NetIQ Identity Manager Driver for Epic Implementation Guide

Epic is an Electronic Medical Records (EMR) management system that maintains medical records and gives healthcare providers and patients access to those records. Epic is one of the leading EMR systems in use throughout the healthcare industry. Epic stores protected health information (PHI) and personally identifiable information (PII) and is therefore subject to HIPAA regulatory requirements.

Driver Concepts

The Identity Manager (IDM) Driver for Epic EMP is a connector that allows for identity life cycle management of Epic EMP (login account) records. Within the Epic EMR ecosystem there are two main record types, EMP and SER; this driver manages EMP records only. The driver works on the Subscriber channel only, as Epic currently does not have an event system or a full database query facility.

Epic does not utilize groups as part of its architecture. Instead, Epic utilizes the concept of security templates to assign access within the application. The Epic EMP driver takes advantage of this architecture and allows the assignment of these templates and sub-templates within Epic via the assignment of IDM entitlements. A user may only be assigned a single template, but sub-templates may be assigned to the user to supplement their security access within the Epic system.

Data Transfer Between Systems

The Epic driver communicates with Epic using the Epic SOAP APIs.

In order to use the Epic driver, the Epic Interconnect Web Services must be licensed and enabled within the Epic system. Contact the Epic administrator for help enabling this service.

Publisher Channel

The publisher channel is not currently supported on this driver.

Subscriber Channel

The driver synchronizes the User class from the Identity Vault to Epic (on the Subscriber channel). The attributes synchronized are specific to each individual implementation but typically include the CN, jobCode, Login Disabled, naming attributes, and other user-level attributes.

How the Driver Works

The Epic EMP driver shim is a Java shim that establishes a SOAP connection to the Epic EMP interface. Epic EMP records are created and updated over this connection.

The CSV file containing the linkable templates and sub-templates should be provided by your Epic security team and updated regularly. The CSV format is as follows:

ID,DESC,TYPE
T00239,ABSTRACTION SUBTEMPLATE,Subtemplate
TACCESS,ACCESS PROJECT TEAM,Linkable Template
ADMIN,"ADMIN, EPIC",Linkable Template
T3102601,ADT ADMIT SUPERVISOR TEMPLATE,Linkable Template
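As an added example, not code from the driver or this guide: the Python below parses a template list in the CSV format above and checks a requested set of template IDs against the rule stated under Driver Concepts (exactly one linkable template, any number of sub-templates, and every ID must exist in the list). The CSV content is constructed from the sample rows above; the function and variable names are my own.

```python
import csv
import io

# Constructed sample in the CSV format shown above; the quoted "ADMIN, EPIC"
# description is why the file needs a real CSV parser rather than split(",").
SAMPLE_CSV = """ID,DESC,TYPE
T00239,ABSTRACTION SUBTEMPLATE,Subtemplate
TACCESS,ACCESS PROJECT TEAM,Linkable Template
ADMIN,"ADMIN, EPIC",Linkable Template
T3102601,ADT ADMIT SUPERVISOR TEMPLATE,Linkable Template
"""

LINKABLE = "Linkable Template"
SUBTEMPLATE = "Subtemplate"


def load_templates(text):
    """Return {ID: (DESC, TYPE)} from the security team's CSV."""
    templates = {}
    for row in csv.DictReader(io.StringIO(text)):
        tid, ttype = row["ID"].strip(), row["TYPE"].strip()
        # Reject unknown types and duplicate IDs: a malformed file must not
        # silently grant or drop a template.
        if ttype not in (LINKABLE, SUBTEMPLATE):
            raise ValueError(f"{tid}: unknown TYPE {ttype!r}")
        if tid in templates:
            raise ValueError(f"{tid}: duplicate ID")
        templates[tid] = (row["DESC"].strip(), ttype)
    return templates


def validate_assignment(templates, requested_ids):
    """Return (template_id, sorted sub-template ids) or raise ValueError.

    Every problem is collected before raising, so a policy can reject the
    whole change rather than apply part of it.
    """
    problems, linkable, subs = [], [], []
    for tid in dict.fromkeys(requested_ids):  # de-duplicate, keep order
        if tid not in templates:
            problems.append(f"{tid}: not in template list")
        elif templates[tid][1] == LINKABLE:
            linkable.append(tid)
        else:
            subs.append(tid)
    if len(linkable) != 1:  # the guide allows exactly one linkable template
        problems.append(f"need exactly one linkable template, got {linkable or 'none'}")
    if problems:
        raise ValueError("; ".join(problems))
    return linkable[0], sorted(subs)
```

Running the check against the current template file before a Subscriber-channel modify is issued lets a stale or hand-edited CSV be caught as a rejected event rather than as an unexpected access change in Epic.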

Standard Use Cases

The following is a list of standard use cases and benefits for the Epic EMP driver:

  • Automatic user account creation in Epic.

  • Automatic updates in Epic on managed accounts and attributes.

  • Mapping of Epic security template assignment to job or business roles in IDM.

  • Security templates may be assigned via policy on the Epic EMP driver subscriber channel.

  • Security templates may be assigned via roles and resources in IDM Dash.

  • Security templates may be assigned via roles and resources through Identity Governance business roles or technical roles.

  • Re-evaluate Epic security when job roles change within the organization.

  • Enforce least-privilege access within Epic.

  • Management of external account assignments within Epic.