Single sign-on — an authentication process that allows users to enter just one user name and password to access multiple applications — is a technology that has healthcare organizations singing songs of praise. Overall, interest in single sign-on is experiencing about 18 percent annual growth, thanks to privacy and security regulations and the maturity of available products.
Stefan Hopper, CIO and director of IS at Gateway Health System, a private, not-for-profit system serving Upper Middle Tennessee and South Central Kentucky, watched single sign-on technology for several years before deciding to go ahead with OneSign from Imprivata Inc.
Hopper saw a demonstration of the product at a conference and discussed single sign-on with other healthcare CIOs who were very happy with it. He organized an education program at Gateway based on Imprivata’s technology and learned that the physicians did not want to eliminate their generic logins. However, the generic password policy left the organization’s sensitive data open to internal attack and limited auditing capabilities. Plus, password resetting was a huge strain on the IS staff, Hopper says.
With single sign-on, employees only have to remember one secure password to access every application required to do their job. For sure, it didn’t take long for Hopper to show physicians the benefits. “They came on board pretty quickly once they realized it was going to make their lives easier.”
Hopper conducted a 30-day demonstration process and extensive testing with Imprivata staff assisting. “It had to prove itself to us. We could not have this fail. It would have been disastrous.” The testing was very successful, he says. He needed to be sure that the product would integrate with Gateway’s core information system.
It was and Hopper implemented OneSign in September 2005. The process basically required IS staff to show employees how to use the password reset function — a three-click task. Users must change their password every 60 days while the IS team controls passwords on applications on the back end, providing additional security. Hopper also plans to implement a biometric reader supported by OneSign over the next three or four years for an even higher level of security.
To ensure easier access to computer applications, emergency and radiology departments have Touchpass installed. When an application goes unused for several minutes, it shuts down but users can quickly re-login with one touch.
Cutting down on calls
Password-related help desk calls used to comprise about 30 percent of call volume at Beverly Enterprises, a network of more than 400 nursing homes, assisted living facilities, and hospice centers nationwide. David Valcik, vice president of technology services, decided to implement Citrix Access Suite two years ago to centralize the organization’s IT infrastructure. Valcik already used Citrix solutions so its Access Suite was a natural fit.
Password Manager is a component of the Citrix solution which enables enforcement of uniform password policies and the use of strong passwords across the organization. The main goal was to spare users the need to deal with up to 15 different passwords, Valcik says.
Valcik is very pleased with the result thanks to ease of implementation and the minimal maintenance required. For example, his staff enabled Beverly’s six web applications in 30 minutes. They sent out reference cards to the nursing homes explaining how to use the new system. The initial rollout covered 7,000 employees in one week and resulted in just 35 help desk calls from 70 facilities. After 30 days, the system was seamlessly rolled out to all 38,000 employees, Valcik says.
Beverly’s administration recognized the solution as a win-win from all sides, he says. The quality assurance, and beta site testing revealed no pain points and security calls in the first 90 days decreased by 28 percent. And, Password Manager changes passwords behind the scenes as necessary so users are spared any involvement in security policies.
Part of a larger plan
Steve Banyai, CIO of Bridgepoint Health, Canada’s largest and most extensive integrated healthcare organization for specialized complex care services, developed a strategic plan for the organization’s information services three years ago. Part of that plan was single sign-on, “a critical component of seamless access,” says Banyai. Users won’t log on to an application if they have to drill down 16 screens or remember 10