Daily headlines seem to have a soft spot for healthcare data breaches these days. As such,
healthcare technology seems to have two primary areas of focus right now - increasing network
security by better restricting access to data and applications, and increasing employee
productivity by deploying user-friendly solutions. Several technologies are rapidly being adopted
by healthcare providers to assist in these areas.
When it comes to increasing network security, employees need to be given the correct security
permissions based on their job roles. Ensuring that employees have the proper access rights greatly
improves security, though doing so requires setting controls that can take the IT department months
to implement.
Consider using a role-based access control (RBAC) solution to assist with this process. The
RBAC matrix is populated with departments, titles, locations and other pertinent information. This
allows for a proven methodology to define which employee should have access to what applications
and data.
In many cases it is feasible to populate much of the required data by taking an extract from
the HR application. Additional extracts from Active Directory, Lightweight Directory Access
Protocol (LDAP) and other healthcare systems can provide a snapshot of the way access is currently
configured. Reviewing this data and finding employees with appropriate access, in each role, can be
the basis for propagating that access to other employees in that role. An access request system can
ensure the appropriate managers and system owners approve any deviations from the norm.
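The review step described above, as an added example that is not code from the article or from Tools4ever, run over constructed HR and directory extracts: it takes each role's baseline to be the groups every active member of that role holds, lists entitlements outside that baseline so they can be routed through the access request process, and flags departed employees whose directory account is still enabled.

```python
# Added example, not from the article; the extracts below are constructed sample data.
import csv
import io

# Constructed stand-ins for an HR export and an AD/LDAP export of group membership.
HR_EXTRACT = """employee_id,name,department,title,status
1001,A. Rivera,Nursing,Registered Nurse,active
1002,B. Chen,Nursing,Registered Nurse,active
1003,C. Okafor,Nursing,Registered Nurse,active
1004,D. Patel,Radiology,Technologist,active
1005,E. Novak,Nursing,Registered Nurse,terminated
"""
DIRECTORY_EXTRACT = """employee_id,enabled,groups
1001,true,EHR-Clinical;Email;eMAR
1002,true,EHR-Clinical;Email;eMAR
1003,true,EHR-Clinical;Email;eMAR;Finance-GL
1004,true,PACS;Email;RIS
1005,true,EHR-Clinical;Email;eMAR
"""

def load(text):
    return {r["employee_id"]: r for r in csv.DictReader(io.StringIO(text))}

def role_baseline(hr, directory):
    """Groups held by every active member of a (department, title) role."""
    baseline = {}
    for emp_id, rec in hr.items():
        if rec["status"] != "active" or emp_id not in directory:
            continue
        role = (rec["department"], rec["title"])
        groups = set(directory[emp_id]["groups"].split(";"))
        baseline[role] = groups if role not in baseline else baseline[role] & groups
    return baseline

def review(hr, directory):
    """Return (baseline, deviations needing approval, leavers still enabled)."""
    baseline = role_baseline(hr, directory)
    deviations, leavers = {}, []
    for emp_id, rec in hr.items():
        if emp_id not in directory:
            continue
        if rec["status"] != "active":
            if directory[emp_id]["enabled"] == "true":
                leavers.append(emp_id)
            continue
        groups = set(directory[emp_id]["groups"].split(";"))
        extra = groups - baseline[(rec["department"], rec["title"])]
        if extra:
            deviations[emp_id] = sorted(extra)
    return baseline, deviations, leavers
```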
As a prerequisite for an RBAC implementation, it is critical that each user have an individual
network account. A common practice in healthcare is the use of shared accounts - nurses or
clinicians log into a shared workstation with a generic account and access any number of
applications. Occasionally, these applications, such as EHRs, will require a second set of
credentials, but employees often use a shared account for access here, as well.
This makes it difficult to determine who viewed what data and when. An identity management
solution, often linked with the HR system, provides a straightforward way to create individual user
accounts and can keep them up to date with changes in titles and departments, for example, so that
access is modified when appropriate. Employee departures, also reflected in the HR system, can
easily be detected to ensure all network and application access is revoked in a timely fashion.
One downside of switching to individual accounts is that employees will now need to remember
credentials - user names and passwords - for a multitude of systems. A recent survey found that the
average clinician spends nearly 10 minutes a day logging in and out of applications. Add to that the
need to remember six or eight sets of credentials, and reducing or eliminating these burdens can
yield tremendous productivity gains. Implementing a single sign-on (SSO) application in conjunction
with fast user switching is a cost-effective approach to resolving this potential downside.
Single sign-on allows users to log in once to the network; their authorized application
credentials are then cached and supplied on an as-needed basis. While on the surface this seems to
present a security risk, strong authentication - for example, combining something the user knows,
such as a PIN code, with something the user has, such as a scannable card - can mitigate the risk.
Fast user switching takes this concept one step further. Imagine a resident making rounds,
logging into several computers, usually the closest one to a patient's room. Fast user switching
allows the resident to use her access card and PIN code to access the machine - any applications
she left open are immediately available to her, at the same point as when she closed out of the
last machine. A similar solution is available for Citrix and Microsoft Terminal Services
environments and is commonly referred to as "Follow Me."
In summary, using individual network accounts and defining access to systems and data using
an RBAC matrix increases the overall security of hospital information systems, while using an SSO
solution allows users to painlessly access the network and have more productive time for patient
care.

Dean Wiech is Managing Director at
Tools4ever, which supplies a variety of software products
and integrated consultancy services involving identity management.


