Single Sign-on: One Authentication for All Applications

Single sign-on — an authentication process that allows users to enter just one user name and password to access multiple applications — is a technology that has healthcare organizations singing songs of praise. Overall, interest in single sign-on is experiencing about 18 percent annual growth, thanks to privacy and security regulations and the maturity of available products.

Changing minds

Stefan Hopper, CIO and director of IS at Gateway Health System, a private, not-for-profit system serving Upper Middle Tennessee and South Central Kentucky, watched single sign-on technology for several years before deciding to go ahead with OneSign from Imprivata Inc.

Hopper saw a demonstration of the product at a conference and discussed single sign-on with other healthcare CIOs who were very happy with it. He organized an education program at Gateway based on Imprivata’s technology and learned that the physicians did not want to eliminate their generic logins. However, the generic password policy left the organization’s sensitive data open to internal attack and limited auditing capabilities. Plus, password resetting was a huge strain on the IS staff, Hopper says.

With single sign-on, employees only have to remember one secure password to access every application required to do their job. For sure, it didn’t take long for Hopper to show physicians the benefits. “They came on board pretty quickly once they realized it was going to make their lives easier.”

Hopper conducted a 30-day demonstration process and extensive testing, with Imprivata staff assisting. “It had to prove itself to us. We could not have this fail. It would have been disastrous.” The testing was very successful, he says. In particular, he needed to be sure that the product would integrate with Gateway’s core information system.

It did, and Hopper implemented OneSign in September 2005. The process basically required IS staff to show employees how to use the password reset function — a three-click task. Users must change their password every 60 days, while the IS team controls the passwords for the back-end applications, providing additional security. Hopper also plans to implement a biometric reader supported by OneSign over the next three or four years for an even higher level of security.

To make access to computer applications easier, the emergency and radiology departments have Touchpass installed. When an application goes unused for several minutes it shuts down, but users can quickly log back in with a single touch.

Cutting down on calls

Password-related help desk calls used to make up about 30 percent of call volume at Beverly Enterprises, a network of more than 400 nursing homes, assisted living facilities, and hospice centers nationwide. David Valcik, vice president of technology services, decided to implement Citrix Access Suite two years ago to centralize the organization’s IT infrastructure. Valcik’s organization already used Citrix products, so the Access Suite was a natural fit.

Password Manager, a component of the Citrix suite, enables enforcement of uniform password policies and the use of strong passwords across the organization. The main goal was to spare users the need to deal with up to 15 different passwords, Valcik says.

Valcik is very pleased with the result thanks to ease of implementation and the minimal maintenance required. For example, his staff enabled Beverly’s six web applications in 30 minutes. They sent out reference cards to the nursing homes explaining how to use the new system. The initial rollout covered 7,000 employees in one week and resulted in just 35 help desk calls from 70 facilities. After 30 days, the system was seamlessly rolled out to all 38,000 employees, Valcik says.

Beverly’s administration recognized the solution as a win-win from all sides, he says. Quality assurance and beta site testing revealed no pain points, and security calls in the first 90 days decreased by 28 percent. And Password Manager changes passwords behind the scenes as necessary, so users are spared any involvement in security policies.

Part of a larger plan

Steve Banyai, CIO of Bridgepoint Health, Canada’s largest and most extensive integrated healthcare organization for specialized complex care services, developed a strategic plan for the organization’s information services three years ago. Part of that plan was single sign-on, “a critical component of seamless access,” says Banyai. Users won’t log on to an application if they have to drill down 16 screens or remember 10 passwords, he says.

So, Banyai and his team inventoried every application used within Bridgepoint to determine how they could provide a single, secure entry point. He found that Novell had a product line right in line with his vision.

Banyai took his entire IT vision for the next three to four years to the board of directors for budget approval. “It’s harder to sell bits and pieces to boards that aren’t technically savvy,” he says. “Having multiple kicks at the can doesn’t work. I didn’t want the uncertainty of not having everything approved and budgeted for up front.”

Engaging Novell Consulting was part of the project plan. “To train our staff from scratch would have been a long haul,” Banyai says. Instead, his staff shared the experience of the build with the Novell consultants. “It was a collaborative effort with a lot of knowledge transfer involved. Novell taught our staff how to carry on.” After the implementation, Banyai would draw on Novell’s professional services if he encountered a unique problem.

To deliver a one-stop portal for all applications, Banyai sought out user opinions by establishing a pilot group. Since those at the executive level have a significant demand for information, he started with their input. He wanted to make sure that the tools could adapt to the needs of the individuals using them. “There’s no point trying to force people into a view. It must morph to the needs of the individual,” he says. Another goal was to tailor applications to users, based on common sense. For example, admitting staff needs to get into Meditech to register new patients but managers only need access to Meditech reports.

After about one month of fine tuning, Banyai was ready to implement. He anticipated the need for significant change management so he planned a lot of upfront communication. Thanks to “lunch and learn” sessions and other communication efforts, the “rollout was almost a nonevent,” he says. And, “if no one notices, then we’ve absolutely done our job. That was how we measured our effectiveness.”

Development of the solution began last February and the entire project was finished in September. Bridgepoint uses Meditech, which originally could not function in a single sign-on environment. Banyai met with some resistance from the vendor but worked with Meditech to integrate single sign-on. Now there is no application that can’t run through the portal with single sign-on.

Know what you want to do

When looking at deploying an enabling technology, you need to do it in the context of a bigger picture, says Banyai. “Don’t look at single sign-on as a solution to something without looking at how it figures into your larger strategy. So many other things need to be in place that are bigger than single sign-on.”

Banyai also recommends strong involvement with your vendor. “I would encourage people to rely on their partner, but drive that vision with them. Help them understand what you want and make the vendor appreciate that. Sometimes they will have had different experiences and won’t necessarily have the perspective that you want.”

Do your homework, says Valcik. He recommends talking to users and understanding your organization’s business needs. And although he found that single sign-on required minimal engineering, the rollout and setting user expectations was the bigger challenge. “After that, it’s a no-brainer. Single sign-on allows users to care for patients rather than worry about passwords and security.”