Developing a single sign-on implementation plan for health care

In health care, a successful single sign-on implementation starts with detailed planning, consultation with practitioners, and consideration of all the technology choices.

Everyone agrees it's a good thing to simplify the rats' nest of software and network access passwords used by caregivers in a hospital, thereby removing constant application logins -- a time-wasting technology barrier between them and the patient. It can be argued that making apps more accessible and easier to use will boost accuracy in medical records and foster adoption of meaningful use compliance for digitizing patient data, as well.

What doesn't everybody agree upon? The best way to do it.

Thankfully, there are many different ways to manage a health care single sign-on (SSO) implementation. As in other complex business networks, such as financial and manufacturing, SSO in health care can be thorny, with an overwhelming number of technology choices, from simple Web single sign-on (WSSO) that manages only browser-based apps to full-boat enterprise single sign-on (ESSO) that can govern all software access. Then comes the decision of how end users will sign on: via biometrics, passive ID badges, active RFID or that old standby, username and password -- or some combination of those.

Those are single sign-on implementation issues health care has in common with other business sectors. Provider CIOs also have to factor in problems unique to health care SSO systems. These can include audit trails for HIPAA compliance and the lack of interoperability between applications -- especially legacy apps -- that might stymie what looks at first like a straightforward implementation.

That makes detailed planning a crucial part of successful health care single sign-on implementations, said Archit Lohokare, worldwide product manager for IBM Security Systems, whose Tivoli SSO system is one of the top six used in health care according to a recent Ponemon Institute report. Lohokare said that SSO should be part of a broad "security intelligence" plan a health care provider should be developing in light of stronger HIPAA regulations and new public postings of data breaches.

"Look at single sign-on as a piece in a broader security vision," Lohokare said. "There's an explosion of security events that are happening -- it's very critical for compliance, as well as for threat protection purposes, that you have a tool that you're able to plug into a security intelligence platform -- so that all this data related to access of [patient] data and applications is fed into a central reporting engine that you can use not just to prevent threats, but that you can use for your compliance and reporting purposes."
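The "central reporting engine" Lohokare describes is, in practice, an audit trail that joins SSO session events to application-level patient-record accesses. The following is an added example, not code from the article or from IBM or Harris: it normalizes two constructed log formats (a hypothetical SSO system emitting key=value lines and a hypothetical EHR emitting CSV) into one audit record type, rebuilds sessions from login/logout events, and reports every patient-record access that no SSO session for that user and workstation covers. Such gaps are exactly what a HIPAA auditor would ask about, since they indicate access that bypassed the SSO layer or a session that outlived its logout. All field names, log formats, users and MRNs are assumptions constructed for the example.

```python
"""Added example: central audit trail joining SSO sessions to EHR record access.

The log formats, users, workstations, session ids and MRNs below are
constructed for this example; they are not from any real SSO or EHR product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input: the SSO system writes key=value lines.
SSO_LOG = """\
2024-03-01T08:00:03Z event=login user=rnsmith method=badge+pin workstation=ED-WS07 session=a1
2024-03-01T08:42:10Z event=logout user=rnsmith session=a1
2024-03-01T09:15:00Z event=login user=drjones method=password workstation=ED-WS02 session=b7
"""

# Constructed sample input: the EHR writes timestamp,user,workstation,action,MRN.
EHR_LOG = """\
2024-03-01T08:05:41Z,rnsmith,ED-WS07,view,MRN-000123
2024-03-01T08:50:02Z,rnsmith,ED-WS07,view,MRN-000777
2024-03-01T09:20:15Z,drjones,ED-WS02,update,MRN-000123
2024-03-01T09:21:00Z,svc_import,ED-WS02,view,MRN-000900
"""


@dataclass(frozen=True)
class AuditRecord:
    """One normalized event from any source, the unit the central engine stores."""
    ts: datetime
    source: str       # "sso" or "ehr"
    user: str
    workstation: str  # empty when the source did not record it (e.g. SSO logout)
    action: str       # login / logout / view / update
    detail: str       # session id for SSO events, patient MRN for EHR events


@dataclass
class Session:
    session_id: str
    user: str
    workstation: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


_KV = re.compile(r"(\w+)=(\S+)")


def parse_sso(text: str) -> list[AuditRecord]:
    """Normalize the key=value SSO format; workstation is optional on logout lines."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        kv = dict(_KV.findall(rest))
        out.append(AuditRecord(_ts(ts), "sso", kv["user"], kv.get("workstation", ""),
                               kv["event"], kv["session"]))
    return out


def parse_ehr(text: str) -> list[AuditRecord]:
    """Normalize the CSV EHR access format."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, mrn = line.split(",")
        out.append(AuditRecord(_ts(ts), "ehr", user, ws, action, mrn))
    return out


def build_sessions(sso: list[AuditRecord]) -> dict[str, Session]:
    """Pair login and logout events by session id; a missing logout leaves end=None."""
    sessions: dict[str, Session] = {}
    for r in sorted(sso, key=lambda r: r.ts):
        if r.action == "login":
            sessions[r.detail] = Session(r.detail, r.user, r.workstation, r.ts, None)
        elif r.action == "logout" and r.detail in sessions:
            sessions[r.detail].end = r.ts
    return sessions


def covering_session(sessions: dict[str, Session], access: AuditRecord) -> Optional[Session]:
    """Return the SSO session that was open for this user on this workstation at access time."""
    for s in sessions.values():
        if (s.user == access.user and s.workstation == access.workstation
                and s.start <= access.ts and (s.end is None or access.ts <= s.end)):
            return s
    return None


def unattributed_accesses(sso_text: str, ehr_text: str) -> list[AuditRecord]:
    """Patient-record accesses that no SSO session explains: the compliance finding."""
    sessions = build_sessions(parse_sso(sso_text))
    return [a for a in parse_ehr(ehr_text) if covering_session(sessions, a) is None]


def central_audit_trail(sso_text: str, ehr_text: str) -> list[AuditRecord]:
    """The merged, time-ordered record the central reporting engine would retain."""
    return sorted(parse_sso(sso_text) + parse_ehr(ehr_text), key=lambda r: r.ts)


if __name__ == "__main__":
    for a in unattributed_accesses(SSO_LOG, EHR_LOG):
        print(f"{a.ts.isoformat()} {a.user}@{a.workstation} {a.action} {a.detail}: no covering SSO session")
```

On the constructed input, two accesses are flagged: rnsmith viewing MRN-000777 eight minutes after the a1 logout (a session that outlived its logout, or a shared workstation left unlocked), and the svc_import account, which never authenticated through SSO at all. The join is deliberately keyed on user and workstation together, because a login on one workstation does not explain record access from another; a real deployment would also cap open-ended sessions with a maximum age rather than treating a missing logout as still valid indefinitely.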

Lohokare and Gabriel Waters, territory manager for Harris Corporation -- which acquired Carefx's Fusion Desktop suite of SSO and associated workflow management tools last year, a suite used by more than 800 health care providers that is also in Ponemon's top six -- offered advice for CIOs embarking on their own SSO implementation plans:

Carefully consider the pros and cons of authentication mechanisms. Each method has its upside -- fingerprint biometrics eliminates badges and passwords, for example -- but they all have their downsides in health care, too. Fingerprints don't work so well in a fast-paced health care environment; many of the SSO users wear gloves. "Tap-and-go" passive RFID (think building ID badges) in conjunction with password authentication seems to be a popular choice among Harris customers. It also leverages what -- in many hospitals -- is existing IT infrastructure to beef up software user authentication.


Assemble a team to tackle it. Seek input from not only the docs and nurses to understand their needs and preferences, but also other stakeholders such as the compliance staff. That way, you will iron out potential snafus such as staff not liking RFID badges, or creating insufficient HIPAA audit trails for patient data access -- before you've used up your budget and must overspend on costly fixes.

Know your end points for access. Are your clinicians using laptops, iPads, shared workstations, kiosks or some mix of them all to access patient data and clinical applications? Understanding that topology will guide your vendor selection and method of SSO implementation as well as the ability to cover all those use cases.

Pilot the technology in high-volume areas. Emergency departments are a great place to test potential SSO systems, because if they work there -- and reduce stress involved with software access during action-packed shifts -- they'll almost certainly hold their own in other areas of a hospital.

Standardize the desktop environment as much as possible. SSO implementations fail regardless of vendor, Waters said, when the variance between desktops is "the wild west," especially in desktop-virtualized environments.

Ask prospective SSO vendors about their relationships with your application vendors. If an SSO vendor works with developers of most -- or all -- of the apps on your network, you probably have a better shot at SSO success than if they don't. Also, the more closely integrated an EHR application, for example, is with the SSO software, the less costly and complicated an SSO implementation will likely be.

Think about how SSO will affect your other systems. Lohokare points out that SSO is a component of a greater identity management program of policies and software. And while most SSO systems are compatible with human-resources data management apps like PeopleSoft and other ID management systems, it's important to keep those policies in mind during an SSO rollout, especially if you're planning on changing ID management vendors. Waters adds that desktop virtualization systems combined with HL7's emerging Clinical Context Object Workgroup (CCOW) interoperability standard are effectively reducing the "hopping" between apps a nurse or doc might have to do.


When combined with single sign-on, virtualization and CCOW-enabled apps can make caregivers more efficient than they are when they have to open all those apps and remember the logins to get in -- then navigate to confirm they aren't mistaking the patient for one who has the same name. SSO systems can improve application load times, too, in some cases ensuring an app loads in a quarter of the typical time for an EHR.

"The interesting thing is, a lot of the clinical [EHR] vendors -- Cerner, Epic and the like -- they've done their own CCOW enablement to support the standard," Waters said. "When [customers] turn that on, the authentication process is faster, the application loads quicker. These vendors aren't security companies, right? They're not good at authentication and it kind of shows when you go through their login event and see how long it takes. That's not their core business. The nice thing is, if you turn on the CCOW capabilities, the load time is shorter. For some [EHRs] it's 25% of the total time."
