buchachon - Fotolia

What to look for in healthcare enterprise SSO technologies

If your healthcare organization is ready to purchase single sign-on technology, consider the various types offered, and make sure to take a close look at federated SSO.

It's an ever expanding world of healthcare enterprise apps, as many a harried CIO will attest. That environment leaves ripe opportunity for SSO technologies.

From internal systems to cloud offerings, enterprise employees access applications from a growing universe of devices and hosts, all of which require access control.

In the past, enterprise systems were built, hosted and maintained internally, making access control via login and password manageable (unless you worked for the help desk). Today, however, that often is not the case, as apps migrate from traditional mainframes and servers to the Web and cloud, and access control moves outside firewalls.  Hosting architectures may have changed, but the need to reliably identify users has not -- and externally hosted applications often layer additional login and password credentials onto the user's burden.

As a credentialing strategy, a login-and-password approach has become unwieldy, error prone, vulnerable, inefficient -- and really annoying. All too often, users choose to minimize workflow disruption by maintaining a simple, single login-and-password combination for multiple applications and sites.

Bad idea.

SSO technology explained

For the healthcare CIO, the credentialing dilemma is severalfold. How does an organization reliably identify users and protect data as app-driven communication channels soar, but not apply the brakes to productivity? How does a hospital protect data among shared workstations, software as a service, business process outsourcing, and other points of entry throughout a distributed hosting architecture?

The answer, at least from a process perspective, is to have a single set of credentials for all applications. That benchmark is met by single sign-on (SSO), an authentication process that allows a user to log in once and gain access to different applications. SSO technologies are popular because they improve productivity and reduce the possibility that employees will use easy-to-crack passwords. As an enterprise credentialing solution, it offers several advantages, including:

  • Eliminating credential re-authentication and help desk requests, thus improving productivity
  • Reducing risk
  • Streamlining workflow
  • Minimizing malicious intrusions, such as phishing
  • Improving compliance through a centralized database
  • Enabling HIPAA audit and access reporting

SSO comes in several varieties, ranging from password synchronization to enterprise SSO, true SSO, Web SSO, and federated SSO.  Let's look at these options in more detail:

  • Password synchronization, the simplest approach, allows multiple systems to have unique usernames but a shared password
  • Enterprise SSO is more flexible but leaves pockets of non-coverage due to integration issues
  • True SSO is typified by Microsoft's Active Directory, which stores user names and passwords and uses them to secure access to computers on Windows domains 
  • Web SSO is similar to enterprise SSO but with a Web front end
  • Federated SSO is an Internet-friendly solution that allow users to share identities among multiple organizations and applications

To varying degrees, this range of SSO technology delivers benefits to IT, clinical users and business associates. Users don't need to remember a laundry list of credentials, and a single credential streamlines workflow and boosts productivity. The help desk fields fewer user calls, clinical and business transactions are accelerated and network administrators can exercise tighter control over application access.


So which flavor of SSO is best? Within the firewall of the healthcare enterprise, simpler forms, such as enterprise SSO, are easier to deploy incrementally and face a lower bar to adoption. But as business relationships radiate beyond the walls of the enterprise, greater Web-enabled, more secure credentialing tools are in order.  Many organizations opt for a blended approach, with enterprise SSO deemed sufficient for internal authentication and a federated approach for Web and external organization access.

In today's complex healthcare enterprise, trusted relationships between unrelated organizations and systems are necessary for clinical and business operations.  With one-click access to Web applications, federated SSO is becoming the new normal of multi-enterprise access and interoperability.

Federated SSO is becoming the new normal of multi-enterprise access.

When a technology is federated, all participants agree to conform to a common methodology and standard of authentication. It works this way: In a federated relationship, a service provider issues a token or permission to log on, and an identity provider authenticates the user. The receiving organization trusts the person logging in, who is then approved to enter the system. The token can be re-used across any number of applications and organizations.

The federated approach provides a secure, standards-based, user-friendly mechanism that eliminates Web application passwords. This type of SSO technology allows users to enjoy "click-and-work" access to colleagues, business partners and Web applications. It can be mated with other multifactor security technology -- such as a token (e.g., smart card or badge) or a biometric (e.g., retina or fingerprint) to accommodate a variety of use cases and connection types.

But standards make federated SSO work, and there are SSO standards aplenty. Three bear particular attention. One of the earliest SSO standards, Security Assertion Markup Language (SAML), has since 2001 been a dominant standard for cross-vendor and Web browser SSO, but has failed to optimize for mobile and extranet environments.

Two newer standards, OAuth, an open standards spec, and OpenID Connect, which builds on OAuth, fill this gap. OAuth 2.0 extends federated SSO to third parties (e.g., Facebook), and OpenID Connect is optimized for cloud apps. Of the two, OpenID is the more flexible because it adds an identity layer to OAuth's authorization layer. 

The bottom line

Here are some tips to choose your approach to single sign-on technologies:

Assess the environment. A good point of departure in attacking any organizational problem is to first define the customer and the problem to be solved.  Are the users employees or business partners? Are internal, external or Web systems involved? What are your enterprise pain points?  Healthcare CIOs and their staff should research their constituents to identify their unique requirements and build the SSO solution accordingly. Determine the applications that are being used most and include in them in the scope. The help desk is a good place to glean this user and application information.

Figure out the size. How many target systems need to be integrated? Will these systems still be in use one to two years from now? Do vendors being looked at have authentication options that can use enterprise standards? Select SSO technologies that yield the greatest immediate benefit in terms of access, security, integration and convenience. Decide if any current systems are being phased out and do not need SSO consideration. A matrix of use cases will help identify patterns in architecture and must-have features.

Use what you've got. Can existing tools like Active Directory for Windows be employed, even for only one or two applications, to reduce the scale of the task? What staff members will be assigned to this process, who will manage the SSO system and what is their expertise with the technology? From a cost standpoint, it's likely that the investment in enterprise resources -- including people, process and product -- can be effectively managed to lessen the effect of SSO deployment on budget and operations.

Look to the horizon. Applications are moving to the cloud, so SSO technology should anticipate a future when Web apps and external trust relationships will eclipse the need to service internal systems. Recognize that new applications will continually come online and that new access methods will challenge SSO capabilities. 

Be patient choosing a vendor. Take a slow, measured approach to vendor selection. Look for a seller that has experience, a proven record and a willingness to deploy your SSO solution -- enterprise, federated, or blended -- at a digestible pace.

Next Steps

Ask the expert: How has single sign-on technology evolved?

Why healthcare needs an SSO approach

Integrating SSO technology with mobile apps

Dig Deeper on Workflow and process management software and systems