Single Sign-On, Multiple Security Layers

One of the first lessons anyone learns when implementing a large technology project is to “expect the unexpected.” As the organization I work for, Southwest Washington Medical Center (SWMC), completed a company-wide project to electronically enable its patient records and organizational data, we discovered that, among all of the benefits the new system gave the organization (increased security, better organization, easier information retrieval, compliance with regulations), it also created one unintended problem. The system greatly increased the amount of time staff needed to access records and data, because there were several passwords to remember and several protocols for logging in and out each time they entered a room or needed information.

The password policies in place required staff to use — and therefore remember — a different password for each application. To make matters worse, each login was taking an average of 30 seconds, or five minutes per day, per employee. For SWMC's 3,000-plus employees, that resulted in 25 hours wasted per day, or more than 150 hours per week. With the average hospital cost at $17 per hour, the total time and money lost to the login process comes to $2,500 per week, or $130,000 per year.

It was easy to see that this needed to be fixed: it was becoming a huge frustration for staff and had the potential both to hurt retention efforts and, ultimately, to take time away from providing patient care.

User Access, Frustrations and Compliance

SWMC is a community-owned, not-for-profit medical institution located in Vancouver, Wash., that provides a full range of outpatient and inpatient diagnostic, medical and surgical services to Clark County residents. The region's health care leader and steward for nearly 150 years, SWMC is one of its largest employers and a six-time winner of the Solucient Top 100 Hospitals award. SWMC's employees help support dozens of medical specialty services and programs, focused on cancer, heart, emergency, trauma, neuro-musculoskeletal, family birth and primary care.

As frustrations with the electronic record/information systems came to light, the organization was also dealing with two other concerns: compliance with the Health Insurance Portability and Accountability Act (HIPAA), and staff and physician retention in the highly competitive healthcare industry.

The healthcare industry presents a significant challenge for internal IT organizations. In the healthcare setting, there are far more users than workstations; the workforce is highly mobile; every worker needs to be able to access an IT workstation from just about anywhere — and be able to securely access a wide variety of applications from it. The challenge for SWMC was to protect patient information while, at the same time, securely giving acute care clinical staff the ability to walk up to any workstation, log into the network and access the applications and information that enable them to provide timely care and service to patients.

After researching various technologies and options, SWMC's IT leadership team determined that a comprehensive single sign-on (SSO) implementation could solve several of these issues: it would eliminate the password problem, producing significant efficiencies for both the IT team and hospital staff; it would reduce costs; it would increase the time spent on patient care; the project would help satisfy HIPAA regulations on patient information protection, user login requirements and workstation time-outs; and it would enable IT staff to gain organization-wide, centralized control over all IT access control management.

Finding the Right Fit

SWMC chose the OneSign single sign-on solution, an appliance-based product from Imprivata that provides a solution for password management and user access. In our evaluations, we agreed that there were two major features that set OneSign apart from the other solutions:

• It was easy to use, meaning care staff would have no problem learning how to use it — and it would not force them to change the way they work, other than limiting the time spent on password logins and logouts; and

• It could be integrated with existing systems and with a zero server footprint. This was especially important for our situation, as we had information stored in dispersed and different locations, across 160 applications, with multiple authentication schemas (Novell NDS, RADIUS, MS Active Directory) — and were in the process of migrating over to Microsoft Active Directory as the new source of all access authentication. We needed a solution that could easily take information from, and seamlessly interface with, all of these areas.

Making SSO Work for SWMC

With more than 3,000 users, 125 departments and 160 applications, we decided to break the project down into two phases: phase I, the full deployment of SSO with fifty core applications; and phase II, the deployment of the balance of critical applications. Because of the success of phase I, phase II was quickly undertaken and the whole system was up and running within three months.

Instead of custom scripting or VB code, the product uses what Imprivata calls the OneSign Application Profile Generator (APG) to “learn” the login behaviors of the target applications and generate the correct XML profile that is securely distributed to SSO users on a session basis. That way, as new applications are added or existing applications are upgraded, the APG can make the appropriate changes without interruption or downtime.

Citrix was selected as a basis for remote delivery, which called for developing the OneSign application profiles for the Citrix server farm. Through the use of Softricity's (now Microsoft's) SoftGrid solution, SWMC realized that only one of the Citrix servers needed the applications loaded into a virtual drive space, freeing up the other Citrix servers in the farm. This approach enabled the delivery of applications to look just like a local “Fat” (full, local) client to the desktop and to OneSign: one profile fit both the Fat client and Citrix/SoftGrid-delivered applications, saving tremendous amounts of time and resources.

At SWMC, the Microsoft Active Directory group policies manage all role-based access control at the enterprise level — including internal use, outside vendor access and remote VPN access by coders, transcriptionists and “road warriors.” The SSO product then manages the initial application-layer access — which has its own access controls, especially within the clinical systems. Access to Protected Health Information (PHI) is managed down to the screens or menus within the PHI-enabled applications. Each workforce member's access rights are set within an enterprise standard — via a Human Resources job code — which is then mapped to access control groups at the application layer.
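To make the two-layer model above concrete, here is an added example (not SWMC's or Imprivata's code) that models an HR job code resolving to enterprise groups, and those groups resolving to the screens a clinical application will open, with PHI-bearing screens tagged so they can be reviewed separately. Every job code, group name, application and screen name in it is constructed for illustration; the point it shows is deny-by-default resolution and a per-role PHI exposure report of the kind an access review would want.

```python
"""Illustrative model of job-code -> group -> application-screen access control.

Added example, not SWMC's or Imprivata's code. All job codes, group names,
application and screen names are constructed for illustration.
Layer 1: an HR job code maps to enterprise (directory) groups.
Layer 2: each application maps groups to the screens/menus a user may open;
PHI-bearing screens are tagged so they can be audited separately.
"""
from dataclasses import dataclass, field

# Layer 1: HR job code -> enterprise access-control groups (constructed sample)
JOB_CODE_TO_GROUPS = {
    "RN-ACUTE": {"Clinical-Staff", "Nursing"},
    "MD-ATTENDING": {"Clinical-Staff", "Physicians"},
    "HIM-CODER-REMOTE": {"Coding", "VPN-Remote"},
    "FACILITIES": {"Facilities"},
}


@dataclass(frozen=True)
class Screen:
    name: str
    phi: bool  # True if the screen exposes Protected Health Information


@dataclass
class AppProfile:
    """Application-layer ACL: group -> set of screens that group may open."""
    name: str
    grants: dict = field(default_factory=dict)  # group -> set[Screen]

    def screens_for(self, groups):
        allowed = set()
        for g in groups:
            allowed |= self.grants.get(g, set())  # unknown group grants nothing
        return allowed


# Layer 2: constructed sample clinical application profile
PATIENT_CHART = Screen("patient-chart", phi=True)
MED_ORDERS = Screen("medication-orders", phi=True)
CODING_WORKLIST = Screen("coding-worklist", phi=True)
BED_BOARD = Screen("bed-board", phi=False)
WORK_ORDERS = Screen("facility-work-orders", phi=False)

EHR = AppProfile("clinical-ehr", {
    "Clinical-Staff": {PATIENT_CHART, BED_BOARD},
    "Physicians": {MED_ORDERS},
    "Coding": {CODING_WORKLIST},
    "Facilities": {WORK_ORDERS},
})


def groups_for(job_code):
    """Enterprise layer: an unknown job code resolves to no groups (deny by default)."""
    return set(JOB_CODE_TO_GROUPS.get(job_code, set()))


def effective_screens(job_code, app):
    """Resolve job code -> groups -> screens; returns sorted screen names."""
    return sorted(s.name for s in app.screens_for(groups_for(job_code)))


def phi_screens(job_code, app):
    """Only the PHI-bearing screens a job code can reach, for periodic access review."""
    return sorted(s.name for s in app.screens_for(groups_for(job_code)) if s.phi)


def phi_exposure_report(app):
    """Which job codes reach any PHI screen, and through which groups.

    Non-clinical roles should not appear here at all."""
    report = {}
    for code in JOB_CODE_TO_GROUPS:
        via = sorted(g for g in groups_for(code)
                     if any(s.phi for s in app.grants.get(g, set())))
        if via:
            report[code] = via
    return report


if __name__ == "__main__":
    for code in list(JOB_CODE_TO_GROUPS) + ["UNKNOWN-CODE"]:
        print(f"{code:18} -> {effective_screens(code, EHR)}")
    print("PHI exposure:", phi_exposure_report(EHR))
```

Two design points carry over to a real deployment: resolution is additive only, so a job code that is not in the HR mapping (or a group no application recognizes) yields nothing rather than a default grant, and the exposure report is derived from the same tables the authorization decision uses, so the review cannot drift from what is actually enforced.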

As a result, any user can use any workstation within the network, because the security now follows the user. Every workstation is what we call a “fast user switching” workstation that can log a user off of a machine, close all applications and get the machine ready for the next user login in about 15 seconds. This approach gives us the security we need to protect patient data — but at the same time eradicates the old hassle of locked workstations and prevents the use of the power switch to unlock the machine, a practice that can potentially cause hard disk corruption.

Imprivata's solution provided SSO access, enabling users to get a common log-in across all applications, using either a password or a finger biometric to authenticate. The solution allowed SWMC to create one consistent user interface, one security posture for policy management and one principal authentication store for HIPAA — and did so without requiring any code changes to internal or external applications.

Falling in Love with SSO

In short, our SSO initiative has transformed our ability to provide quick access to applications and information for the clinical staff, while enabling them to provide more timely and therefore better care to patients — all while helping the organization meet strict HIPAA guidelines. SSO saves our staff 15 to 30 seconds per logon — or roughly five minutes per day, per employee.

The security improvements that our SSO implementation has brought about cannot be overstated. Before, it was difficult to get users to adhere to password policies and change their password every six months or so — especially when the number of passwords grew as more and more workflow at the organization was done electronically. Now, password changes happen when they are supposed to — and we can easily tell when staff is not adhering to policy and make them change their password.
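The “we can easily tell when staff is not adhering to policy” check above is, at bottom, a password-age report against the authentication store. The following added example (not SWMC's or Imprivata's code) runs that check over a constructed list of account records; the 180-day maximum age (standing in for the article's “every six months or so”), the 14-day warning window, the account names, the last-change dates and the report date are all assumptions made so the script runs offline and deterministically. It also handles the case a naive date subtraction misses: an account whose password has never been set.

```python
"""Password-rotation compliance report over a sample of account records.

Added example, not SWMC's or Imprivata's code. The account records, the
180-day maximum age (the article's "every six months or so"), the warning
window and the report date are all constructed so the check runs offline.
A real report would read last-change timestamps from the central
authentication store instead of the inline list.
"""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 180  # assumed policy value
WARN_WITHIN_DAYS = 14        # assumed: flag accounts whose password expires soon
AS_OF = date(2007, 6, 1)     # constructed report date

# Constructed sample: (account, last password change as ISO date, or None if never set)
SAMPLE_ACCOUNTS = [
    ("rn.alvarez", "2007-03-01"),
    ("md.chen", "2006-09-15"),
    ("coder.smith", None),
    ("facil.jones", "2007-04-20"),
    ("rn.okafor", "2006-12-10"),
]


def password_age_days(last_changed, as_of):
    """Days since the last change; None if the password was never set."""
    if last_changed is None:
        return None
    return (as_of - date.fromisoformat(last_changed)).days


def classify(last_changed, as_of, max_age=MAX_PASSWORD_AGE_DAYS, warn=WARN_WITHIN_DAYS):
    """Return 'never-set', 'overdue', 'expiring-soon' or 'ok' for one account."""
    age = password_age_days(last_changed, as_of)
    if age is None:
        return "never-set"          # must be handled before any comparison
    if age > max_age:
        return "overdue"
    if age > max_age - warn:
        return "expiring-soon"
    return "ok"


def compliance_report(accounts, as_of):
    """Group accounts by status; overdue entries carry the days past the limit."""
    report = {"never-set": [], "overdue": [], "expiring-soon": [], "ok": []}
    for account, last_changed in accounts:
        status = classify(last_changed, as_of)
        if status == "overdue":
            over = password_age_days(last_changed, as_of) - MAX_PASSWORD_AGE_DAYS
            report[status].append((account, over))
        else:
            report[status].append(account)
    return report


if __name__ == "__main__":
    for status, entries in compliance_report(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{status:14}: {entries}")
```

Because the SSO layer authenticates against one principal store, this single report covers every application behind it; before SSO, the same question would have had to be asked of each of the 160 applications' own password stores separately.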

The SSO initiative enabled SWMC's IT team to:

• Reduce the number of application profiles, since the same profile can be used for Fat or Citrix/SoftGrid delivery methods;

• Allow SSO to work for remote users since applications are accessed via a browser over the Internet in a Citrix session, even though the remote user's workstation may not have a OneSign client loaded on it;

• Easily generate, update and maintain profiles;

• Centrally manage security policies;

• Enforce role-based access control, greatly simplifying user provisioning and management;

• Fold remote users into the same Active Directory authentication data-store; and

• Reduce support for remote users to a browser-support issue for our help desk.

Feedback has been resoundingly positive. Our use of single sign-on is appreciated every time a user walks up to a workstation, which happens thousands of times each day. The staff loves SSO — and now wants it on all of their other (non-core) applications.

The productivity gains have just begun to be measured, but the user satisfaction and the reduced “hassle factor” of SSO have transformed one of our biggest challenges into an initiative that separates SWMC from the rest of the health services industry and shows our willingness to innovate to improve patient care.

About the Author

Christopher Paidhrin is the Chief Security Officer at Southwest Washington Medical Center in Vancouver, Wash. He has worked for many years in IT and Business Operations, in higher education, private-sector and entrepreneurial environments, where he has held numerous director-level positions.