Single Sign-On, Multiple Security Layers

How an SSO implementation improved security, eased frustrations of staff and enabled Southwest Washington Medical Center to meet stringent healthcare regulations

One of the first lessons anyone learns when implementing a large technology project is to “expect the unexpected.” As the organization I work for, Southwest Washington Medical Center (SWMC), completed a company-wide project to electronically enable its patient records and organizational data, we discovered that, among all of the benefits the new system gave the organization (increased security, better organization, ease of finding information, compliance with regulations), it also created one unintended problem. The system greatly increased the amount of time staff needed to access records and data, as there were several passwords to remember and several protocols for logging in and out each time they entered a room or needed information.

The password policies in place required staff to use — and therefore remember — a different password for each application. To make matters worse, each login was taking an average of 30 seconds, or five minutes per day, per employee. For SWMC's 3,000-plus employees, that resulted in 25 hours wasted per day, or more than 150 hours per week. With the average hospital cost at $17 per hour, the total time and money lost to the login process comes to $2,500 per week, or $130,000 per year.

It was easy to see that this was something that needed to be fixed, as it was becoming a huge frustration for staff and had the potential to become something that could both hurt retention efforts and ultimately take time away from providing patient care.

User Access, Frustrations and Compliance

SWMC is a community-owned, not-for-profit medical institution located in Vancouver, Wash., that provides a full range of outpatient and inpatient diagnostic, medical and surgical services to Clark County residents. The region's health care leader and steward for nearly 150 years, SWMC is one of its largest employers and a six-time winner of the Solucient Top 100 Hospitals award. SWMC's employees help support dozens of medical specialty services and programs, focused on cancer, heart, emergency, trauma, neuro-musculoskeletal, family birth and primary care.

As frustrations with the electronic record/information systems came to light, the organization was also dealing with two other concerns: compliance with the Health Insurance Portability and Accountability Act (HIPAA), and staff and physician retention in the highly competitive healthcare industry.

The healthcare industry presents a significant challenge for internal IT organizations. In the healthcare setting, there are far more users than workstations; the workforce is highly mobile; and every worker needs to be able to access an IT workstation from just about anywhere and securely access a wide variety of applications from it. The challenge for SWMC was to figure out how to protect patient information and, at the same time, securely give acute care clinical staff the ability to walk up to any workstation and log into the network to access the applications and information that enable them to provide timely care and service to patients.

After researching various technologies and options, SWMC's IT leadership team determined that a comprehensive single sign-on (SSO) implementation could solve several of these issues: it would eliminate the password problem, producing significant efficiencies for both the IT team and hospital staff; it would reduce costs; it would increase the time spent on patient care; the project would help satisfy HIPAA regulations on patient information protection, user login requirements and workstation time-outs; and it would enable IT staff to gain organization-wide, centralized control over all IT access control management.

Finding the Right Fit

SWMC chose the OneSign single sign-on solution, an appliance-based product from Imprivata for password management and user access. In our evaluations, we agreed that there were two major features that set OneSign apart from the other solutions:
