Single sign-on and context management capabilities provide a secure alternative to clumsy, multi-password login processes.
By Ali Pabrai
The health care environment poses unique data security challenges. Caregivers and other end users share a limited number of workstations, and the information they access is very sensitive and often spread across several systems and applications. To comply with HIPAA and other regulations, each application must provide an audit trail of access to patient information. And because any delay in accessing patient information can impact the quality of care, clinicians and end users expect the sign-on process to take only a few seconds.
Health care organizations need an easy-to-deploy solution that is secure and efficient and simplifies accessing multiple password-protected applications. Users who share workstations need to be able to switch in seconds instead of performing a time-consuming full log-on/log-off procedure.
To ease the burden on users while providing better data security for health information systems and electronic health records, many organizations are exploring a single sign-on solution. SSO allows users of enterprise, middleware or Web applications to log on once with a single authentication and access authorized resources. Then, a context management capability provides a unified, integrated view of patient information across multiple applications.
Three Categories
There are three major categories of SSO solutions: enterprise, Web and federated. Enterprise SSO enables employees to access a variety of applications within the enterprise from their desktop. These include Web and non-Web applications, such as host/mainframe, virtual private networks and remote access to data center-based applications.
Web SSO uses a central authorization engine that determines, based on the end user's role, how much of a Web application that user will be able to access. This type of SSO is best for non-employees, including business partners that process data on behalf of the organization (such as a transcription company) and patients who wish to access their health records or send messages to providers.
Federated SSO enables organizations to share trusted identities between businesses and in applications across enterprises. When used in a hospital or health system, clinicians can exchange lab results and other sensitive information across authorized organizations.
Laying the Groundwork
As part of the SSO adoption process, health care organizations need to address several challenges related to enforcing strong password policies. First, password protection of applications must be strengthened to support compliance. For example, regulations require organizations to establish policies and procedures to ensure that only authorized individuals have access to sensitive information. Typically, the sensitive information is accessed through an application interface. If that interface is password-based, every attempt should be made to ensure that consistency exists between operating system password policy and application password policy, and that both are aligned with regulatory requirements. At the same time, the organization should strive to reduce the help desk’s burden of managing password problems and requests, while ensuring periodic password changes across the organization.
Finally, as SSO is implemented, the health care organization should take the opportunity to streamline the log-on/log-off process by ensuring that a password change is consistently applied to all key user accounts and applications.
Many organizations struggle with integrating disparate applications in order to synchronize and provide a single view of patient information. There is a real need for caregivers to be able to quickly access complete information about a patient. Context management solutions can significantly reduce the time caregivers spend moving between applications to gain a complete view of a patient’s health status. With a context management solution, it is possible to view information about a patient across multiple applications in seconds without compromising any application’s functionality.
Essential Considerations and Features
Implementing a single sign-on and context management solution is the first step in enhancing security and improving the user experience. For SSO, there are a handful of important considerations that must accompany the implementation process.
Authentication type: Strong authentication is not a requirement when implementing SSO, but it should be seriously considered. Strong authentication means that more than one factor is used to authenticate a user or a resource. ATMs require strong authentication because the user must have the ATM card and know the PIN. Obviously, the number of passwords that the user has to remember decreases significantly with the SSO solution; the flip side is that the single remaining credential now unlocks every connected application, so it deserves stronger protection than any of the passwords it replaces. It is important to consider strong password or strong authentication options such as tokens, biometrics or smart cards.
User enrollment policy: A good SSO solution provides both user-controlled and administrator-controlled account management. For example, it should be easy for users to manage their passwords and easy for the system or application administrator to set controls for user accounts that meet the organization’s requirements.
Self-service user capabilities: SSO solutions should support self-service capabilities so end users may retrieve their login information themselves. The objective is to have a robust SSO solution; that is, one that does not create a burden for the help desk or administrators, yet delivers a strong level of security and identity protection.
Application support: The SSO solution should support a seamless, consistent and easy-to-use login experience regardless of the application being accessed.
When selecting a context management solution, there are three essential features. First, it must support the interoperability of several different health care applications on a desktop. The objective is to create a patient-centered, user-driven information workflow. The solution also must enable bi-directional communication between SSO and context management for user login and logout, along with information about patient selection. Finally, it must support audit capabilities at the record level. Any access of patient information needs to be tracked and recorded for future reference. This includes signing onto applications and tracking the selection of patient records.
A Graceful Solution
An integrated SSO and context management solution enables employees to quickly access authorized information by logging in only once. Then, they only need to select the patient, encounter or event once and have multiple applications synchronize to support a unified, singular view of the records. Compliance requirements are met and the security of the organization is enhanced because it removes password vulnerabilities and provides for graceful logout from applications.
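A toy model of the integrated arrangement just described (one login, one patient selection propagated to every application, record-level audit entries, graceful logout), added here as an illustration and not code from the article or from any vendor's product. It assumes an in-memory hub with per-application role authorization; the user, role, application and patient identifiers are constructed for the example.

```python
"""Toy SSO + context-management hub with a record-level audit trail.
Added illustration, not code from the article or any vendor product.
Assumes an in-memory hub; user, role, app and patient IDs are constructed."""
from datetime import datetime, timezone

class ContextHub:
    def __init__(self):
        self.apps = {}      # app name -> roles allowed to open records in it
        self.sessions = {}  # user -> {"role": ..., "patient": ...}
        self.audit = []     # (timestamp, user, app, action, patient) per app

    def register_app(self, name, roles):
        self.apps[name] = set(roles)

    def _log(self, user, app, action, patient=None):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, user, app, action, patient))

    def login(self, user, role):
        # One authentication; every registered app inherits the session.
        self.sessions[user] = {"role": role, "patient": None}
        for app in self.apps:
            self._log(user, app, "login")

    def select_patient(self, user, patient_id):
        # One selection propagates to every app (context management).
        self.sessions[user]["patient"] = patient_id
        for app in self.apps:
            self._log(user, app, "patient_selected", patient_id)

    def open_record(self, user, app):
        # Role check, then an audit entry, before any record is returned.
        session = self.sessions.get(user)
        if session is None:
            raise PermissionError("not logged in")
        if session["role"] not in self.apps[app]:
            self._log(user, app, "access_denied", session["patient"])
            raise PermissionError(f"{session['role']} may not use {app}")
        self._log(user, app, "record_opened", session["patient"])
        return session["patient"]

    def logout(self, user):
        # Graceful logout: context cleared and session ended in every app.
        for app in self.apps:
            self._log(user, app, "logout")
        del self.sessions[user]

def audit_actions(hub, app):
    """Ordered action names recorded for one application."""
    return [action for _, _, a, action, _ in hub.audit if a == app]
```

Denied attempts are written to the trail as well, so the audit answers both "who opened which record" and "who tried to".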
Ali Pabrai, CISSP, ISSAP, ISSMP, CSCS, is chief executive of ecfirst.com, Waukee, Iowa.
This article first appeared on January 23, 2008 in HHN's Magazine online site.