FREE TO ROAM

Jul 1, 2005 12:00 PM, BY CORRINA STELLITANO



Imagine a corporate workforce with no formal assignments to its 3,000 desktop computers: Many times each hour, the employees rise and switch stations. The computers, the software applications — and the unprotected information — belong to everybody and nobody at the same time.

Is this the imaginative nightmare of an overworked IT pro? No. Instead, this electronic version of musical chairs is a reality at hospitals across the country, where federal legislation, a roving workforce and extensive third-party access complicate the traditional challenges of an IT department.

The challenge of the hospital environment was a constant awareness for the IT team at the University of Colorado Hospital (UCH) in Denver several years ago as it set out to satisfy a line-item in its electronic medical records project designated for a single sign-on system.

Ranked among the top hospitals in the country by U.S. News and World Report's annual survey of “America's Best Hospitals,” the 534-bed University of Colorado Hospital system has two campuses — one at East Ninth Avenue and Colorado Boulevard in Denver and a new Fitzsimons campus in Aurora — as well as several off-site outpatient clinics around the Denver-metro area. In Aurora, the new Fitzsimons campus is home to the Anschutz Centers for Advanced Medicine, including the Anschutz Outpatient Pavilion, the Anschutz Cancer Pavilion and the Rocky Mountain Lions Eye Institute.

Single sign-on — the term describing the use of one password for many software applications — was an easily identifiable need at UCH, says Nancy Rogers, a project manager at UCH. The UCH facility at East Ninth and Colorado Boulevard is a teaching hospital affiliated with the University of Colorado Health Sciences Center. At any given time, hospital staff members and other frequent visitors, such as teaching physicians or respiratory therapists, were required to remember passwords for more than five different applications.

To complicate the matter, says Joe Bajek, director of information technology at UCH, “most vendors do not have a common strategy for managing password length, expiration time and password complexity.”

“In some applications, the passwords may have five characters; in others, maybe seven characters. In some, they may never expire; and in others, they may have to change every 90 days. We were driving users nuts,” Rogers says.

The system was not easy on UCH's 80-member IT department, either. “The two biggest categories of calls our help desk gets are passwords and printers,” Rogers says.

Prescription for experience

UCH decided to bring together the five predominant applications: the inpatient nursing documentation system, the electronic medical records (EMR) system, the Web version of the EMR system, the admissions records and the Web access e-mail program. They reviewed more than five companies, realizing quickly that many companies may not understand the unique needs of the healthcare environment.

“A lot of very good security companies knew nothing about hospitals,” Rogers says. “They didn't understand that when you have a PC on a unit, it belongs to everyone, and it belongs to no one. It was neat to see all [the new technologies] the security industry has thought of, but it wasn't really what we needed for healthcare. We needed something that allows users easy access, and then when they walk away hides what they were looking at.”

Vendors who work with the hospital industry must also help facilities satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy Rules require “due diligence” and “reasonable industry practices” when handling protected hospital health information, but do not explicitly detail the network security measures required for compliance. The penalties are clear, however, and can include fines or even jail time. Civil penalties of $100 per violation, up to $25,000 per year, can be required. The Chicago-based American Hospital Association predicts healthcare organizations will spend $22 billion in the next 10 years to comply with HIPAA, with each institution spending an average of $100,000 - $300,000.

The UCH team chose to spend its dollars with Boise, Idaho-based HealthCast, beginning a pilot trial of HealthCast's eXactACCESS in summer 2003. “When they did their demonstrations they showed that they actually understood how hospitals and healthcare worked,” Rogers says.

Trip O'Donnell, senior vice-president of business development for HealthCast, acknowledges the unique needs of hospitals. “The thing with hospitals is that they have so many shared workstations, and they have to come up with a way to enforce HIPAA regulations to ensure the privacy of patients' information without making it more difficult for physicians and clinicians to access their information,” he says. “Healthcare is different in that most industries do not have people sharing workstations that access information from so many different legacy and disparate systems.”

Mimicking the familiar

The 2003 trial of eXactACCESS led to enlightenment, if not success. “The first program they gave us was a separate application on top of Windows. It would take control of the PC, and you would see a single box asking you to enter your single sign-on password,” Rogers says.

The UCH team quickly realized that while they could train daily employees to be familiar with the new-looking system, third-party visitors to the hospital were often stumped. “Doctors, specialists, respiratory therapists — all need to use the system,” Rogers says. “We learned that the single sign-on system needed to look familiar to any user — and to us, that meant a Windows log-on.”

“The second most important thing we learned was the pilot program would allow nurses to hide (or lock) the application, but you could only return to that work on the same PC,” he continues. “That hidden work has to be able to be picked up from any PC.”

This realization led to the development of Roaming Sessions, now trademarked by HealthCast and introduced to UCH in a second pilot in January of 2004.

“Roaming Sessions allow them to walk away from any workstation, see a patient, and then go back to any available workstation. When they come to the next workstation and authenticate themselves, all of their screens show up just as they left them,” Bajek says.

“Having the ability to roam to different workstations is a benefit,” O'Donnell says. “I think in the long run that's going to be the preferred way for nurses and doctors to work. Doctors, especially, move even beyond the unit, to other units or to their offices, so roaming for them can be very important. But you need a certain infrastructure (including Citrix or Terminal Services) to be able to do that.”

In Roaming Sessions, users can enter a domain name and password to log in and choose from the five applications to which they have been granted single sign-on access after a one-time enrollment process. A bar at the top of the screen indicates they are logging into a Microsoft Terminal Services server, “but most people don't notice that,” Rogers says.

And working off of the terminal server enables users to return to their work on any workstation. “A benefit for nurses is when they are charting and walk away from a workstation; all their work is suspended as they left it so they can return to their charting on any workstation at any time, and pick up where they left off,” O'Donnell says.

To make the system even easier, UCH and HealthCast incorporated proximity badge readers by Chicago-based RF Ideas. Once the badge is swiped, the system fills in the user name and domain name and leaves the cursor ready for users to enter their password.

Small sonar devices provided by RF Ideas detect any presence in front of the workstation. Users can push lock when they would like to suspend their session activity, or they can simply walk away. After a predetermined amount of time during which the sonar device does not detect a presence, the system locks the user's session and hides the potentially sensitive information.

The system settings vary by department. “In the patient care desk area, the sonar unit is set for 18-24 inches. When they walk away, the sonar may wait for two minutes, in case they just walked over to the printer,” Rogers says. “But we also have computers sitting around in the hall on moving carts. These are set for 12 inches, and they will only wait for 15-20 seconds before they hide your work. That is appropriate in a hallway.”
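The per-department settings described above can be modeled as a presence timer with a zone-specific detection range and absence period. The following is an added sketch, not HealthCast or RF Ideas code; the policy values are picked from the quoted ranges, and the function names and sample readings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ZonePolicy:
    range_inches: float   # a reading counts as "present" only within this distance
    grace_seconds: float  # continuous absence tolerated before the session locks


# Assumed picks from the ranges quoted in the article (18-24 in / 2 min, 12 in / 15-20 s).
POLICIES = {
    "care_desk": ZonePolicy(range_inches=24, grace_seconds=120),
    "hallway_cart": ZonePolicy(range_inches=12, grace_seconds=20),
}


def lock_time(readings, policy):
    """Return the timestamp at which the session locks, or None if it never does.

    readings: ordered list of (timestamp_seconds, distance_inches), where a
    distance of None means the sensor detected nothing at all.
    """
    absent_since = None
    for t, dist in readings:
        present = dist is not None and dist <= policy.range_inches
        if present:
            absent_since = None          # any in-range reading resets the timer
            continue
        if absent_since is None:
            absent_since = t             # first out-of-range reading starts the timer
        if t - absent_since >= policy.grace_seconds:
            # The lock latches: later presence does not unlock the session,
            # the returning user has to authenticate again.
            return t
    return None


# Constructed sample: user works at 10 in, walks to a printer for ~30 s, returns.
SAMPLE = [(0, 10), (5, 10), (10, 10), (15, 60), (20, 60), (25, None),
          (30, None), (35, 60), (40, 60), (45, 60), (50, 10), (55, 10)]

if __name__ == "__main__":
    for zone, policy in POLICIES.items():
        print(zone, "locks at", lock_time(SAMPLE, policy))
```

The same trip to the printer leaves a care-desk session open but locks a hallway cart, which is the exposure trade-off the two settings encode.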

Employee proximity badges also control entry to the parking lots, employee entrances, employee elevators, and certain limited floors, including the VIP suite. Eventually, UCH plans to integrate fingerprint readers.

A C•CURE physical security system provided by Software House and installed by SimplexGrinnell covers both of the hospital's campuses. Bosch DiBos DVRs connected to Pelco cameras contribute to CCTV surveillance.

Single sign-on has been rolled out to the Anschutz Inpatient Pavilion on the Fitzsimons campus, and installation at East 9th Avenue is planned for late summer 2005.

The staff, which formerly offered only complaints about passwords, has offered positive feedback. “We trained them one-on-one during an enrollment process when we verified that their badge worked and that they could access their applications correctly,” Bajek says.

This acceptance is founded on the new convenience of the system, and the flexibility of the hospital IT staff, O'Donnell says. “Sometimes in hospitals, one department may choose a technology and implement it without fully understanding the implications,” he says. “There can be a bit of a disconnect in the workflow of the doctors and nurses; UCH's IT team is very oriented toward security but also convenience for the doctors and clinicians. They worked with us to deploy solutions that would secure patient information as well as speed up user access to that information — and allow caregivers to spend more time with their patients.”


ABOUT THE COMPANIES

For information, circle the Reader Service Card number (listed below) or visit securitysolutions.com

Bosch 80
HealthCast 81
Pelco 82
RF Ideas 83
SimplexGrinnell 84
Software House 85

© 2012 Penton Media Inc.
