A Password Plight
Apr 1, 2008 12:00 PM, By John Clark and Christopher Paidhrin
Southwest Washington Medical Center deploys a single sign-on solution for user access.
Some consider security to be beyond the reach of usual measures of return-on-investment, but most would agree that the costs of a security program should be known and under control. As Southwest Washington Medical Center (SWMC) completed a company-wide project to electronically enable access to its patient records and organizational data, the IT staff discovered many benefits of the new system — increased security, better organization, ease of information finding and compliance with regulations. However, the resulting passwords and protocols greatly increased the amount of time staff needed to access records and data.
SWMC is a community-owned, not-for-profit medical institution in Vancouver, Wash., that provides a range of outpatient and inpatient diagnostic, medical and surgical services to Clark County residents. The region's health care leader and steward for nearly 150 years, SWMC is one of its largest employers and a six-time winner of the Solucient Top 100 Hospitals award. SWMC's employees help support dozens of medical specialty services and programs focused on cancer, heart, emergency, trauma, neuro-musculoskeletal, family birth and primary care.
The health care industry in general presents a significant challenge for internal IT organizations. In the health care setting, there are far more users than workstations; the workforce is highly mobile; every worker needs to be able to access an IT workstation from just about anywhere — and be able to securely access a variety of applications from it. The challenge for SWMC was to figure out how to protect patient information while enabling members of the acute care clinical staff to walk up to any workstation and log into the network for access to applications and information they need to provide timely care and service to patients.
The password policies in place required staff to use — and therefore remember — a different password for each application. This added strain was compounded by help desk calls to reset forgotten passwords. Furthermore, “adhesive” memory tactics (using sticky notes to remind users of new passwords) hurt patient privacy far more than the new security programs helped. Even successfully executed logins were taking an average of 30 seconds, thus adding up to an average of five minutes per day, per employee. Considering SWMC's more than 3,000 employees, 25 hours were wasted per day, or 150-plus hours per week - assuming zero password-related problems that week. With the average hospital cost at $17 per hour, the total comes to $2,500 per week, or $130,000 per year — time and money lost to the login process. The system also supports 2,800 clinical and medical support staff of partnering community clinics, making this a cost issue outside the hospital's walls.
The problem needed to be fixed quickly, as it was becoming a huge frustration for staff and had the potential to become something that could hurt employee retention efforts and, ultimately, take time away from providing patient care.
Beyond frustrations with the electronic record/information systems, the organization was also dealing with two other concerns: compliance with the Health Insurance Portability and Accountability Act (HIPAA); and staff and physician retention in the highly competitive health care industry.
After researching various technologies and options, the IT leadership team determined that a comprehensive single sign-on (SSO) implementation could solve several of these issues: eliminate the password problem, producing significant efficiencies for both the IT team and hospital staff; reduce costs; increase the time spent on patient care; help satisfy HIPAA regulations on patient information protection, user login requirements and workstation time-outs; and enable the IT staff to gain organization-wide, centralized control over all information access control management.
SWMC chose to go with Lexington, Mass.-based Imprivata's OneSign Single Sign-On solution, an appliance-based product that provided an intelligent and affordable solution for password management and user access.
The system is easy-to-use, meaning care staff would have no problem adapting — and it would not force them to change the way they work. It could also easily be integrated with existing systems and with a zero-server-footprint. SWMC had information stored in dispersed and different locations, across 160 applications, with multiple authentication schemas (Novell NDS, RADIUS, MS Active Directory) — and was in the process of migrating over to Microsoft Active Directory as the new source of all access authentication. SWMC chose a solution that could easily take information from and seamlessly interface with these areas.
With more than 3,000 users, 125 departments and 160 applications, the IT staff decided to break the project down into two phases: phase I, the full deployment of SSO with 50 core applications; and phase II, the deployment of the balance of critical applications. The whole system was up and running within three months.
At SWMC, the Microsoft Active Directory group policies manage all role-based access-control at the enterprise level — including internal use, outside vendor access and remote VPN access by coders, transcriptionists and “road warriors.” The SSO product then manages the initial application-layer access, which has its own access controls, especially within the clinical systems. Access to Protected Health Information (PHI) is managed down to the screens or menus within the PHI-enabled applications.
Therefore, any user can use any workstation within the network; the security now follows the user. The “fast user switching” workstations can log a user off of a machine, close all applications and get the machine ready for the next user login in about 15 seconds.
Imprivata's solution provided SSO access, enabling users to get a common login across all applications, using either a password or a finger biometric for authentication. The solution allowed SWMC to create one consistent user interface, one security posture for policy management and one principal authentication store for HIPAA — and did so without requiring any code changes to internal or external applications.
In short, SWMC's SSO initiative provided quick access to applications and information for the clinical staff, while enabling them to provide more timely and, therefore, better care to patients — all while helping the organization meet strict HIPAA guidelines. SSO saves staff 15 to 30 seconds per logon, or roughly five minutes per day, per employee.
Feedback has been resoundingly positive. The staff wants SSO on all of their other (non-core) applications. SWMC has a new competitor hospital just eight miles away, so keeping staff happy is more essential than ever.
John Clark is a senior product manager at Imprivata, a provider of authentication and access management solutions. Christopher Paidhrin is the information security officer at Southwest Washington Medical Center in Vancouver, Wash.
Want to use this article? Click here for options!
© 2014 Penton Media Inc.
Today's New Product
In support of the Privaris family of personal identity verification tokens for secure physical and IT access, an updated version of its plusID Manager Version 2.0 software extends the capabilities and convenience to administer and enroll biometric tokens. The software offers multi-client support, import and export functionality, more extensive reporting features and a key server for a more convenient method of securing tokens to the issuing organization.