Authentication at a Small Hospital
Boosting Security While Easing Clinician AccessIn an interview (transcript below), Kristi Roose, director of IT at Mahaska Health Partnership, which owns 25-bed Mahaska Hospital in Oskaloosa, Iowa, explains the organization's authentication strategy for compliance with the HITECH Act. The critical access hospital, which is implementing clinical information systems:
- Uses hardware tokens to generate codes that physicians use to access clinical systems remotely via the Internet;
- Determined through a "time study" analysis that the technologies pay for themselves in the time saved by clinicians when they sign onto computers and access systems they're authorized to use.
- Uses fingerprint recognition technology to authenticate clinicians when they're on campus;
As information technology director at Mahaska, Roose develops long-term information technology strategies. She leads project teams in the selection, development and implementation of hardware, software and network infrastructure. She also develops and implements legal and regulatory compliance policies and processes, including education and compliance assurance programs.
HOWARD ANDERSON: For starters, can you tell you us a little bit about your organization. Mahaska Hospital is a 25-bed critical-access hospital in Oskaloosa, Iowa, correct?
KRISTI ROOSE: That's correct. We offer the full continuum of medical services for the community, things like obstetrics, home health, public health, inpatient and outpatient care, hospice, mental health, surgical services and physical and occupational services as well.
ANDERSON: Tell us a little bit about what stage your organization is at in terms of implementing electronic health records.
ROOSE: Following the HIMSS Analytics Model, we're at a stage three. So we have clinical documentation in probably 90 percent of our clinical areas. We have lab, pharmacy and radiology interfaces and we're implementing document scanning.
ANDERSON: Your organization recently implemented a single sign-on system from Imprivata paired with two authentication technologies. So tell us a little bit about what prompted this investment and how the various technologies work together.
ROOSE: What happened was after the HITECH Act was put in place over a year ago, we reviewed where we were at with HIPAA compliance and what impact that would have on our organization, and understood from that review that we needed to tighten things up a bit. So in doing that, we got some feedback from clinicians and took a look at how what we were proposing would impact patient care in our facility. That what led us to conclude, "Gosh this is going to have a really big impact. What can we do? What can we do to ease that burden of tightening down authentication and security on our clinicians?"
ANDERSON: Describe for us how you are using fingerprint scanners. Why did you select this biometric technology over other authentication methods for use inside the hospital, and how did you decide which brand of scanners to use?
ROOSE: Well when we went through our review and understood that we needed to implement some technologies to help those clinicians, we looked at single sign-on technology. Talking with our clinicians about some authentication options available, the fingerprint scanners were by far their preference. We looked at different things, such as smart cards, and decided to go with something that you can't lose. So that what led us to fingerprint scanners: Those clinicians don't have to carry anything extra; they don't have to do anything extra. They can just place their finger on the reader and that can be their authentication.
ANDERSON: What brand of fingerprint technology did you end up using and how did you select that one?
ROOSE: We looked at a number of them and ended up going with Imprivata's recommended scanners, the UPEK Inc. They're very compact and portable. ... We've got a number of mobile laptop devices, so the scanners really worked well with the technologies we had in place.
ANDERSON: Have you had to make any adjustments to the technology as you rolled it out, in terms of improving its reliability?
ROOSE: We have had pretty good success with them. In the winter months, we have a few more instances of folks with fingers getting cracked and dry. ... So we have maybe a little bit lower success rate with the fingerprint scanners in the winter. But for the most part, they're working very well. We do have a handful of clinicians who just don't use the scanners at all because their fingerprints just don't ever seem to take a good read. But for the vast majority of the clinician population here, it's been very successful.
ANDERSON: Describe how you are using tokens for authentication when clinicians access information systems remotely. Why did you select that method over other options for remote access, and how did you choose the type of tokens you are using?
ROOSE: We're using RSA tokens through an SSL virtual private network. We chose the tokens because we were looking to achieve two-factor authentication. ... We chose the RSA token brand basically just because of industry reviews and the positive responses that we've heard from other customers using that authentication solution.
ANDERSON: Tell us a little bit about who can access what systems remotely using the tokens.
ROOSE: The main audience that we were targeting is physicians. Physicians have the tokens that they carry with them when they are off campus, and they can get on any Internet connection and use their token as well as their password to achieve the two-factor authentication, and they can access our electronic records via the VPN.
ANDERSON: And the token generates a randomly generated code of some sort that they have to type in?
ROOSE: Yes that's correct. So they've got a PIN, something that they know, and the token, something that they have.
ANDERSON: So how are all these technologies -- single sign-on, biometrics and tokens -- helping you to comply with HIPAA and the HITECH Act?
ROOSE: They have helped us to achieve compliance without significant impact on our clinicians, and that is really what we were going after. You know, it was fairly clear from the regulations, as well as our security strategies, what we needed to do, but the question is how do you implement that without negatively affecting patient care? So that is really what we were focusing on: How we can achieve a high level of security and implement the authentication needed without having such a big impact on our clinical staff.
ANDERSON: So what advice would you give to other small hospitals that are considering implementing authentication technologies but are very concerned about the cost involved or their ability to implement it?
ROOSE: As a critical access hospital, the cost of these types of technologies is a big concern to us. And what we ended up doing is using lean practices to help us understand really what impact the changes we were planning on making -- tightening down on some of our security -- would have on the clinicians. We used lean time study practices to understand how much the clinicians would be impacted in real minutes and converted that into cost. When we completed that study, it was very clear that the time savings that would be experienced by our clinicians from implementing this technology paid for the software. So it was a very easy decision after that.
ANDERSON: Describe for us how it saves time.
ROOSE: Well we can take an example down in our lab. We have multiple workstations used by multiple users down in our lab environment. And when we made some of our security changes, it was important that our clinicians make sure that they are logging into the computer systems themselves -- they are not sharing logins, they're not sharing passwords. Those computers are logged in and authenticated back to each individual independently.
But what this software does is it allows those people to change who is using a computer quickly. One clinician can walk up to a computer and log into a particular patient record and then they can just hit one key and leave that computer, and then go process one of the instruments in the lab. Another clinician can come up to that same computer and lay their finger on the reader and it will log them in the exact same place that they left off last time they were at the computer. So every clinician down in our lab can log into that computer and see exactly the same spot they left off.
Without that technology, the impact that we would see is each clinician would have to walk up to the computer, they would have to hit Ctrl/Alt/Delete, they would have to enter their user name and password, they would have to wait for the computer to log them in, they would have to fire up their applications, and when they were done they would have to close it all and log out of them. So that time savings is very significant in those shared workstation areas.
ANDERSON: Any other advice you'd give to other small hospitals that are just starting on this road?
ROOSE: I think it's a great idea to really take a look at the cost savings that you're going to achieve and the employee satisfaction and improvement to patient care that can be experienced by implementing some of these technologies to offset the impact of tightening down on security and ensuring compliance with regulations.
