At Denver Health, Smart Cards Equals Controlled Access

Nov. 2, 2004
HIPAA rules push access control cards into hands of computer users for Denver-area hospital

Under the Health Insurance Portability and Accountability Act's data security rule, provider and payer organizations must maintain an audit trail of who is gaining access to electronic protected health information. As part of its preparation for the rule, which has an April 21, 2005, compliance date-and to support single-sign-on access to multiple information systems-Denver Health is rolling out "smart" cards to about 2,000 computer users to control access to data.

A computer chip embedded in a photo ID card contains a computer user's name and duration of the user's digital certificate. The certificate is associated with a personal identification number. This enables two-factor authentication of a person's identity, because the certificate identifies a user and the PIN that authenticates the user. "The card is something you have and the PIN is something you know," says David Boone, technology service project manager at Denver Health.

The digital certificates also support the public key infrastructure-based encryption system of Denver Health's information network.

The delivery system, anchored by 398-bed Denver Health Medical Center, last fall started distributing smart cards to clinicians and medical residents. About 1,200 clinicians and 800 residents now have the cards and an additional 1,000 clinicians will receive then by the end of 2005. The smart cards are being used at the hospital and at most of Denver Health's nine family clinics and 11 school clinics, and at associated facilities at the local health department, Boone says.

Denver Health is using smart cards, standalone card readers and software from Horsham, Pa.-based Gemplus Corp., and a certificate server from Redmond, Wash.-based Microsoft Corp. It also uses embedded card readers in the keyboards of some workstations from Round Rock, Texas-based Dell Computer Corp.

Upon reaching a workstation, an authorized user inserts the card into a reader and enters a PIN to access information systems. When finished, the user removes the card, is automatically logged off, and the screen locks up.

Managing Residents

Denver Health Medical Center is a teaching facility associated with the Colorado University School of Medicine. In the early months of distributing smart cards to clinicians and residents, Denver Health information technology officials learned they needed a better understanding of how medical residents come in and out of the organization.

"A resident may be here for three months, then back to school, then back here next year," Boone explains. "Their 'permissions,' or areas of authorized access to data, change as they change areas of studies and doctors they are working with. So, we had to get a handle on how to administer residents."

Residents would come back and find their digital certificates had expired, or they did not have authorized access to data appropriate for their new areas of study.

I.T. administrators worked with the medical school and Denver Health's director of education to coordinate processes so I.T. knows when to deactivate a card and when to reactivate it.

"Managing this process was the biggest hurdle we had to identify and get over," Boone says.

While the cards have helped Denver Health ensure appropriate access to patient data, they also have eased clinician access to data, thus improving patient care and physician satisfaction, Boone says.

"The smart card is the tool we're using to centralize access to applications," he adds. "The faster physicians can access patient data, the better care they can provide. Physicians do find smart cards are helping them."

Boone is working on a return on investment analysis and concedes that "those numbers are very hard to come by." He is looking at a variety of possible efficiencies, such as whether easier access to information systems is enabling more efficient inputting of data, which in turn is speeding the billing process.

Growing Interest

Denver Health's experience is indicative of a growing interest by provider organizations in using smart cards for clinical data access control, says John Osberg, president of Informed Partners LLC, a Marietta, Ga.-based consulting firm.

This could bring new opportunities for smart cards, which have not been widely accepted in the U.S. health care market.

"Increasingly, major clinical information technology vendors are adding smart card solutions to their product offerings," Osberg adds. "In requests for proposals from providers, I've seen more smart card capabilities being required."