Biometrics and HITECH Compliance
Should the Technology Be Paired With Single Sign-On?
For example, 25-bed Mahaska Hospital in Oskaloosa, Iowa, chose to use fingerprint scanners paired with single sign-on to help "ease the burden on clinicians as we tighten authentication and security," says Kristi Roose, director of IT at Mahaska Health Partnership, parent of the hospital.
In contrast, 243-bed Saratoga Hospital in Saratoga Springs, N.Y., implemented fingerprint scanners without single sign-on to minimize the cost and complexity of the project, says Gary Moon, security analyst. The "cookie-cutter approach" to pairing single sign-on with biometrics wasn't a good fit for his hospital, he adds.
HITECH Compliance
Both hospitals were motivated by a desire to beef up security to help comply with the HITECH Act, which, among other things, called for higher penalties for failure to comply with the HIPAA privacy and security rules and required that major breaches be reported to federal authorities.
"We understood that we needed to tighten things up a bit," Roose says.
By adding authentication technology, Saratoga Hospital now can create a better audit trail to track who is accessing which systems and minimize inappropriate access, Moon explains.
Ease of Use
Pairing single sign-on from Imprivata Inc. with fingerprint scanners from UPEK Inc. made sense for Mahaska because the pairing enables physicians and nurses to complete authentication for all systems with one simple step, Roose says. Once clinicians register their fingerprint, they simply scan their finger to gain instant access to all systems for which they have authorization.
About 300 of Mahaska Health Partnership's 360 employees now use the biometric scanners, paired with single sign-on to access various systems, Roose says.
For physicians who want to access clinical systems remotely, the 25-bed hospital is using two-factor authentication with hardware tokens from RSA, the security division of EMC. The physicians access systems through a virtual private network by entering a personal identification number along with the one-time code displayed by the token.
Using fingerprint scanners for remote access would have proven impractical, Roose says, because many of its physicians visit from various larger hospitals in Des Moines and they use a variety of computers.
Not a Good Fit
At Saratoga Hospital, Moon determined that single sign-on wasn't a good fit. "Plus, the single sign-on market is still shaking out," he contends. "Companies are changing their products rapidly, and they're getting better. But single sign-on is a major undertaking in terms of management and expense. And our systems here aren't very easy to implement with single sign-on."
In particular, the hospital's core information system, from Meditech, is difficult to integrate with single sign-on, he notes.
Moon portrays the use of fingerprint scanners from DigitalPersona Inc. as "effortless multiple sign-on." He adds: "Users don't mind putting their finger down each time to sign on to various systems. It's not a big speed barrier."
So far, the hospital has 641 staff members registered to use the scanners on 250 PCs. Its goal is to sign up 1,500 users on 700 PCs.
For remote access, the hospital is studying whether to apply biometrics for authentication. For now, it's relying on user name and password. Saratoga likely won't use tokens for remote access because it wants to offer one standard approach to authentication, he adds.
Why Not Two-Factor?
Saratoga and Mahaska both chose not to use two-factor authentication within the hospitals' four walls. Instead, a successful fingerprint match simply releases the user's stored password to the target system on the back end, so the fingerprint remains the sole factor presented.
"We didn't feel the use of two-factor would be any improvement over the recognition of somebody's fingerprint as validation that they are who they say they are," Moon says. "We want to reduce barriers to accessing systems while remaining compliant with security needs. And fingerprint scanners encourage clinicians to be compliant."
Before Saratoga implemented biometrics, some clinicians would jump on the computer sessions of others "to avoid the cumbersome login process," Moon says. Now, with the ease of fingerprint scanning, access control is improved, he contends.
Roose joined Moon in noting that an important reason for not implementing two-factor authentication was resistance from clinicians. "It's all about simplicity for users," Roose says.
Raising the Stakes?
But pairing single sign-on with biometrics "raises the stakes" for security, says Kate Borten, president of The Marblehead Group. "If the authentication to a single account that gives you access to multiple systems is compromised, more information is at risk," Borten notes. As a result, she recommends the use of two-factor authentication, such as biometrics plus a front-end ID number, when a single sign-on system is used.
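To make Borten's point concrete, here is an added example that is not part of the original article and is not code from either hospital or from any vendor named above. It is a small Python model of an enterprise single sign-on vault of the kind described here, in which one authentication event releases a stored password for every application the user is entitled to. It compares a vault unlocked by the fingerprint match alone with one whose key is derived from the match and a PIN, Borten's "front-end ID number". The per-user match secret, the vault layout, the cipher construction (a SHAKE-256 keystream with an HMAC-SHA256 tag, encrypt-then-MAC), the user and application names and the sample passwords are all assumptions made for the example; a production agent would use a vetted AEAD such as AES-GCM, and most commercial biometric SSO products make the match decision in software rather than releasing a key-deriving secret.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; chosen for the example


def derive_vault_key(factors, salt):
    """Derive a 32-byte vault key from one or more authentication factors.

    Each factor is length-prefixed before concatenation so that a fingerprint
    secret plus PIN cannot collide with a different split of the same bytes.
    """
    ikm = b"".join(len(f).to_bytes(2, "big") + f for f in factors)
    return hashlib.pbkdf2_hmac("sha256", ikm, salt, KDF_ITERATIONS, dklen=32)


def _subkeys(key):
    # Separate keys for the keystream and the tag; never reuse one key for both.
    enc = hmac.new(key, b"enc", "sha256").digest()
    mac = hmac.new(key, b"mac", "sha256").digest()
    return enc, mac


def seal(key, plaintext):
    """Encrypt-then-MAC: SHAKE-256 keystream under a fresh nonce, HMAC-SHA256 tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    keystream = hashlib.shake_256(enc + nonce).digest(len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream))
    tag = hmac.new(mac, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag before touching the ciphertext; wrong factors fail here."""
    enc, mac = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: wrong factor(s) or tampered blob")
    keystream = hashlib.shake_256(enc + nonce).digest(len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


class SsoVault:
    """Per-user store of application passwords, all released by one vault key."""

    def __init__(self):
        self._users = {}  # user_id -> (salt, {app: sealed password})

    def enroll(self, user_id, factors, app_passwords):
        salt = os.urandom(16)
        key = derive_vault_key(factors, salt)
        sealed = {app: seal(key, pw.encode()) for app, pw in app_passwords.items()}
        self._users[user_id] = (salt, sealed)

    def release(self, user_id, factors):
        """Return every application password, or raise if the factors are wrong."""
        salt, sealed = self._users[user_id]
        key = derive_vault_key(factors, salt)
        return {app: unseal(key, blob).decode() for app, blob in sealed.items()}


# Constructed sample data (not from the article): one clinician, three systems.
APP_PASSWORDS = {"meditech": "Xy7!kq92", "pacs": "r4d10L0gy#", "email": "m@il-2010"}
# Assumed: the matcher releases this per-user secret on a successful fingerprint match.
FINGER_SECRET = hashlib.sha256(b"constructed fingerprint template for dr.jones").digest()
PIN = b"4821"  # Borten's "front-end ID number", constructed for the example


def blast_radius(vault, user_id, factors):
    """Apps an attacker can log into after presenting `factors` to the vault."""
    try:
        return sorted(vault.release(user_id, factors))
    except ValueError:
        return []


def compare_designs():
    """Enroll the same user two ways and try a stolen biometric against each."""
    one_factor = SsoVault()
    one_factor.enroll("dr.jones", [FINGER_SECRET], APP_PASSWORDS)

    two_factor = SsoVault()
    two_factor.enroll("dr.jones", [FINGER_SECRET, PIN], APP_PASSWORDS)

    return {
        "one_factor_stolen_bio": blast_radius(one_factor, "dr.jones", [FINGER_SECRET]),
        "two_factor_stolen_bio": blast_radius(two_factor, "dr.jones", [FINGER_SECRET]),
        "two_factor_stolen_pin": blast_radius(two_factor, "dr.jones", [PIN]),
        "two_factor_legit": blast_radius(two_factor, "dr.jones", [FINGER_SECRET, PIN]),
    }


if __name__ == "__main__":
    for scenario, apps in compare_designs().items():
        print(f"{scenario:24s} -> {apps or 'nothing released'}")
```

Run directly, the script prints which applications each scenario releases. The lesson is the one Borten draws: with single-factor unlock, whatever defeats the fingerprint step (a spoofed scan, a replayed match result, a compromised agent) yields every downstream password at once, whereas folding a second factor into the vault key means a stolen biometric alone yields nothing, at the cost of the extra step both hospitals chose to avoid.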
For remote access, two-factor authentication should be a "fundamental requirement" for security because of the high risk of unauthorized access to clinical systems via the Internet. That's why the use of tokens plus PINs is becoming widespread, the security expert argues.
And no matter what authentication technologies are selected, providing staff with adequate training is the key to success, Borten stresses. "A lot of people in healthcare are not computer literate," she notes. "And you want to make sure the solution is not burdensome."