SSO provides relief for password headaches
Few procedures in the hospital cause more consternation for clinicians than passwords. In some facilities, employees need a literal scorecard to keep track of which complex alphanumeric log-on sequence they need for which application. For some, these sequences number in the dozens.
Conversely, those who have adopted a single sign-on system feel like a giant weight has been lifted off their shoulders. No wonder it’s catching on.
“Nobody enjoys typing complex passwords – not even the most masochistic IT nut,” joked Jim Fulton, vice president of marketing for Redwood City, Calif.-based DigitalPersona.
Southwest Washington Medical Center is emblematic of how password management can get out of hand quickly and completely. Four years ago the Vancouver, Wash.-based provider organization – which employs some 3,300 staff members – had people logging on to approximately 200 different applications, with most situated in silos geared to one specific function, says IT security officer Christopher Paidhrin.
“It was, and mostly still is, a large group of disparate, stand-alone appliances,” he said. “At the time we were deploying an end-to-end VPN (virtual private networking) system to the 200 clinics in our region, so we actually have more people outside our firewall who need access. At that point I knew we needed to get it down to a single access gateway.”
The situation is very familiar to Reid Oakes, director of healthcare and life sciences technology solutions for Redwood Shores, Calif.-based Oracle.
“In some customer environments, the need for heavy experience management is higher than others,” he said. “In these environments, a provider who needs to access all these [applications] commonly has different credentials for each one. This is pretty painful for providers and is probably the most common application of SSO technology in the healthcare industry.”
For environments that maintain enterprise applications requiring authentication, such as file system permissions, collaboration, calendaring and purchasing, SSO serves as a bridge between the application footprint and the clinical side, he said.
In the course of its due diligence, Southwest Washington looked at six SSO systems and put minimal workforce impact at the top of its list, along with solid architecture and ease of extraction “so we could go back where we were if things weren’t working,” Paidhrin said.
Ultimately, he chose Lexington, Mass.-based Imprivata, which offers multiple access modes, including RADIUS, proximity, biometrics, Active Directory and Citrix.
DigitalPersona focuses on fingerprints, which Fulton contends provide the fastest, most accurate login for users. With proximity badges, users can be logged off automatically when they step away, or systems can be engineered to sign off automatically after a set amount of time – usually 30 seconds.
‘Kid in a candy store’
Imprivata chief technology officer David Ting says SSO’s primary goal isn’t staff convenience (though that is a big benefit), but protecting highly sensitive data from unauthorized users, including staff.
“We operate from a security perspective, focused on privacy, confidentiality and protecting data from the wrong people,” Ting said. “The recent ‘Octomom’ and Britney Spears leaks reinforce the need to make the system secure, with users only having access to the information they are allowed to see.”
The control point, Ting said, is at log-on.
“Healthcare has a wealth of sensitive information and easy to access – it’s a ‘kid in a candy store’ model,” he said. “Employees are human and prone to weaknesses. The insider threat makes staff more dangerous than hackers.”
The often chaotic environment in healthcare also requires that log-offs be swift and secure, Ting said.
“These are open facilities and difficult to secure,” he said. “People are constantly running around – it’s easy for someone to pretend to be a physician or clinician.”
Help for help desk
Of Imprivata’s nearly 400 healthcare customers, the majority use fingerprint identification.
“It has been very popular because it accelerates the sign-on process, takes away the drudgery of listing eight user names and passwords, especially if you’re doing it a few times an hour,” Ting said.
Paidhrin contends that the Imprivata system has brought much-needed relief to the help desk corps by dramatically reducing the sheer number of forgotten password calls.
“Requests for password resets used to account for about 25 percent of help desk calls,” he said. “Now they are only about 5 percent.”
DigitalPersona likewise reports having largely silenced password-related complaints.
“It solves all the auditor’s needs for having all the complex password rules while solving the staff’s problem of having to remember all those complicated passwords,” Fulton said.
VIP for PDA
In an age when so many clinicians’ computing tasks are being done on portable devices, enabling SSO for PDAs and iPhones appears to be the next logical step. Though still in an organizational phase, Mountain View, Calif.-based VeriSign’s new mobile credential is available for download onto more than 90 cell phone models.
Known as VeriSign Identity Protection, the system offers “strong authentication with a single credential” for various commercial and social networking sites in the VIP Network. Jen Gilburg, VeriSign’s director of business development, identity and authentication solutions, says the VIP system is primed for assimilation to healthcare.
“The technology is here today – now it’s a matter of getting the right vendors to provide it,” she said. “We have started a concerted effort in targeting the top five EMR vendors and working with integrators to pull the pieces together. It is easy to implement but it’s not quite at the point where a joint solution is in place.”
Going beyond the initial phase of development, VeriSign recently launched a toolkit that lets mobile application users easily add the functionality, so the mobile device can signal a one-time password with the touch of a key.
“My team is working to integrate with Web services on the back end so they can easily turn this on and have access to the EMR solution,” Gilburg said.