
James Koenig on the role of single sign-on in identity access management.
“The return on investment depends on the profile of your workforce and how many logins they average in a given day”
-James Koenig
There are particular challenges within the hospital IT environment: legacy applications may not support modern authentication controls; equipment and workstations in patient care areas are shared among many users who all need access to medication records; the open nature of hospital floors complicates physical security; and regulatory compliance requirements are increasing.
If that’s not bad enough, there is the additional, often underestimated, risk of improper access and even medical identity theft by knowledgeable insiders, as James Koenig, Practice Leader, Privacy & Identity Theft, and Practice Leader, HIT Privacy & Security, for PricewaterhouseCoopers, explains: “Knowledgeable insiders have surpassed outsiders and hackers as the leading cause for identity theft within companies. Within hospitals, the main areas that have been vulnerable have been within collections, within patient enrollment, with physical security, with IT and even the janitorial crew. There are a lot of risks within the environment to electronic health records.
“There are many reasons for which information is improperly accessed. Some of the more notable ones have been when healthcare providers and staff have accessed the medical records of celebrities; that’s one type of improper access that is still relatively common. The other type is for gaining information that can be used for medical identity theft, to get a health insurance ID number or other information that could allow someone else to access medical care, or to even obtain prescription drugs that are commodities that can be used on the street.
“That’s one of the new major underestimated risks within an environment, and within hospitals you have so much change, so much vulnerability, so many people, that this is naturally starting to grow.”
Hospital IT departments are also now faced with the challenge of complying with the requirements of HITECH, which has expanded on those originally set out by HIPAA. Koenig recommends that healthcare providers focus on the changes to HIPAA under HITECH, specifically on the breach notification requirement for protected health information.
A number of requirements were added under HITECH, which was part of the 2009 stimulus bill. One of these is a federal breach notification provision that applies if protected health information is improperly accessed or compromised. Hospitals must notify the individuals whose information has been compromised, whether the information is in electronic or paper form. They must also notify the Department of Health and Human Services, which lists the breaches on a website; the state attorneys general, if more than 500 people in a particular state have been affected; and the local media.
“This new notification provision is stronger than any state requirement,” Koenig points out. “Providers are quickly focusing on this for three reasons. One, most of the state breach notification laws that existed before didn’t include health information; now health information under HITECH is included.
“Second, providers had a strong program around HIPAA but HIPAA security only applied to electronic protected health information. HITECH now includes paper-based protected health information, which providers may not have focused on before.
“And third, HITECH now requires that all business associates comply completely with the HIPAA privacy and security rules. Previously they only had to agree to provide adequate safeguards in a contract. Now, when entrusting protected health information to a third party – which could be a lab or another vendor – the focus around protected health information is growing.”
Koenig says that the range of information that can be compromised, not just healthcare information but employee information as well, together with the requirements of other privacy laws, including the state breach notification laws, has changed the environment and made compliance much more complicated for healthcare providers.
Single sign-on
Despite the rising concerns about security and the need to comply with increased regulatory requirements, the adoption of single sign-on in healthcare has been slower than in other industries, often because older specialized medical equipment cannot interoperate with, or accommodate, the newer identity management and single sign-on tools.
According to Koenig, this is becoming less of an issue as technology matures and hospitals continue to upgrade their systems, especially around electronic health records. “Vendor consolidation has reduced the number of tools in the market,” he says. “It has also consolidated some of the developer talent, and the remaining tools tend to be a little more consistent so that there’s no longer a reducing number of platforms and standards and options that healthcare can focus around. They’re probably behind other industries, but it’s maturing and getting better.”
What is clear is that the use of single sign-on does confer a number of benefits, including fewer passwords to remember, lower support costs, the ability to push secure authentication standards and controls across the whole enterprise at one time, centralized support, centralized logging and monitoring, and fewer accounts to maintain each year.
In general, Koenig says, organizations using single sign-on spend less time investigating access across many different applications; instead, access can be tracked centrally through the single sign-on system. “The return on investment depends on the profile of your workforce and how many log-ins they average in a given day, and the reduced time and cost of people entering passwords repetitively allows more time to focus on healthcare delivery.
“Resetting of passwords will fall if you have fewer passwords to remember. You will also find people writing them down less, and writing passwords down is what makes them insecure; this is how some of the security incidents at hospitals have occurred. Also, because of the new technology, many payers are upgrading their electronic health records and related systems and architecture in preparation for certification to get stimulus funds for the meaningful use of electronic health records.”
As part of this overall update of systems and investment in hospital infrastructure, single sign-on will also be accompanied by self-service password resets in place of a manual call to a help desk. These systems typically let users go to an intranet site, answer a couple of challenge questions and reset the password themselves. Because the challenge questions are themselves a knowledge-based secret, the reset path needs the same rate limiting and logging as the login it bypasses.
The benefits can be summarized as: reduced cost for the enterprise, quicker turnaround for people who need their passwords reset, fewer passwords because people remember a single sign-on better, and less need to write passwords down.
Implementation
As with any new technology implementation, there are challenges involved in bringing single sign-on into a hospital or healthcare setting. Koenig believes the main challenge is cost. “Return on investment is based upon building a core framework and then adding additional applications over time. Part of the challenge is adding that to our legacy applications that aren’t quickly compatible. You can always build them in, you can always address it, but the question is, at what cost?
“The second challenge is that by having a single sign-on, people will potentially have access to a wider group of systems, applications and information with each sign-on across this system of single sign-on applications.
This means it will be more difficult for providers to make sure that access control rights and authorizations given to employees, doctors and staff are limited to the areas that they need for legitimate business and healthcare purposes.
“For example, there may be a staff person who used to have a log-on for the practice management application, which would do scheduling and billing for patients. There was another application for the electronic health records that needed a different sign-on. There’s another sign-on for the laboratory, and for the blood work. There’s another sign-on for radiology data.
“Four different sign-ons, just in this one example. If they’re all part of a single sign-on, hospitals have the challenge to make sure that the right person can only go into where they need to. If there’s a staff member who doesn’t need radiology data, maybe they’re improperly looking at a patient’s data or multiple patients’ data in radiology.”
Koenig says the challenge will be to limit controls and adjust them when people get promoted or terminated, or at a minimum review them each year. “With single sign-on, you can do a lot more and seamlessly move across areas. That’s great unless you haven’t checked to make sure that the areas are appropriate.
“Right now the management is done because there isn’t single sign-on, it’s all manual. When somebody says, ‘I need another sign-on,’ you ask, ‘Is it appropriate for that person?’ Now, when you’ve seen them all together someone may have too much access to information that they don’t need.”
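The access-control concern in the preceding section, that one sign-on now spans practice management, the EHR, the laboratory and radiology, is easiest to see in code. The following is an added example, not code from the article or from PricewaterhouseCoopers: it models a role baseline for the four applications Koenig names, flags entitlements an identity holds beyond its role, re-derives access on a role change, cuts everything on termination, and checks each request against both the grant and the role. The role names, application names and sample users are constructed for illustration and are not any hospital's real policy.

```python
"""Entitlement review for a single sign-on rollout (hypothetical example).

Once four separate logins collapse into one SSO identity, the combined
entitlements must still match the job.  This module models that check.
"""
from dataclasses import dataclass, field

# Applications named in the article.  The baseline itself is a constructed
# illustration of least privilege, not a real hospital's policy.
ROLE_BASELINE = {
    "scheduler": {"practice_mgmt"},
    "nurse":     {"ehr", "laboratory"},
    "physician": {"ehr", "laboratory", "radiology"},
    "rad_tech":  {"radiology"},
}


@dataclass
class Identity:
    user_id: str
    role: str
    entitlements: set = field(default_factory=set)  # what the SSO would expose
    active: bool = True


def excess_entitlements(ident, baseline=ROLE_BASELINE):
    """Entitlements granted beyond what the identity's role justifies."""
    return set(ident.entitlements) - baseline.get(ident.role, set())


def review(identities, baseline=ROLE_BASELINE):
    """Access review: user_id -> sorted list of entitlements to question.

    A dormant (inactive) account that still holds any entitlement is reported
    in full, because nothing about its role can justify live access.
    """
    findings = {}
    for ident in identities:
        if not ident.active:
            if ident.entitlements:
                findings[ident.user_id] = sorted(ident.entitlements)
            continue
        excess = excess_entitlements(ident, baseline)
        if excess:
            findings[ident.user_id] = sorted(excess)
    return findings


def change_role(ident, new_role, baseline=ROLE_BASELINE):
    """Promotion or transfer: re-derive access from the new role so grants
    from the old job are not silently carried along."""
    if new_role not in baseline:
        raise ValueError(f"unknown role {new_role!r}")
    ident.role = new_role
    ident.entitlements = set(baseline[new_role])
    return ident


def terminate(ident):
    """Deprovisioning: one SSO identity means one place to cut everything."""
    ident.active = False
    ident.entitlements = set()
    return ident


def authorize(ident, app, baseline=ROLE_BASELINE):
    """Per-request check: the account is active, the grant exists, and the
    grant is justified by the role (a stale grant alone is not enough)."""
    return (ident.active
            and app in ident.entitlements
            and app in baseline.get(ident.role, set()))


def build_sample():
    """Constructed sample directory; u101 and u103 carry legacy grants,
    u104 is a dormant account that was never deprovisioned."""
    return [
        Identity("u100", "scheduler", {"practice_mgmt"}),
        Identity("u101", "scheduler", {"practice_mgmt", "radiology"}),
        Identity("u102", "physician", {"ehr", "laboratory", "radiology"}),
        Identity("u103", "nurse", {"ehr", "laboratory", "practice_mgmt"}),
        Identity("u104", "nurse", {"ehr"}, active=False),
    ]


if __name__ == "__main__":
    for user, apps in review(build_sample()).items():
        print(f"{user}: review {', '.join(apps)}")
```

The `authorize` check deliberately requires the role to justify the grant as well as the grant to exist; that closes the window between an access review finding and its remediation, so a scheduler with a leftover radiology entitlement still cannot open radiology data.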
Authentication
Another control for ensuring only the right people reach the right areas is authentication. The strength of a single factor such as a password is a matter of its length and character set: how many characters, whether letters and numbers are mixed, whether a special character such as an asterisk or an exclamation point is required, and therefore how hard the password is to crack. Multi-factor authentication is about how many independent categories of evidence are required: something you know (a password or PIN), something you have (a token or phone) or something you are (a biometric). A user ID on its own is an identifier, not a secret: if someone’s ID were 123 and someone else knew that number, they would be able to access a system that asked for nothing more.
Two-factor or multi-factor authentication adds other information to the equation, related to ‘something you have’ or ‘something you are’. “When you’re logging in to your bank or calling up, they may ask you challenge questions about your mother’s maiden name or other things, that’s multi-factor,” says Koenig. “It goes beyond the simple stuff.
“How does single sign-on work with two-factor authentication? Strong authentication or strong passwords should always be part of the equation. Two-factor authentication, using a name plus a password, is currently industry common practice. The financial services industry addressed this issue several years ago, requiring it for online financial information.
“Since then, financial institutions and frankly most large and medium-sized organizations have used two-factor authentication to allow access to any system. That would be a sub-requirement for a single sign-on. Sometimes, for example, if you’re going from a simple access into the radiology system, where a limited number of people have access, you might just have someone’s user ID number and not necessarily a password, and maybe the password requirements aren’t that hard.
“But when you’re going to a single sign-on environment, you want to make sure that the person who is entering, who now has access to a lot more information, actually is that person. It’s very common, when you’re moving from a smaller environment that may not have these controls to single sign-on, that people will need to have more complex passwords in addition to what might previously have just been a user ID.
“Part of that goes to the success of the single sign-on. People need to be trained and they need to get used to the fact that instead of having multiple IDs to remember, they may now have only one, but a more complicated one that would truly make sure that it’s them.”
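An added example of the combination the section discusses, a stronger password plus a second factor in front of a single sign-on; this is illustrative code written here, not code from the article or from PricewaterhouseCoopers. It assumes RFC 6238 TOTP (the six-digit code from a phone app or hardware token) as the "something you have" factor, PBKDF2 for password storage, and hypothetical `enroll` and `login` functions as the SSO front door. The user ID is carried through untouched: it identifies the account but is never counted as a factor.

```python
"""Hypothetical SSO login gate: password policy + TOTP second factor."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000


def password_policy_ok(pw, min_len=12):
    """The single, stronger password an SSO rollout demands: length plus
    at least three of the four character classes."""
    if len(pw) < min_len:
        return False
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(pw, salt, digest):
    """Constant-time comparison so timing does not leak a partial match."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current step and +/- `window` steps for clock drift."""
    now = time.time() if at is None else at
    ctr = int(now // step)
    return any(hmac.compare_digest(hotp(secret, ctr + d), code)
               for d in range(-window, window + 1))


def enroll(user_id, password, totp_secret=None):
    """Create the account record; the TOTP secret is what the user's
    token or app is provisioned with (shown base32 for a QR code)."""
    if not password_policy_ok(password):
        raise ValueError("password does not meet policy")
    salt, digest = hash_password(password)
    secret = totp_secret or secrets.token_bytes(20)
    return {"user_id": user_id, "salt": salt, "pw_hash": digest,
            "totp_secret": secret,
            "provisioning_b32": base64.b32encode(secret).decode()}


def login(user, password, code, at=None):
    """Two factors: something you know (password) and something you have
    (the TOTP device).  The user ID selects the record; it proves nothing.
    Both checks always run so a wrong password cannot be told from a wrong code."""
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret, so the codes are reproducible.
    demo = enroll("u100", "Correct-Horse-7", b"12345678901234567890")
    print("current code:", totp(demo["totp_secret"]))
    print("login:", login(demo, "Correct-Horse-7", totp(demo["totp_secret"])))
```

The `window` of one step either side is the usual trade-off between tolerating clock drift on the token and narrowing replay; a deployed gate would additionally reject a code that has already been accepted for that counter and rate-limit attempts per account.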
Identity management
Koenig points out that single sign-on is typically part of an organization’s identity management program, or can be thought of as a component or a benefit of identity management tools. Organizations’ public websites will very often already have single sign-on and identity management access controls built in, but other areas are not so well covered.
“Very often it’s the internal intranet connections between the laboratory, radiology, billing and the practice management system’s electronic health records that aren’t connected,” Koenig says. “That’s the area where there needs to be work and often a separate investment focusing on extending what might be an existing identity management approach, which covers certain applications to some of these older legacy systems and applications.
“For example, many organizations have a wide variety of applications that leverage what’s called Active Directory, which is like a single vault of IDs. Every time someone enters the system, they check against this Active Directory. But typically right now, it’s only covering email and a couple of other applications. It doesn’t always get out to those separate ancillary, important healthcare delivery applications. Extending identity management beyond the existing areas that are covered – email, web and some basic applications – will take a separate investment.
“It’s part of regular authentication of controls, but when people buy these systems in these different departments, they don’t always integrate them with the existing identity management controls and functionality that already exists elsewhere. That’s the connection that needs to be done now.”
Koenig’s forecast for the use of SSO and identity access management tools in the healthcare sector is bright: deployment will continue as providers mature their systems and applications to prepare for certification for the stimulus funds tied to meaningful use. There will be increased purchasing and use of single sign-on and identity management tools to extend secure access beyond the areas in which it now exists.
“A big stimulus or driver for that will be the stimulus funds and the meaningful use certifications over the next couple of years,” he concludes. “It’s a great opportunity to use those funds and those existing efforts around enhancing your technology, plus the need to certify around privacy and security when you apply for the meaningful use funds. That’s an important part that a lot of people who are just focusing on the technology are potentially missing.”
James Koenig is Practice Leader, Privacy & Identity Theft, and Practice Leader, HIT Privacy & Security, for PricewaterhouseCoopers.
This article was first published in EHM magazine: www.executivehm.com/article/Staying-safe