How a SSO Implementation Improved Security While Easing On-The-Job Frustrations of Staff

by John Clark

Some consider security to be beyond the reach of usual measures of return on investment, but most would agree that the costs of a security program should be known and under control. As Southwest Washington Medical Center (SWMC) completed a company-wide project to electronically enable its patient records and organizational data, the IT staff discovered that among all of the benefits that the new system gave the organization (increased security, better organization, ease of information finding, compliance with regulations) the resulting passwords and protocols greatly increased the amount of time staff needed to access records and data.

SWMC is a community-owned, not-for-profit medical institution located in Vancouver, Washington that provides a full range of outpatient and inpatient diagnostic, medical and surgical services to Clark County residents. The region's health care leader and steward for nearly 150 years, SWMC is one of its largest employers and a six-time winner of the Solucient Top 100 Hospitals award. SWMC's employees help support dozens of medical specialty services and programs, focused on cancer, heart, emergency, trauma, neuro-musculoskeletal, family birth and primary care.

The healthcare industry in general presents a significant challenge for internal IT organizations. In the healthcare setting, there are far more users than workstations; the workforce is highly mobile; every worker needs to be able to access an IT workstation from just about anywhere, and be able to securely access a wide variety of applications from it. The challenge for SWMC was to figure out how to both protect patient information and, at the same time, find a way to securely provide acute care clinical staff the ability to walk up to any workstation and log into the network to access the applications and information that enable them to provide timely care and service to patients.

The password policies in place required staff to use, and therefore remember, a different password for each application. This added strain was compounded by help desk calls to reset forgotten passwords and "adhesive memory" tactics (using sticky notes to remind users of new passwords) that hurt patient privacy far more than the new security programs helped. To make matters worse, even successfully executed logins were taking an average of 30 seconds, adding up to an average of five minutes per day, per employee. For SWMC's more than 3,000 employees that's 25 hours wasted per day, or 150+ hours per week, assuming zero password-related problems that week. With the average hospital cost at $17.00 per hour, the total comes to $2,500 per week, or $130,000 per year, in time and money lost to the login process. The system also supports 2,800 clinical and medical support staff of partnering community clinics, making this a cost issue outside the hospital's walls.

It was easy to see that this was something that needed to be fixed quickly, as it was becoming a huge frustration for staff and had the potential to become something that could both hurt retention efforts and ultimately take time away from providing patient care.


As issues around frustrations with the electronic record/information systems came to light, the organization was also dealing with two other concerns: compliance with the Health Insurance Portability and Accountability Act (HIPAA); and staff and physician retention in the highly-competitive healthcare industry.

After thoroughly researching various technologies and options, the IT leadership team determined that a comprehensive single sign-on (SSO) implementation could solve several of these issues: eliminate the password problem, producing significant efficiencies for both the IT team and hospital staff; reduce costs; increase the time spent on patient care; help satisfy HIPAA regulations on patient information protection, user login requirements and workstation time-outs; and enable the IT staff to gain organization-wide, centralized control over all IT access control management.

After looking at companies such as IBM, Novell, CA and Sentillion, SWMC chose to go with Imprivatas OneSign Single Sign-On solution, an appliance-based product that provided an intelligent and affordable solution for password management and user access. In evaluations, the team agreed that there were two major features that set OneSign apart from the other solutions:

(1) It was easy to use, meaning care staff would have no problem learning how to use it, and it would not force them to change the way they work, other than limiting the time spent on password logins and logouts; and

(2) It could easily be integrated with existing systems, with a zero-server-footprint. This was especially important for SWMC's situation, as it had information stored in dispersed and different locations, across 160 applications, with multiple authentication schemas (Novell NDS, RADIUS, MS Active Directory), and it was in the process of migrating to Microsoft Active Directory as the new source of all access authentication. SWMC needed a solution that could easily take information from and seamlessly interface with all of these areas, and OneSign was it.

With more than 3,000 users, 125 departments and 160 applications, the IT staff decided to break the project down into two phases: phase I, the full deployment of SSO with fifty core applications; and phase II, the deployment of the balance of critical applications. Because of the success of phase I, phase II was quickly undertaken and the whole system was up and running within three months.

At SWMC, the Microsoft Active Directory group policies manage all role-based access control at the enterprise level, including internal use, outside vendor access and remote VPN access by coders, transcriptionists and road warriors. The SSO product then manages the initial application-layer access, which has its own access controls, especially within the clinical systems. Access to Protected Health Information (PHI) is managed down to the screens or menus within the PHI-enabled applications. Each workforce member's access rights are set within an enterprise standard, via a Human Resources job code, which is then mapped to access control groups at the application layer.

Because of this, any user can use any workstation within the network: the security now follows the user. Every workstation is what we call a "fast user switching" workstation that can log a user off of a machine, close all applications and get the machine ready for the next user login in about 15 seconds. This approach gives the needed security to protect patient data, but at the same time eradicates the old hassle of locked workstations and prevents the use of the power switch to unlock the machine, a process which can potentially cause hard disk corruption.

Imprivata's solution provided SSO access, enabling users to get a common log-in across all applications, using either a password or a finger biometric to authenticate. The solution allowed SWMC to create one consistent user interface, one security posture for policy management and one principal authentication store for HIPAA, and did so without requiring any code changes to internal or external applications.

In short, SWMC's SSO initiative has transformed its ability to provide quick access to applications and information for the clinical staff, while enabling them to provide more timely and therefore better care to patients, all while helping the organization meet strict HIPAA guidelines. SSO saves staff 15 to 30 seconds per logon, or roughly five minutes per day, per employee.

The security improvements that the SSO implementation has brought about cannot be overstated. Before, it was difficult to get users to adhere to password policies and change their password every six months or so, especially when the number of passwords grew as more and more workflow at the organization was done electronically. Now, password changes happen when they are supposed to, and the team can easily tell when staff are not adhering to policy and make them change their password.

Feedback has been resoundingly positive. The use of single sign-on is appreciated every time a user walks up to a workstation, which happens thousands of times each day. The staff loves SSO, and now wants it on all of their other (non-core) applications.

SWMC has a new competitor hospital just eight short miles away, so keeping staff happy is more essential than ever. As I alluded to earlier, physician and medical staff satisfaction with their work environment has become a crucial part of staff retention. Providing a positive environment that limits mundane tasks, like repetitively logging in to several applications throughout the day, and freeing up time for patient care are critical components of our organization's retention efforts.
