By Dean Wiech
This first appeared in the December 2012 issue of DOTmed HealthCare Business News
Health care and security through single sign on and two-factor authentication
In hospitals and health care settings, work station computers are often used by several people, meaning restricted information can be viewed by unauthorized individuals if accounts are not securely managed.
Story Continues Below Advertisement
Healthcare is in the midst of a shift toward interoperability, data sharing and value-based care. At McKesson we understand that diagnostic imaging should never be an island of information. Click to see how we can help you fulfill the promise of your EHR
Yet, clinicians frequently share a common user name and password with peers to avoid wasting time switching between users.
With several users logged into one machine, it is impossible to track how each employee is using the system in case there’s ever a need to construct an audit trail or to track how employees use the systems.
The first step to reducing the risk of exposing sensitive data to those who shouldn’t have access is to create user accounts for every person that needs access. While this may seem like an easy task there are number of considerations to keep in mind. For example, it’s necessary to ensure accounts are created in a timely fashion and that proper access rights are given in the network, and that the account is disabled if the employee leaves.
But even with strict security requirements in place, users increasingly have to enter a separate combination of usernames and passwords for each application they wish to access. Taken daily, users can easily enter credentials for more than a dozen applications, producing even more issues. It takes time and opens up other security issues (passwords written on sticky notes stuck to the monitor or on pieces of paper slid under the keyboard for example, or overly simply passwords). Help desks also frequently field calls from users who’ve lost passwords, resulting in elevated support costs.
One practical and secure solution to this problem is the use of a Single Sign On (SSO) product. SSO allows each user to sign into the system once and thereafter be automatically logged into each of their applications on the computer without having to enter additional credentials.
Results from a survey in the health care market revealed some concerns though with SSO, including that the e-mail applications of the users might be available to others. Users expressed concern, being very protective of their e-mail and their personal information. Of course, this issue also can occur if users have shared accounts on the same computer and fail to completely close a browser when logged into an e-mail account.
The concern that information may be easily accessed by non-account owners in a SSO environment can easily be alleviated by using two factor authentication. Two-factor authentication asks a user to present a second form of identification in addition to their user name and password like a pass card, pin code or USB token to access the workstation. This ensures there is an added level of security of their e-mail and other accounts and means even if someone besides the account owner has possession of a password, they are unable to access the account without that second piece of information.
Using the two pieces, SSO and two-factor authentication, in conjunction solves HIPAA security problems for keeping electronic information safe while also addressing the users’ concerns of privacy for their accounts. The two-factor authentication also allows for fast user switching, thereby reducing time spent by clinicians waiting on their profile to load.
By utilizing automated solutions for identity and access management, the burden on the IT staff also can be decreased and overall system security will increase, allowing employees more time to focus on the real work at hand without having to worry about sharing access to systems or worrying about multiple password applications.
About the author: Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as User Provisioning, RBAC, Password Management, SSO and Access Management, serving more than five million user accounts worldwide.