eHealth regulations such as the US HIPAA and other regulations to protect patient privacy.

ViewDS Uses Advanced Matching Logic to help accurately identify patients and avoid duplicate records.

The aim of the ViewDS as an eHMPI is to provide the ability to link acute and ambulatory data to provide an electronic medical record with both demographic and encounter data from across the care continuum. The aim is that no matter where an individual receives care, the eHMPI can save registration and admissions personnel time at check-in by giving them access to that person’s most current patient index data. As patients move between care sites without having to repeat their admissions data, they perceive the enterprise as a single organization that recognizes them as individuals and understands their healthcare needs.

When a new record is added to an eHMPI, a unique, system-wide identification number, called the Person Number, is generated for that individual. A key component and important first step in creating longitudinal patient records, the Person Number links external identifiers, demographic data, and encounter data records into a single data set.

Today, a Person Number is frequently used to link a patient’s records from interfaced clinical systems, such as radiology, pharmacy, and laboratory. When the Australian National Patient Identifier (ANPI) comes into play, ViewDS implemented as an eHMPI can be adapted to link to that identifier as well.

The Person Number benefits both users and information systems managers, because current registration methods don’t have to be replaced or a single medical record number format enforced across diverse information systems. Users can still locate patient information with the medical record numbers or other permanent identifiers used on the organization’s legacy systems.

Most important of all, the ViewDS as an eHMPI makes it possible for clinicians to identify and view in a single glance an entire medical record from multiple encounters across the care continuum when linked to a CCOW (Clinical Context Object work group) context management solution such as Sentillion Vergence (see below). Besides saving clinicians both time and effort in locating records, ViewDS allows for easy access to available data and the ability to share it with other colleagues and facilities, which can help improve patient care and delivery.

One of the key capabilities delivered by ViewDS is its advanced matching. This capability is designed to provide an intelligent method of comparing a multitude of identity attributes using a combination of heuristic matching and component matching to:
• Anticipate possible mistakes and variations in data entry
• Match records even when their individual attributes are not exactly the same
• Help overcome the inconsistencies created by variations in registration practices across multiple systems.

When a unique identifier, such as an enterprise identification number or a facility ID/medical record combination, is not available for a record search, ViewDS uses a set of heuristic matching algorithms and indexes to examine and compare many different attribute fields within the identity record in order to identify the correct match.

As part of ViewDS Administration a reporting module capability is also available to help manage the user review of possible matches and determine whether records should be merged.

Whenever an encounter (any inpatient or outpatient visit with an admit date and billing number) is added to the ViewDS, it becomes part of the individual’s long-term history. Each encounter is uniquely identified, so users always have access to the data, regardless of the facility or department in which the care was given. Additionally, this capability can be used as a record locator service to facilitate queries of disparate clinical systems to assemble a complete view of the clinical data captured for a patient.

The ViewDS as an eHMPI can either operate on its own or as part of a complete electronic medical record solution.

ViewDS fully supports either HL7v3 XML or openEHR XML.


 

Sentillion Identity & Access Management Solutions

The life of the physician within the hospital is complicated, and healthcare information technology adds to this complexity. Sentillion makes it possible for hospitals to create healthcare IT environments that serve physicians and the rest of the care-giving community. Sentillion’s solutions provide the healthcare-optimized software “fabric” that unites otherwise disparate systems to produce operational efficiencies, effectiveness, and control. With over 400,000 live caregivers, Sentillion’s identity and access management solutions are the most widely implemented in healthcare. Sentillion provides unique solutions for single sign-on, clinical workstations, advanced authentication, identity management and desktop virtualization. Each solution is comprised of a variety of modules and service offerings that our customers can choose from in order to meet their needs. Sentillion solutions can also be intermixed with products from other vendors, providing our customers with the ultimate in flexibility. Since 1998, Sentillion has revolutionized healthcare IT with award winning, industry recognized identity and access management technology.

For more information, please visit www.sentillon.com.

The Sentillion Solutions include:

HL7 CCOW Clinical Software Application Context Management
Single Sign On for Health Care Applications
   Express SSO
Clinical Workstation
   Vergence
   Privacy Auditor
Advanced Authentication – Support for Clinical Workflows
   Tap & Go
   Tap2
Identity Management
   Provision
Desktop Virtualization for Healthcare
   vThere
Clinical Application Support
   Bridges
   Vergence Wizard

Single Sign On for Clinical Applications

expreSSO leverages key elements of Sentillion’s proven identity and access management platform coupled with new innovations to provide a streamlined single sign-on solution that is easy to install and simple to administer. Healthcare organizations can deploy single sign-on enterprise-wide in a matter of days, through an extremely cost-effective, low-risk, enterprise-capable package.
Feature highlights of expreSSO include:

Simple Installation
• Appliance-based platform eliminates the complexity of installing servers; instead just plug the appliances into a power outlet and a network feed and expreSSO is ready for set-up
• Quick-start wizard guides administrator through streamlined process for expedited system set-up
• Workstations across the enterprise automatically download centrally administered SSO-related configuration data

Streamlined Administration
• Automatic user identity import, ongoing synchronization with enterprise directories along with automated application password learning to enable rapid deployment
• Plug-and-play automated SSO user account management via Sentillion’s proVision solution
• Published interface for automated SSO user account management allows integration with third party enterprise provisioning systems
• Easy to use centralized system administration with automatic event notification

Ease of Application Integration
• Intelligent agent technology automatically senses when applications are launched, resulting in an intuitive and seamless experience for end users
• Sophisticated support for connecting to Windows, web, and terminal applications.
• Unique point-and-click wizard for generating application connectors, where each connector’s capabilities are presented as a series of interactive animations that can be easily configured to meet the specific needs of each target application.
• Extensive catalogue of pre-built SSO application connectors, which Sentillion continues to expand, that provide “off the shelf” application integration
• Seamless support for Integrated Windows Authentication applications, even for shared workstations
• Extensive support for Citrix published desktops and Citrix/WTS hosted applications

Flexible Authentication
• Leverages existing enterprise directory for authentication (Active Directory, Novell eDir)
• Built-in support for strong authentication including fingerprint biometrics, active proximity, or passive proximity and combinations of these technologies
• Enterprise Grace Period* to enable organizations to automatically adjust the type of authentication required during the course of each caregiver’s work day

Purpose-Built for Healthcare
• Supports personal workstations generally used by just one person and shared workstations used by many people during the course of the day
• Single sign-on enables caregivers to quickly gain access to patient data
• Graceful single sign-off and automated logoffs help protect against unauthorized patient data access
• Fast User Switching, enabling users to log on and off of shared workstations in a matter of seconds
• Secure self-service password reset, even on a locked workstation, to eliminate help desk calls
• Seamless easy to use solution enables caregivers to naturally apply best security practices

Comprehensive Auditing and Reporting
• Centralized SSO audit log with built-in reports
• Ability to export report data for post-processing
• Ability to maintain circular logs or to archive logs

Scaling and High Availability Features
• Platform capable of supporting and maintaining more than 100,000 users
• Scalable from departmental to enterprise-wide to national deployments
• Proven architecture provides five nines (99.999%) uptime
• Powerful deployment options available to provide business continuity and disaster recovery capabilities

Clinical Workstation

Vergence® provides a single, secure, efficient, and safe point of access for all types of caregivers, for all types of applications, throughout the healthcare enterprise.
Vergence unifies single sign-on, role-based application access, context management, strong authentication and centralized auditing capabilities into one fully integrated, out-of-the-box clinical workstation solution. With support for hundreds of clinical, enterprise, and personal productivity applications, Vergence provides an unprecedented clinical workstation solution that works effectively and reliably in all types of healthcare environments to provide caregivers with the ability to quickly, securely, and safely access and navigate between the applications they use to deliver patient care.

Feature highlights of Vergence Clinical Workstation include:

For Caregivers
Single Sign On with Fast User Switching

Vergence provides a full-featured single sign-on capability enabling caregivers to enter their id and password once in order to gain access to any application they are allowed to use. Further, with Fast User Switching, the process of signing on and off on shared workstations takes only a few seconds.

Context Management

Once logged on, Vergence enables caregivers to select the patient of interest once, in any application, in order to tune all applications to the same patient. This ability to automatically share context between applications saves time and minimizes the risk of mixing data for different patients.

Role-based Access

Vergence offers the option of a role-based toolbar called Launch pad to standardize the look and feel of diverse workstations across the enterprise, making it easy for caregivers to find and access the applications to which they have access based on their role.

Patient-centric System Navigation

A drop-down list of recently viewed patients that can be used for selecting a patient’s record for viewing across multiple applications.

"Hot" Applications

Vergence can be configured to allow applications to run “hot,” eliminating the load times of clinical applications. Instead of waiting for applications to launch, caregivers are accessing clinical applications in just a few seconds.

One-click Single Sign-off

When caregivers are finished using their workstation, signing off is as easy as clicking on a single icon. Vergence will properly sign the user off all applications, including answering and closing any dialogue boxes that pop up as part of the sign-off process. This ensures patient records are not erroneously left in a locked state from the unexpected termination of an application.

For IT
One Solution

Unlike solutions that force organizations to integrate multiple products that perform one function, Vergence is a full clinical workstation, designed, tested, implemented and supported by a single vendor.

Scalability and Reliability

Sentillion’s appliance-based platform enables customers to easily scale their Vergence system to support tens, hundreds, thousands, or tens of thousands of users. With proven uptimes of 99.999% or better, Vergence also creates a foundation that organizations can rely on, all day long, every day.

Integrated Strong Authentication

Sentillion provides support for strong authentication devices such as biometric fingerprint readers and both passive and active proximity badges out of the box, including Sentillion’s unique Sentillion Tap & Go™ solution. These technologies are fully integrated into the Vergence solution. This means they are sold, implemented and serviced directly by Sentillion.

Preservation of Native Application Functionality

Applications can be integrated into Vergence without requiring any modifications to the application. Caregivers continue to use each application’s native user interface and existing workflows, leveraging your investments and eliminating the need for new application training.

Extensive Support for Citrix

The majority of Sentillion’s customers leverage Citrix to publish applications or entire desktops. Vergence works with a broad range of Citrix deployment models and enables Citrix-hosted applications to seamlessly achieve single sign-on and context sharing with thick-client and Web applications.

Advanced Audit Capabilities

The privacy auditing capability built into Vergence provides a single view of all user interactions including user log-on/off, authentication methods, failed login attempts, applications launched and patient records accessed. Reports can be flexibly and easily generated using popular third party reporting tools.

Business Continuity Options

Vergence includes built-in disaster recovery capabilities for the extreme event that an entire Vergence system fails, for example due to a data centre outage. Entire Vergence systems can be replicated and distributed across data centres to augment existing business continuity strategies, including hot stand-by Vergence systems and/or multiple active Vergence systems.

Advanced Authentication - Support for Clinical Workflows
Capability Overview

Sentillion Tap & Go™ is a patent-pending, advanced authentication capability that leverages standard passive proximity cards to deliver the easiest sign-on process in the healthcare industry today.

With Sentillion Tap & Go, physicians and other caregivers can roam throughout a defined work area and sign on to different workstations simply by tapping their passive proximity badge against a workstation reader. Sentillion Tap & Go is easy to adopt because it leverages the same badge that organizations use for physical access. Caregivers can now use one badge for entry into the parking lot, building access, as well as single sign-on to their workstation.

How It Works

With Sentillion Tap & Go, users perform a two-part authentication at the beginning of their shift by tapping their passive proximity card against a card reader and entering their password or providing other verifiable authentication such as a fingerprint biometric. Once this two-part authentication is completed, Sentillion’s technology initiates an authentication grace period. During the grace period, the user can access any other shared workstation in a defined area, such as the emergency department, simply by tapping their badge against a reader. Users only need to perform the two-part authentication when their grace period expires or when they move to an area of the hospital with a different Sentillion Tap & Go policy. Sentillion Tap & Go is a feature of Sentillion’s single sign-on solution, expreSSO™, as well as the Vergence® Clinical Workstation solution version 4.2 or later.

Feature highlights of Sentillion Tap & Go include:
Centrally controlled grace periods

The duration of the grace period is centrally controlled and can be set for the enterprise or by workstation group, enabling security protocols to be matched to specific clinical venues and patient care workflows.

One click log-off

Signing out of all applications gracefully is as easy as clicking a single icon.

Works with proximity cards you already have

The solution provides out-of-the-box support for a wide variety of proximity cards, including from suppliers such as HID, Casi-Rusco, Indala, Kantech, AWID and Pyramid. Please contact Sentillion for additional details concerning card compatibility.
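
The sign-on flow under "How It Works" and the centrally controlled grace periods, sketched as an added Python example. It is not Sentillion code; the class, method, badge, workstation and group names are hypothetical. It assumes a fixed (non-sliding) grace period bound to the workstation group where the two-part authentication took place, and a password as the second factor.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Outcomes of a badge tap (labels are this example's own).
TAP_ONLY = "signed-on: badge tap within grace period"
TWO_PART = "signed-on: two-part authentication, grace period started"
NEED_SECOND = "challenge: second factor required"
DENIED = "denied"


@dataclass
class Grace:
    group: str         # workstation group whose policy granted the grace period
    expires_at: float  # absolute time in seconds at which it lapses


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BadgeGate:
    """Central policy point: decides what each badge tap is allowed to do."""

    def __init__(self, enterprise_grace, grace_by_group, group_of_workstation, users):
        self.enterprise_grace = enterprise_grace          # default, in seconds
        self.grace_by_group = grace_by_group              # group -> seconds (override)
        self.group_of_workstation = group_of_workstation  # workstation -> group
        self.users = users    # badge id -> (user, salt, password hash)
        self.active = {}      # user -> Grace; one per user (assumption)
        self.audit = []       # (time, user, workstation, outcome)

    def _log(self, now, user, workstation, outcome):
        self.audit.append((now, user, workstation, outcome))
        return outcome

    def tap(self, badge, workstation, now, password=None):
        group = self.group_of_workstation.get(workstation)
        record = self.users.get(badge)
        if group is None or record is None:
            return self._log(now, None, workstation, DENIED)
        user, salt, stored = record

        # Tap-only sign-on: grace still running AND granted for this group.
        grace = self.active.get(user)
        if grace and grace.group == group and now < grace.expires_at:
            return self._log(now, user, workstation, TAP_ONLY)

        # Otherwise (no grace, expired, or a group with a different policy)
        # the badge alone is not enough: require the second factor.
        if password is None:
            return self._log(now, user, workstation, NEED_SECOND)
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return self._log(now, user, workstation, DENIED)

        seconds = self.grace_by_group.get(group, self.enterprise_grace)
        self.active[user] = Grace(group, now + seconds)
        return self._log(now, user, workstation, TWO_PART)


def demo():
    """One shift, with constructed badge, user and workstation data."""
    salt = b"constructed-salt"
    gate = BadgeGate(
        enterprise_grace=4 * 3600,
        grace_by_group={"emergency": 2 * 3600},
        group_of_workstation={"ED-01": "emergency", "ED-02": "emergency",
                              "WARD-07": "ward-7"},
        users={"badge-1001": ("dr.lee", salt, hash_password("correct horse", salt))},
    )
    return [
        gate.tap("badge-1001", "ED-01", now=0),                            # badge only, no grace yet
        gate.tap("badge-1001", "ED-01", now=5, password="correct horse"),  # start of shift
        gate.tap("badge-1001", "ED-02", now=3600),                         # same group, in grace
        gate.tap("badge-1001", "WARD-07", now=3700),                       # different group
        gate.tap("badge-1001", "ED-02", now=5 + 2 * 3600),                 # grace just expired
        gate.tap("badge-1001", "ED-02", now=8000, password="wrong"),       # bad second factor
        gate.tap("badge-9999", "ED-01", now=8100),                         # unknown badge
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The audit list records every decision, including challenges and denials, which is the data a reviewer needs to confirm that tap-only sign-ons never occur outside a live grace period.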

Identity Management - Provision

Sentillion’s user provisioning solution, proVision, replaces the burdensome, slow, and error-prone challenges of manually administering user accounts for clinical and non-clinical systems with a single, centralised, automated solution. With proVision, healthcare professionals can be up, running and productive on a healthcare organisation’s information systems on the first day of their residency, staff assignment or upon receiving admitting privileges. When a user leaves the organisation or changes roles, proVision uniformly alters, disables, or terminates their access to systems and applications.

Uniquely designed for healthcare, proVision enables organisations to automatically provision clinical applications, such as CPOE, PACS, and portals; administrative applications such as billing, enterprise directories; and personal applications such as e-mail. Further, proVision enables healthcare organisations to easily and automatically create user accounts for employees and for users who are not employees but who nevertheless require access to computer resources. This includes medical students, community physicians, and agency nurses.

In addition to supporting automated feeds from trusted sources such as human resources and credentialing systems, proVision includes rich delegation features to enable self-service capabilities for non-technical users. proVision can also be configured to automatically seek formal approvals from authorised users for outstanding provisioning requests. To provide a complete and real-time status of users’ electronic identities, proVision lets IT administrators track users and application accounts enterprise-wide – for example, to report on which users have accounts in which applications, or what provisioning actions occurred when.

Key to the successful implementation of a provisioning system is the mechanism for interfacing to the applications that are to be provisioned. proVision is uniquely designed to enable comprehensive, fine-grained provisioning into target applications, including clinical systems that require dozens of parameters in order to create accounts. As a result, proVision is able to automatically provision applications from corporate e-mail to the most complex clinical systems.

Benefits
Dramatically Increases Speed of Provisioning Requests

Turnaround time on provisioning requests can be reduced from weeks to same day, increasing clinician satisfaction through proVision’s predictable and consistent process for responding to requests and status updates.

Improves Security & Audit Ratings

proVision’s comprehensive workflow management capabilities enable consistent and thorough organisational adherence to computer authorisation policies. The risk of unauthorised information access is minimised through effective, consistent processes for managing terminations, temporary separations, re-hires and temporary system users.

Reduces IT Costs & Support

proVision’s process automation eliminates personnel intensive manual procedures and reduces errors by establishing a consistent, repeatable provisioning process for all computer users.

Meet Compliance Requirements and Achieve Best Practices

Organisations can implement security and privacy policies that support regulatory compliance.
Organisational best practices can be achieved by “fine-grain provisioning” applications with all necessary account attributes to provide end users with thoroughly defined and configured accounts to support their roles and workflows.

Desktop Virtualization for Healthcare

vThere is a packaged client-side virtualized desktop solution, which leverages virtualization technology to create a corporate managed secure end-point that runs on any contemporary Windows based workstation. End points at remote locations are secure and controlled by creating corporate virtual computers, which run on, but are isolated from, the unmanaged machines they run on. Packaged desktop virtualization adds significant management capabilities over generic desktop virtualization products by enabling scalable deployment and administration with limited resources and technical expertise. Additional benefits include:

• Isolation of processes and resources from the unmanaged host machine, which provides predictability and protection from malicious software, and avoids both contamination of the enterprise's internal network and theft of corporate information.
• A consistent, normalized set of operating system, software and hardware in the secure end point, regardless of the actual physical hardware and underlying host environment.
• Consistent desktop control over corporate computing assets and intellectual property at remote locations.
• Flexibility and manageability to deploy and update software based managed machines with the same set of management tools used within the enterprise.

How vThere Works

An administrator creates virtual role-based images once, which can be deployed to an unlimited number of users. User-specific policy settings can be provided to customize the vThere image for individual users. The vThere image consists of all of the necessary software and configuration settings, including the Windows operating system, corporate virus protection software, corporate VPN client software and the specific applications that the user will require access to from the remote venue. Typically different images or virtual computers are created for different end-user roles within the organization. For example, it is likely the customer service department users would have a different image than the finance department users. The image that is created is used by all users that have that same role, but when assigned to an end user, the vThere image is automatically copied and customized to include unique information, such as the Windows SID and the computer name, so the image will not conflict with other copies. This hands-off, automatic image setup and customization process frees up IT resources to focus on other mission critical tasks.

Once the image has been prepared for distribution, vThere provides two options to deliver a copy of an image to an end user. The first is the ability to create a standard ISO file that can be burned to a DVD and physically delivered to an end user. The second approach is to create a web package that is posted to www.vThere.net, which is a secure hosted service provided by Sentillion vBusiness. With either approach the user is issued a unique Activation ID, which is a single-use key that includes an expiration date and that allows the user to install vThere on their unmanaged PC, either in their home or at another remote office location.

In both the DVD and web based download scenarios, the Activation ID is always verified against www.vthere.net using secure web services calls. The Activation ID determines if the user has actually activated vThere and also allows the organization to revoke vThere from that user. In addition, www.vThere.net records information about the ongoing use of vThere by the end user by logging events every time the user runs the vThere image. Upon first use of vThere, the end user's vThere virtual computer securely connects back to the corporate network to gain access to network resources, creating a contained, controlled and fully functional software environment on an unmanaged machine. The vThere image also automatically joins the Active Directory Domain, making it a fully managed domain computer just like any other computer on the corporate LAN. The remote user now has full access to the complete set of applications and resources they need, based on their role, from a corporate managed secure end-point that has all the security characteristics required by the organization.

Clinical Application Support - Bridges

Sentillion’s Bridges provide a flexible, extensible and uniform mechanism for interfacing to applications in order to achieve single sign-on, single patient selection, or user account provisioning. Bridges drive the user interface of targeted applications as though they were the end users of those applications. In other words, Bridges can “see” what the user can see and operate the application and input data in the same way the user can.

Key to the successful implementation of any identity and access management (IAM) solution is the mechanism for interfacing the IAM system to the applications that are to be managed. While IAM interfacing standards exist, such as HL7’s CCOW for single sign on and single patient selection and SPML from OASIS for user provisioning, the adoption and application of these standards by healthcare vendors continues to be inconsistent. Sentillion developed its Bridge technology and BridgeWorks tool kit in order to provide a practical, scalable, robust and cost-effective approach for creating interfaces for the vast majority of applications that do not support standards. A Bridge effectively turns an application’s user interface into an application programming interface. For example, to accomplish provisioning, a Sentillion Bridge navigates the user interface for the target application’s administrative console, inputs data into the necessary fields, selects the desired choices from menus and pick lists, completes dialogues, and checks for errors. All of this is accomplished automatically, with no need for a user to be in attendance.

Sentillion’s Bridges inherently support the broad range of workflows found in a healthcare organization, including fast single sign-on, fast single sign-off, graceful termination of applications at sign-off, and enabling applications to remain running “hot” between user sessions. Further, Bridges support bi-lateral single patient selection, enabling the user to select the patient of interest in any application so that all other applications automatically tune to the selected patient. Sentillion Bridges also support deep provisioning of user accounts into clinical and non-clinical applications.

Since Bridges need to interact with an application at the same speed as a real user, BridgeWorks includes event-based programming capabilities, which support a wide range of events, from desktop behaviours such as program launching and windows appearing to browser actions and identity events (i.e., the user logging off or changing the currently viewed patient identity). Sentillion Bridges can be created by non-programmers using a GUI-based wizard, called BridgeBuilder, which is part of BridgeWorks and generates BridgeWorks scripts automatically. In addition, Bridges can be created using BridgeWorks' powerful set of building blocks for programming in J-Script.

Benefits
Extensibility to Meet New Requirements

• BridgeWorks is designed to be extensible, in order to meet virtually any application integration challenge.
• Any scriptable Windows or Web component can be called from BridgeWorks and be a source of BridgeWorks events.

Robust Design Accommodates Change

• The event model supported by Bridges provides a high degree of resiliency to changes in the underlying applications. The event model minimizes the amount of “touch” between a Bridge and an underlying application so that changes to the application are often transparent to the Bridge. However, in the event that changes are required, existing Bridges can be readily modified using BridgeWorks or the BridgeBuilder Wizard.

Access to Open Source Community

All Sentillion customers are members of a unique online community called IdMPOWER. IdMPOWER contains discussion groups, a knowledge base, and product updates. It also contains a library of Bridges that are contributed by Sentillion and customers and that are available for IdMPOWER platinum members to download and use. This open source model empowers our community to accelerate application integration.

One Tool, One Methodology

With BridgeWorks, healthcare organizations need only learn and apply one tool in order to achieve a remarkably broad range of IAM interfacing capabilities, from single sign-on to single patient selection to user account provisioning. No other IAM vendor offers the degree of tooling uniformity and efficiency.

     

