Identity Management, SSO, Biometrics: Prescription for High Quality of Service at Digital Hospital



A digital, nearly paperless hospital tackles data security and regulatory compliance issues with identity management and authentication solutions incorporating roles-based provisioning, single sign-on (SSO) and biometrics.

When was the last time a human life depended on the efficiency of your identity and access management solution? That's the bottom-line challenge health-care providers face, along with the more mundane issues of meeting state and federal regulations about keeping patient data confidential and secure and limiting access to controlled substances. Like many other enterprises, providers also are under pressure to work more efficiently and reduce costs, even while improving their quality of service.

That was largely the list of requirements for Dublin Methodist Hospital, the newest facility in the 17-hospital OhioHealth system, which also encompasses 23 health and surgery centers. Dublin Methodist, a 3,000-square foot, 94-bed facility, opened in January 2008. It was designed as a paperless, wireless, all-digital facility, the goal being to streamline administrative and clinical record-keeping so that caregivers could focus on the patients, not paperwork.

In such an environment, "the big challenge was ensuring secure access to digital data," said Joe Greene, CISSP, director of information security for OhioHealth. Greene discussed how Dublin Methodist met that challenge in his webinar presentation "SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital," presented by the Healthcare Information and Management Systems Society (HIMSS) in June, and in a late July interview with Security Squared.

Like most health-care providers, Dublin Methodist is subject to the dictates of the Health Insurance Portability and Accountability Act (HIPAA), which lays out a web of security and audit requirements about accessing patient clinical records and other personal information. In addition, Ohio's State Board of Pharmacy mandates proof of identity when caregivers prescribe and actually dispense drugs and controlled substances.

Yet even as Dublin Methodist needed secure, audit-survivable access methods, those methods also had to be convenient and easy to use so physicians, nurses and other caregivers could quickly get to the clinical data and applications they needed. That was no small order: the hospital would be running as many as 150 applications from many different vendors. Also, caregivers often would share PCs, such as the "computers on carts" on patient floors.

In addition, Greene and his six-member dedicated implementation team had to address remote access and authentication: Many physicians access clinical records from their office or home. In addition, the hospital planned to use an electronic pharmacy order entry application from McKesson for electronic prescriptions that physicians could remotely access. However, remote use of that system also would be subject to the state pharmacy board positive ID requirement.

The Identity Management Treatment

The project vision was "the right person with the right access to the right applications on the right device at the right time," Greene said. To accomplish this, Greene and his team decided on an identity management solution from Framingham, Mass.-based Courion and an authentication solution with single sign on (SSO) capabilities from Imprivata, based in Lexington, Mass.

The identity management implementation was selected not only to ensure the right person had proper access to his authorized applications--but also to streamline this "provisioning," or equipping of the user with the software tools and data necessary to care for patients. So instead of assigning applications on a user-by-user basis, Greene's team turned to roles-based provisioning.

This approach to provisioning calls for enterprises to create roles and associate applications, data and facilities access rights to the role, instead of a person to an application.  A broadly defined role of "registered nurse" might include rights to applications like electronic clinical records, lab systems, digital radiology picture archival and communications systems, physician order-entry--but exclude access to hospital accounting and billing systems.

In addition, with integration between physical and logical systems, a role can include physical access permissions, such as access to a parking garage, specific floors, and diagnostic equipment. 

The advantage to roles-based provisioning is that as employees are hired or as their jobs change, they can be assigned a role that automatically enables access to all the data and software they require.

At Dublin Methodist, the identity and access management team looked at job codes, cost centers, facilities and activities of physicians and associates, identifying 142 roles. Greene acknowledged one benefit was that his team could do this work and create processes before the hospital opened--yet they would have only two to three months in autumn 2007 in which to actually train and provision the staff for the hospital's opening in January 2008.

The identity management system established unique user identifiers for consistency across all the applications, regardless of their vendor. The Courion system draws from the HR system to create a master workforce database as well as the unique identifier: Active Directory is a subset of this database, containing only the currently active users.
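The provisioning model described above (roles carrying application and physical-access rights, users assigned a role from their HR job code, and a directory holding only active users) can be sketched in a few lines. The following is an added illustration written for this article, not code from OhioHealth, Courion or Imprivata; the role catalogue, job codes, application names and user identifiers are all constructed, and the join/move/leave logic is one plausible reading of how a role change turns into grants and revocations.

```python
"""Role-based provisioning sketch (constructed example, not a vendor product).

Roles own entitlements; a worker inherits the entitlements of the role mapped
from their HR job code. A change of job code or a deactivation produces the
set of rights to grant and the set to revoke, and the directory view lists
only workers who are currently active.
"""
from dataclasses import dataclass

# Constructed role catalogue: role -> entitlements (applications and, as the
# article notes for integrated physical/logical systems, door access).
ROLES = {
    "registered_nurse": {"ehr", "lab", "pacs", "cpoe", "door:patient_floor"},
    "pharmacist": {"ehr", "pharmacy_orders", "door:pharmacy"},
    "billing_clerk": {"accounting", "billing"},
}

# Constructed mapping from HR job code to role.
JOB_CODE_TO_ROLE = {
    "RN01": "registered_nurse",
    "PH01": "pharmacist",
    "BC01": "billing_clerk",
}


@dataclass
class Worker:
    uid: str        # unique identifier issued by the identity management system
    job_code: str   # fed from the HR system
    active: bool = True


def role_for(worker):
    """Resolve the worker's role; an unmapped job code is an error, not a default."""
    try:
        return JOB_CODE_TO_ROLE[worker.job_code]
    except KeyError:
        raise ValueError(f"no role mapped for job code {worker.job_code!r}")


def entitlements(worker):
    """Effective entitlements come from the role; an inactive worker has none."""
    if not worker.active:
        return set()
    return set(ROLES[role_for(worker)])


def provisioning_diff(worker, new_job_code=None, active=None):
    """Return (grant, revoke) for a job change or deactivation of `worker`."""
    before = entitlements(worker)
    updated = Worker(
        worker.uid,
        new_job_code or worker.job_code,
        worker.active if active is None else active,
    )
    after = entitlements(updated)
    return after - before, before - after


def active_directory_view(workforce):
    """The HR-fed workforce database is the master; the directory holds only active users."""
    return sorted(w.uid for w in workforce if w.active)


if __name__ == "__main__":
    nurse = Worker("u1001", "RN01")
    print("nurse entitlements:", sorted(entitlements(nurse)))
    grant, revoke = provisioning_diff(nurse, new_job_code="PH01")
    print("move to pharmacist -> grant:", sorted(grant), "revoke:", sorted(revoke))
    print("directory:", active_directory_view([nurse, Worker("u1002", "BC01", active=False)]))
```

The point the example makes concrete is that a role change is a set difference: nothing in the new role is granted twice, and everything only the old role carried is revoked, which is the behaviour a hand-maintained, user-by-user assignment tends to lose.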

Enter Biometrics, SSO

Once provisioned, the next question was how to ensure caregivers had quick and easy access to their applications--even in highly regulated areas, such as the pharmacy. Given the state's requirements for positive ID for remote pharmaceutical order entry, and Dublin Methodist's objective of being a paperless facility, the implementation team settled on biometrics as an authentication method.

Biometric authentication also answered the question of how to incorporate some form of electronic verification to replace the signatures caregivers normally scribble on paper charts--charts the hospital intended to supplant with electronic health records.

Once the biometrics choice was made, Greene said coupling it with a SSO solution seemed logical. An enterprise SSO solution enables a user to log in and be authenticated once, thereby gaining access to all the applications for which she is approved.

Greene told Security Squared the team selected Imprivata's approach to SSO because of its ease of deployment. Given that he wanted the SSO solution to initially encompass 120 applications from many different vendors, the process had to be easy to implement and manage.

"We needed it to scale very easily," said Greene, who also noted that there are 1,000 different applications across OhioHealth's health-care delivery system.

Other SSO solutions would have required brokering of connections to each individual application and its database, Greene said. In contrast, the Imprivata approach incorporates an "Application Profile Generator" that learns each application's authentication requirements, such as how they internally administrate password authentication and changes for specific user profiles. The SSO appliance can then insulate both system administrators and users from these behind-the-scenes intricacies.

A Painless Rollout

Greene said the biometrics/SSO program received 100 percent acceptance from Dublin Methodist users. Today, physicians, nurses and other clinicians use fingerprint biometrics readers on keyboards to log in.

"Being able to walk up to a workstation, swipe their finger and not have to remember 30 different user ids and passwords has really made it simpler for the nursing staff," Jeff Krumholz, information security technical engineer at Dublin Methodist, told webinar listeners.

In the pharmacy, clinicians use OneSign's ProveID capability along with McKesson's Horizon Expert Orders and Horizon Emergency Care solutions to satisfy Ohio's strong identity verification regulations. As usual, staff members swipe their fingerprints and gain access to the order entry application to select medications. However, once they hit the "submit" button, the OneSign appliance prompts them to enter their finger swipe a second time, to verify that the same person who initiated the session is still running it. After that swipe, OneSign re-verifies credentials and authorization as well; then the order is submitted.

Dublin Methodist has also been successful in extending its paperless concept to remote physician order-entry. Physicians placing patient orders from their offices or homes use Overland Park, Kansas-based PhoneFactor's solution and OneSign integrated with the McKesson order-entry system for authentication.  After authenticating once with their fingerprint, the physicians receive a phone call from the PhoneFactor system. Correct acknowledgement of the call then authenticates them a second time.
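The two order-entry flows just described share one control: the submit action is gated on a fresh proof of identity that must match the session owner, with an out-of-band phone acknowledgement added for remote sessions. The sketch below is an added example for this article, not OneSign, ProveID or PhoneFactor code; the session and assertion types, the freshness window, the authorization table and the user names are constructed assumptions, and the audit record simply carries the "who, what, when, why" fields the article says the state expects.

```python
"""Step-up verification at order submission (constructed example).

A session is opened by one biometric authentication. Submitting an order
requires a second, recent biometric assertion for the same identity, a fresh
authorization check, and, for remote sessions, an out-of-band phone
acknowledgement. Every decision is written to an audit list.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    remote: bool       # placed from an office or home rather than a hospital PC
    started_at: float


@dataclass
class BiometricAssertion:
    user: str          # identity the reader resolved the fingerprint to
    captured_at: float


@dataclass
class PhoneAck:
    user: str          # identity the phone call was placed to
    acknowledged: bool


# Assumption: who may submit pharmacy orders (the article's "authorization").
CAN_SUBMIT_ORDERS = {"dr_lee", "rn_patel"}

# Assumption: how recent the second swipe must be, in seconds.
FRESHNESS_SECONDS = 30


def submit_order(session: Session, assertion: BiometricAssertion, now: float,
                 phone_ack: Optional[PhoneAck] = None, audit: Optional[list] = None):
    """Return (accepted, reason) and append a who/what/when/why audit record."""
    audit = audit if audit is not None else []

    def decide(result, reason):
        audit.append({"who": session.user, "what": "order_submit",
                      "when": now, "why": reason, "result": result})
        return result == "accepted", reason

    # The second swipe must resolve to the user who started the session.
    if assertion.user != session.user:
        return decide("rejected", "second swipe identity differs from session owner")
    # A swipe from long ago does not prove who is at the keyboard now.
    if now - assertion.captured_at > FRESHNESS_SECONDS:
        return decide("rejected", "second swipe is stale")
    # Authorization is re-checked at submit time, not assumed from the session.
    if session.user not in CAN_SUBMIT_ORDERS:
        return decide("rejected", "user not authorized to submit orders")
    # Remote sessions need the phone acknowledgement as well.
    if session.remote and not (phone_ack and phone_ack.user == session.user
                               and phone_ack.acknowledged):
        return decide("rejected", "remote session lacks phone acknowledgement")
    return decide("accepted", "identity re-verified and authorization confirmed")


if __name__ == "__main__":
    trail = []
    s = Session("rn_patel", remote=False, started_at=1000.0)
    print(submit_order(s, BiometricAssertion("rn_patel", 1500.0), now=1510.0, audit=trail))
    print(submit_order(s, BiometricAssertion("rn_garcia", 1500.0), now=1510.0, audit=trail))
    r = Session("dr_lee", remote=True, started_at=1000.0)
    print(submit_order(r, BiometricAssertion("dr_lee", 1500.0), now=1505.0, audit=trail))
    print(submit_order(r, BiometricAssertion("dr_lee", 1500.0), now=1505.0,
                       phone_ack=PhoneAck("dr_lee", True), audit=trail))
    for record in trail:
        print(record)
```

Note that the identity check runs before the authorization check: a swipe from a different person on a colleague's open session is rejected for who they are, not for what they may do, which keeps the audit reason honest.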

The solution eliminates the need for a $65 key-fob for generating passwords, which created a first-year savings of $39,000, and provides the "who what when why" audit trail the state requires.

Training as Critical as Technology

To get users comfortable with these workflows so they could use them on the day Dublin Methodist first opened its doors, Greene's team worked to ensure caregivers would accept and be comfortable with the biometrics and SSO solution.

They achieved this by offering a wide array of training options and also keeping up a steady thread of communications about the new system. They provided an online training application and hosted IT skills days, during which they trained hundreds of clinical associates. A medical informatics team worked one-on-one with physicians.

Written communication materials, such as flyers and emails, focused on explaining biometrics technology and how it would be incorporated into workflows. One point OhioHealth emphasizes to enrollees is that their biometric data resides securely in the Imprivata appliance and is used only for authentication to the network and to applications.

Dublin Methodist now has a three-person support team, on call 24/7, to personally assist any caregivers having trouble with the system.

Biometrics Business

Biometrics data for the SSO solution is captured during new employee orientation, Greene told us. An IT security staff member goes to these sessions to collect the data; the biometrics profile is then tied to the user's unique identifier in the Courion identity management solution. At OhioHealth campuses where roles-based provisioning is not yet in place, specific application credentials are then tied to the biometrics profile.

"It allows us to capture that data up front, and talk to them about how their workflow changes," said Greene. New employees can try out the system, signing in with their biometric, locking and unlocking workstations. "So when they come on site, they're ready to go," he said.

Dublin Methodist uses swipe-style readers from Emeryville, Calif.-based UPEK; the successful read rate was 94 percent. Wanting a higher success rate at Doctors Hospital, OhioHealth gave caregivers there a 1 x 1-inch square sensor built into the keyboard on which they place their finger. That has offered a 98 percent success rate. "With that success rate, we have greater user satisfaction," said Greene.

Biometrics readers also are on laptops and integrated with the computers on wheels used at Dublin Methodist and Doctors.

Out of all the biometrics users at Dublin, fewer than a dozen have found that the system regularly has trouble reading their fingerprints, and of those, only three or four have been switched to PhoneFactor authentication for SSO, said Krumholz during the webinar.

Refining and Expanding the Solution

Initial users when the hospital opened in January 2008 included Dublin Methodist's 800 staff members, plus 300 other "workforce associates," including residents, physicians, nursing students and contractors. Since then, the SSO program has been rolled out to 6,000 users and encompasses 150 applications.

The program has been implemented throughout Doctors Hospital as well as within several departments in two other of OhioHealth's major campuses, Grant Medical Center and Riverside Methodist Hospital, including pharmacy, cardiology and radiology.  The latter two hospitals are not paperless institutions; however, Greene said Doctors is eliminating paper and next year will implement an electronic patient order-entry system like that used at Dublin Methodist.

"So at Doctors, the SSO initiative is directly linked to that effort," said Greene in our interview.

Long-term goals would bring the SSO/biometrics solution to 12,000 workstations and 15,000 users. A 4GB dual path ring connects the major facilities; the OneSign appliances are deployed such that if an outage occurs in one network segment, sign on privileges will continue uninterrupted.  Once a user is enrolled at one facility in the health system, their credentials will be enabled at the other institutions, Greene said.

The Doctors, Grant and Riverside campuses do not yet use role-based provisioning schemes; however, Greene told Security Squared that OhioHealth is replacing desktop systems in the clinical areas of those institutions. As it does so, it will capture the data necessary to understand roles and to associate applications with them, he said. "In these cases, we'll do the roles retroactively," Greene said.

The OneSign appliance has the flexibility to easily tie the logical user identities to physical credentials, such as proximity or smart cards. That's not on the boards just yet, said Greene. Like many health-care institutions, he told us, Dublin Methodist and OhioHealth are striving to maintain a balance between openness and security.

Security as Enabler

In the webinar, Greene emphasized getting and keeping support for identity and access control initiatives requires communicating the benefits of the solution again and again--to the implementation team and IT staff as well as to the caregivers and employees being enrolled.

The SSO solution meets all of the HIPAA-compliance regulations, and in fact, running compliance reports is the biggest time factor involved in the system, Krumholz said during the webinar. Dublin Methodist runs several user correlation reports four times a day to check on whether any user forgot to lock a workstation--and whether another user then used the live station to work within an application under the wrong credentials.
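The user correlation report Krumholz describes is a join between two audit sources: the SSO appliance's sign-on, lock, unlock and sign-off events per workstation, and each application's own record of which credentials performed an action. The script below is an added example for this article, not Imprivata's reporting code; the log record formats, the sample events, the workstation and user names and the unlocked-station threshold are all constructed, and the report logic is one straightforward way to surface the two conditions the article names (a station left unlocked, and application activity under credentials other than the station's signed-in user).

```python
"""User correlation report over SSO and application audit events (constructed example).

For each application action we look up who the SSO appliance says was signed
in and unlocked on that workstation at that moment. A mismatch means someone
worked inside an application under another person's credentials; an action on
a station with no live session is reported too. Stations still unlocked at
report time for longer than a threshold are flagged as forgotten locks.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoEvent:
    ts: int             # seconds (constructed clock)
    workstation: str
    user: str
    kind: str           # "login", "unlock", "lock" or "logout"


@dataclass(frozen=True)
class AppEvent:
    ts: int
    workstation: str
    app: str
    user: str           # credentials the application recorded for the action


# Assumption: seconds a station may sit unlocked and idle before it is flagged.
UNLOCKED_THRESHOLD = 900


def correlation_report(sso_log, app_log, report_time):
    """Return a list of finding dicts, in event order, then forgotten locks."""
    # SSO events sort ahead of application events with the same timestamp so a
    # login at t is in effect for an action at t.
    timeline = sorted(
        [(e.ts, 0, e) for e in sso_log] + [(e.ts, 1, e) for e in app_log],
        key=lambda item: (item[0], item[1]),
    )
    owner = {}          # workstation -> (user, unlocked_since) while unlocked
    findings = []
    for ts, _, event in timeline:
        if isinstance(event, SsoEvent):
            if event.kind in ("login", "unlock"):
                owner[event.workstation] = (event.user, ts)
            else:                       # lock or logout closes the window
                owner.pop(event.workstation, None)
            continue
        current = owner.get(event.workstation)
        if current is None:
            findings.append({"kind": "no_session", "workstation": event.workstation,
                             "app_user": event.user, "session_user": None,
                             "app": event.app, "ts": ts})
        elif current[0] != event.user:
            findings.append({"kind": "credential_mismatch", "workstation": event.workstation,
                             "app_user": event.user, "session_user": current[0],
                             "app": event.app, "ts": ts})
    for ws, (user, since) in owner.items():
        if report_time - since > UNLOCKED_THRESHOLD:
            findings.append({"kind": "left_unlocked", "workstation": ws,
                             "app_user": None, "session_user": user,
                             "app": None, "ts": since})
    return findings


def run_sample():
    """Run the report over constructed sample logs."""
    sso_log = [
        SsoEvent(100, "cow-07", "rn_patel", "login"),
        SsoEvent(700, "cow-07", "rn_patel", "lock"),
        SsoEvent(720, "cow-07", "rn_patel", "unlock"),
        SsoEvent(2000, "ws-pharm-02", "ph_nguyen", "login"),
        SsoEvent(2100, "ws-pharm-02", "ph_nguyen", "logout"),
    ]
    app_log = [
        AppEvent(300, "cow-07", "ehr", "rn_patel"),                  # consistent
        AppEvent(800, "cow-07", "ehr", "rn_garcia"),                 # other user's station
        AppEvent(2050, "ws-pharm-02", "pharmacy_orders", "ph_nguyen"),  # consistent
        AppEvent(2150, "ws-pharm-02", "pharmacy_orders", "ph_nguyen"),  # after logout
    ]
    return correlation_report(sso_log, app_log, report_time=3000)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the sample yields three findings: the 800-second action on cow-07 under rn_garcia's credentials while rn_patel's session was unlocked, the pharmacy action after ph_nguyen had signed off, and cow-07 itself, still unlocked since second 720 when the report runs.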

Though the solution offers greater reporting and controls, that's not what is most satisfying to Greene.

"Security typically does have an impact on workflow, and in many cases, it's a negative impact," he told Security Squared. "In this case, one of the things that's exciting is seeing workflows get better. The users don't need to remember twenty passwords: they can focus on patient care. That's why they're there."

