As health care organizations search for faster and safer ways to deliver patient care, more technology is emerging...
to help achieve that. Single sign-on, or SSO, is one of those technologies that is already making its presence felt in the health care space.
SSO technology aims to give hospital staffers -- including physicians, nurses, administrative workers and IT teams -- a clear sense of access control among software systems. It employs, among others, a variety of methods including finger biometrics, proximity cards, personal identification numbers (PINs), smart cards and other identification cards, and one-time-password tokens (OTP) with integrated Windows authentication. SSO automates the login process, thereby allowing staffers to log in just once from their desktop to gain entry to all systems. The process omits repetitive log in screens, recalling passwords and exhaustive keystrokes.
SSO, like other technologies descending on the health IT industry, brings plenty of benefits and concerns, both of which are vital to health care organizations as they consider SSO adoption and deployment. To that end, this article looks at the implications of SSO, references two studies in which caregivers provide feedback on SSO, delves into curbing costs and, lastly, looks at regulations and compliance.
For single sign-on, the story is on the wall
At a hospital in the Midwest, the burden of numerous passwords was physically present. A wall of the facility was littered with paper, the scrawls of log in information preserved so busy specialists, who worked in a number of different facilities, could remember the passwords they needed in this setting. Aside from the security concerns, the method was not fool proof: one weekend the hospital redecorated and the information was gone. Subsequently, the providers who could not remember their passwords were locked out of systems.
In another hospital, an emergency department doctor decided to ignore a new password-reset policy implemented by the CIO. When it came time to perform a surgery, the doctor was locked out of multiple care systems and applications. By that point, he couldn't do the password reset, and an IT staffer was required to verify the doctor's credentials face-to-face just prior to the surgery.
These stories, recounted by David Ting, the founder and chief technology officer of SSO vendor Imprivata, reveal how password processes can be troublesome. That helps spell out the main benefit of SSO technology in health care: Clinicians have more time for patient care and spend less time remembering passwords.
The future's bright for single sign-on
While health care organizations are testing the waters to see if SSO will benefit care delivery and productivity, the future of SSO is destined to make a splash. People today require instant access to information stored in a variety of applications, which creates a breeding ground for security breaches as users bypass standard security protocols. SSO technology will expand to authenticate users on EHR systems, social media, mobile health and web-based applications, said Ponemon, concluding that this technology will eventually be "single sign-on on steroids."
That awareness has been building over the last decade, he said. "All of a sudden, health care woke up and realized the need to validate who was getting on computers."
Adoption, implementation done with other IT projects
In most cases, SSO adoption and implementation occurs in conjunction with other large-scale IT initiatives such as electronic health records (EHR) systems, computerized physician order entry (CPOE) and e-prescribing (eRx). The reason for that, says IDC Health Data Insights Research Director Judy Hanover, is because "providers tend to switch between applications at the point of care."
That was the case for Beaufort (S.C.) Memorial Hospital, a 197-bed hospital that specializes in acute care, rehabilitation and mental health. In addition to upgrading their Meditech HCIS system, Beaufort also deployed SSO because the current CPOE system was outdated and, to the chagrin of providers, required multiple passwords for usage, according to a report of SSO best practices.
Furthermore, Hanover added, multiple application usage can be done on disparate computer interfaces via "continuous sessions." This enables virtualization so caregivers can move to different computer stations and rooms -- a process that's prevalent among nurses -- and continue care without logging in/out again, or losing their place. The caregiver can continue care after authentication, which can be done through a number of SSO-based methods such as biometrics or voice recognition.
Single sign-on enables clinician satisfaction
The sheer convenience of streamlining multiple application usage creates enthusiasm among providers. SSO technology can lead to satisfaction among caregivers, according to the June 2011 study -- How Single Sign-On Is Changing Healthcare, released by the Ponemon Institute, an independent research and consulting organization that focuses on privacy, data protection and information security.
Of the respondents, 76% said that SSO is an important part of increasing clinician satisfaction. Additionally, respondents were asked to rank -- on a scale from one to six, with six being the most important -- what the primary reasons are for deploying SSO technology within their organization. Clinician satisfaction produced the highest ranking among respondents, who said SSO allowed them to spend less time on password management.
Additionally, satisfaction among clinicians provides more than a morale boost -- it also fosters efficiency when using medical applications and systems. 83% of respondents believe that SSO enables easier access to applications and data. What's more, 31% of respondents say they directly observed or personally experienced efficient gains using SSO, according to the study.
Larry Ponemonfounder and chairman, Ponemon Institute
The Ponemon Institute's study also shed light on how health care organizations are saving money by deploying SSO technology. The study used an average physician salary of $135,000 per year and a 250-day work year, and demonstrated that SSO translated to savings of $68 per day or $2,675 per year, based on 9.51 minutes of time clinicians save, on average, every day through simplified access to applications and patient files. Extrapolating from that, an organization deploying SSO can save more than $2 million from clinicians saving time accessing systems.
As long as the functionality is seamless, savings from SSO technology can be timely. "In my experience, savings happen quickly when SSO is wisely deployed and staff is comfortable," said Larry Ponemon, founder and chairman of the institute, adding that savings just weeks after deployment are possible because other technologies -- such as EHR systems -- require a lot more time and training while SSO is simpler to operate and brings value faster.
Consider technology barriers, leadership roles among staffers
There are many approaches health care organizations can take to deploy SSO technology in order to move away from relying on passwords. The conventional method is to tie a username and password to a PIN number, which can then be used for a number of systems. The conventional method is not gaining a lot of steam forward because "passwords for the most part are obsolete and not difficult to figure out," Ponemon said.
"We are starting to see different forms of authentication used in combination," said Ponemon, citing tokens used with standard authentication badges, a mobile device with a censor or even a chip at the hardware level that offers authentication.
That said, challenges do persist in SSO implementation. A health care organization will generally have a multitude of applications and it's feasible that some will not support SSO or cannot be configured correctly.
A benchmark study previously conducted by the Ponemon Institute revealed SSO will connect to roughly two-thirds of applications, and the rest are not compatible. This is not surprising, said Ponemon, because health care is often vulnerable when it comes to technology and the industry lags behind others when it comes to adoption.
Another challenge is finding the right leadership for implementation. Clashes among IT departments, C-level executives and clinicians can occur, particularly when providers notice repetitive log-in screens during deployment tests. Experts believe a successful implementation combines a mix of staffers, but IT teams are usually the ones to take over since the project involves harmonizing disparate applications.
Although Ponemon agrees that organizations commonly use a mix of staffers in SSO deployments, he says the tide is changing slightly as SSO becomes utilized more. "While anything around access, governance and authentication was an IT issue more so in the past, we are seeing more folks at the business-unit level deploying these tools."
Single sign-on doesn't enable HIPAA compliance, but it does help security
With security regulations from HIPAA on the mind of all health care organizations, identity management solutions have become widespread. SSO does not enable HIPAA compliance directly, but it can lead to a safer security environment in the face of data breaches and computer hackers. Clinicians are under constant stress and do not want to worry about passwords and turning on machines, said Ponemon, adding that the human factor plays a large role when dealing with security.
Ponemon pointed to one example where a provider deployed an EHR system that would give all caregivers access to all facets of care; even specialists and sub-specialists could view primary care data. All caregivers could access the system via iPhone or iPad, but it presented a problem: If a provider lost a mobile device, the person who discovered it would have access to scores of personal health information (PHI), billing information, social security numbers and more. SSO serves as a viable solution because it requires users to have at least some form of authentication, which leads to better compliance and regulations, said Ponemon.