Authentication Changes With the Times
Why Denver Health Relies on Smart Cards
Like many hospitals and integrated delivery systems, Denver Health has seen its user authentication strategy evolve as it has rolled out electronic health records and shifted to new desktop hardware.
Today, the Colorado delivery system, which owns 498-bed Denver Health Medical Center and nine family health centers, relies on smart cards for two-factor authentication of 3,500 clinicians. But as the price of biometrics technologies, such as fingerprint scanners, continues to decline, Denver Health may add a third layer of authentication to improve security, Pelot says.
The HITECH Act, which calls for tougher enforcement of HIPAA privacy and security rules and higher penalties for violations, is motivating more hospitals to consider two-factor authentication, pairing passwords with authentication technology.
"Relying only on common user IDs and passwords have been a significant weakness to information security for many years," says Mark Ford, principal in the security and privacy services unit at Deloitte. Now that the cost of many two-factor authentication systems is declining, hospitals should give serious consideration to using them for regulating clinical information system access, he says.
Key steps to take, Ford says, include:
- Conduct a risk analysis to help determine which authentication technology best mitigates your specific risks;
- Thoroughly test and validate the technology in a real-world environment based on various scenarios.
For seven years, Denver Health's authentication strategy has been based largely on making it as easy as possible for doctors and nurses to access systems while protecting sensitive clinical data from unauthorized access, Pelot says.
And the organization has come a long way from the "old days."
Back in 2003, Denver Health determined it needed to beef up authentication beyond user name and password as it began implementing clinical information systems from Siemens Healthcare, Malvern, Pa.
"One person in the department would log onto all the PCs in the morning, and everyone would share that one person's ID for the rest of the day," Pelot recalls. "We had to stop that dangerous practice."
So Denver Health paired a single sign-on system from Siemens with smart cards from Gemalto Inc., Arlington, Va.
One important reason for selecting smart cards, Pelot says, is that they serve multiple purposes. Clinicians use the photo ID cards' technology, including a magnetic stripe, to gain access to certain areas in the hospital and to enter the parking garage. A computer chip in the card gives doctors and nurses access to information systems they've been approved to use.
Clinicians using the card for initial logon enter a password and gain access within 30 seconds. When they finish a session they remove the card and instantly log off the device. Then, for up to three hours, they can repeatedly access clinical systems within just seconds by inserting the card into a reader, Pelot says.
Time for a change?
The healthcare organization reconsidered its authentication approach when it made the decision to shift from PCs to thin clients using application virtualization from Citrix Systems Inc., Fort Lauderdale, Fla. The shift in hardware strategy was motivated by lower maintenance costs, reduced energy consumption and longer life, among other factors, Pelot says.
Denver Health considered thin clients from several companies, which could have accommodated a variety of authentication technologies. But it settled on devices from Sun Microsystems Corp., Santa Clara, Calif., because of their speed and "consistent user experience," Pelot says.
In reviewing authentication options while considering its thin client choices, Denver Health concluded that sticking with smart cards was the best strategy. The login methods for other options, such as fingerprint readers, took too long, says Kristen Garrison, security manager. Plus, some of the systems required a centralized database, for example to store biometric images, leading to additional login delays, she contends.
The Sun devices, however, could only be accessed by using a specialty card from Sun, which posed a problem. "We decided we wanted to stick with our existing smart cards, which had cost us $18 each," Pelot notes. So the provider organization worked with Sun to accommodate the Gemalto cards.
Looking ahead, Pelot remains open to considering biometrics technology as a third layer of authentication to help bolster security. But first, he's waiting for biometrics prices to decline and performance to improve.
For now, he advises others shopping for authentication technologies to consider such technical issues as whether the technology supports a variety of security protocols, including Kerberos, and integrates well with Microsoft certificates.