Security

Sign of the Times

As the government promotes universal electronic medical records, single sign-on technology gains momentum.

Federal healthcare providers must balance control of patient information with ease of data access. Single sign-on (SSO) technology offers a viable solution, especially when tied to the government’s ongoing efforts to develop secure and reliable ID verification for those who need access to government networks.

Healthcare SSO technology helps providers access systems and applications through a single authentication action that might combine a simple password and fingerprint scan or other biometric security element.

There are different types of single sign-on technologies. For instance, web SSO targets a user’s internal or external web portal. Conversely, enterprise SSO targets a user’s desktop sign-on, enabling access to enterprisewide systems and applications through a single authentication.

In Demand

No matter the delivery model, SSO consistently remains top of mind as a healthcare technology priority. In its annual survey, the Healthcare Information and Management Systems Society noted that moving to SSO ranked among the top 10 IT priorities for healthcare organizations over the next two years. SSO leads all other IT security categories, including disaster recovery, e-mail encryption and intrusion detection.

SSO, which can be deployed as part of a broader identity and access management initiative, protects patient information from unauthorized access. It also must let authorized healthcare personnel authenticate to the healthcare network and gain access to the multiple systems that healthcare organizations find critical to good patient care.

Ideally, in a healthcare environment, this would be invisible to practitioners. Technology manufacturers are also sensitive to the fact that healthcare IT shops need the ability to set up SSO programs in hours, not days. One manufacturer, Imprivata, offers an SSO “black box” appliance that addresses digital authentication. The Imprivata SSO tool provides a password and biometric authentication, such as a fingerprint scan, to gain access to applications. The overall strategy is to reduce complexity while still providing necessary security for IT access.

“We have to be noninvasive,” says David Ting, founder and chief technology officer of Imprivata. “Healthcare providers have told us to ‘get IT out of the way and let me treat the patient,’ so we have to slot right in without getting a development team involved.”

This scenario is reflected at Glencoe Regional Health Services. The healthcare provider, based in Glencoe, Minn., currently uses Imprivata single sign-on devices to power an SSO strategy for its main facility and two satellite offices. With approximately 360 doctors, nurses and other clinicians using the technology, Glencoe Regional found the benefits of SSO can multiple quickly.

Keystroke Mania

Michael Sprandel, network administrator for Glencoe Regional, performed simple calculations to determine if there was an efficiency benefit beyond providing better security. Based on the number of logins required per system and the number of patients seen per hour — about four — Sprandel determined that practitioners were logging in to data systems almost 100 times during an eight-hour shift and performing more than 1,200 keystrokes.

“These estimates are extremely conservative,” says Sprandel. “Many of our practitioners are seeing double the average number of patients per hour.”

With SSO installed, Glencoe Regional users gained time savings, avoiding constant login and logout scenarios. “Everyone in the practice now wants [SSO] access to solve this problem,” he says.

36% Healthcare organizations using single sign-on

49% Organizations that plan to use
single sign-on by 2011

SOURCE: Healthcare Information and Management Systems Society Leadership Survey, 2008

Glencoe Regional’s business office is also using SSO for claims submission and claims management processes, an unanticipated additional benefit.

“We found that [administrative users] typically had more than 20 passwords to juggle as well,” says Sprandel. SSO speeds their access to different systems used to enter and remediate patients’ medical insurance claims. There is a push to authorize patient insurance and verify coverage before patients receive care; SSO helps in this regard.

“It is turning into an end-to-end solution for the entire process,” he says.

Sprandel says that the SSO device was also cost-effective and worked with all existing healthcare information systems used at Glencoe Regional. The healthcare provider plans to ratchet up security by increasing the number of authentication factors needed to log in to the network.

Other users cite flexibility and automation as the main drivers for SSO adoption. As the number of passwords explodes for many employees, security solutions need to address convenience.

“Technology should make people’s lives easier, and SSO does that,” says Rifat Ikram, vice president of electronic delivery and support services for the Justice Federal Credit Union in Chantilly, Va.

The nationwide credit union has more than 150 users of Imprivata SSO products. Some employees were juggling as many as 50 passwords, which prompted the credit union to act. It uses fingerprint biometrics for identification and will expand that to include proximity cards. The solution also automatically resets passwords for employees after specific time periods.

The experiences at Glencoe Regional and Justice Federal illustrate how SSO creates value, says Gerry Gebel, vice president and service director for Burton Group Identity and Privacy Strategies. “The next step beyond security is productivity enhancement,” Gebel says. “Many hospital environments don’t have a lot of extra people or time to help in the data acquisition process, so SSO is a benefit.”

Anywhere and Everywhere

Gebel also points to other positive aspects of SSO technology, such as providing a single point of integration for security tokens, readers and other strong authentication methods.

He also says that many doctors now want to review medical records from home. With SSO, doctors have extra security that allows such “pre-care” work to occur outside the medical facility.

“Without SSO, many healthcare organizations were afraid to put this information over the Internet,” says Gebel.

SSO is typically part of a larger security and integration strategy that can include multiple technologies and other forms of user authentication, such as biometrics, smart cards and proximity cards. When partnered with context management solutions, SSO provides even greater value.

This answers the question of what automation tools healthcare providers should employ with SSO to improve patient care. The combination of SSO and context management allows convenient access to basic patient records as well as the ability to launch systems to provide doctors with laboratory, radiology or cardiology information automatically.

“This gives doctors all the information they need for complete patient care,” says Imprivata’s Ting.

Tools of the SSO Trade

Obviously, a single device does not a single sign-on system make.

Typically, in an enterprise setting, these systems integrate several components: the sign-on solution, the agency’s identity management system and its user authentication service.

On the back end, a server hosts the identity management system and authentication tools behind the agency’s firewall. The use of rack-mountable systems (such as a 2.83-gigahertz, quad-core Xeon E5440 HP ProLiant DL380 G5) or blade servers (such as a 3GHz, quad-core Xeon E5450 Sun Blade X6250 Server Module) make it possible to scale the system up or down as the medical facility adds clinical services and users.

As to the authentication software, some possible applications include RSA Authentication Manager Enterprise Edition, Gemalto Strong Authentication (SA) Server and Vintela Authentication Services. The authentication software can be used to set access policies and privileges across the network and to allow remote access by users to services, a crucial component in most healthcare environments.

Finally, users need a way to interact with the system on the front end and in most cases will use two-factor authentication. For instance, using their secure government ID cards, federal workers could scan their IDs with a card reader, such as RF Ideas’ pcProx Proximity Card Reader, to validate their identity when signing on. For healthcare setups, proximity readers can plug in to a USB port on a central computer so doctors and nurses can simply flash their smart cards, sign on and access clinical systems.

Kerberos Explained

Many single sign-on technology tools rely on Kerberos, an encrypted authentication protocol originally developed in the 1980s for the Massachusetts Institute of Technology’s Project Athena, whose continuing focus is on distributed networking for educational environments. Kerberos has since left the campus confines and is now widely deployed for authentication and authorization.

It’s “the hound that guards the gate,” says Jack Santos, executive strategist for the Burton Group’s Executive Advisory Program. Santos has also served in leadership roles for Aetna, Kaiser Permanente and Catholic Medical Center Hospital.

To the user, the protocol is invisible and transactions across and between systems occur seamlessly because the manufacturers embed the protocol in the products that use it for single sign-ons.

Here is how it works: During login, Kerberos caches the session key for future use. The result? A user can log in once to access shared resources across the network enterprise. If the network has trusted connections with other networks, the user will also be able to access resources on those networks via the same key.