Thursday, May 29, 2008

How an SSO Implementation Improved Security While Easing On-The-Job Frustrations of Staff

Some consider security to be beyond the reach of the usual measures of return on investment, but most would agree that the costs of a security program should be known and under control. As Southwest Washington Medical Center (SWMC) completed a company-wide project to electronically enable its patient records and organizational data, the IT staff discovered that, for all the benefits the new system gave the organization (increased security, better organization, easier information retrieval, regulatory compliance), the resulting passwords and protocols greatly increased the amount of time staff needed to access records and data.

SWMC is a community-owned, not-for-profit medical institution located in Vancouver, Washington that provides a full range of outpatient and inpatient diagnostic, medical and surgical services to Clark County residents. The region's health care leader and steward for nearly 150 years, SWMC is one of its largest employers and a six-time winner of the Solucient Top 100 Hospitals award. SWMC's employees help support dozens of medical specialty services and programs, focused on cancer, heart, emergency, trauma, neuro-musculoskeletal, family birth and primary care.

The healthcare industry in general presents a significant challenge for internal IT organizations. In the healthcare setting, there are far more users than workstations; the workforce is highly mobile; every worker needs to be able to access an IT workstation from just about anywhere, and to securely access a wide variety of applications from it. The challenge for SWMC was to figure out how to protect patient information while at the same time securely giving acute care clinical staff the ability to walk up to any workstation and log into the network to access the applications and information that let them provide timely care and service to patients.

The password policies in place required staff to use (and therefore remember) a different password for each application. This added strain was compounded by help desk calls to reset forgotten passwords and "adhesive" memory tactics (using sticky notes to remind users of new passwords) that hurt patient privacy far more than the new security programs helped. To make matters worse, even successfully executed logins were taking an average of 30 seconds, adding up to an average of five minutes per day, per employee. For SWMC's more than 3,000 employees that's 25 hours wasted per day, or 150+ hours per week, assuming zero password-related problems that week. With the average hospital cost at $17.00 per hour, the total comes to $2,500 per week, or $130,000 per year: time and money lost to the login process. The system also supports 2,800 clinical and medical support staff of partnering community clinics, making this a cost issue outside the hospital's walls.

It was easy to see that this needed to be fixed quickly: it was becoming a huge frustration for staff and had the potential both to hurt retention efforts and, ultimately, to take time away from patient care.

As issues around frustrations with the electronic record/information systems came to light, the organization was also dealing with two other concerns: compliance with the Health Insurance Portability and Accountability Act (HIPAA); and staff and physician retention in the highly-competitive healthcare industry.

After thoroughly researching various technologies and options, the IT leadership team determined that a comprehensive single sign-on (SSO) implementation could solve several of these issues: eliminate the password problem, producing significant efficiencies for both the IT team and hospital staff; reduce costs; increase the time spent on patient care; help satisfy HIPAA regulations on patient information protection, user login requirements and workstation time-outs; and enable the IT staff to gain organization-wide, centralized control over all IT access control management.

After looking at companies such as IBM, Novell, CA and Sentillion, SWMC chose to go with Imprivata's OneSign Single Sign-On solution, an appliance-based product that provided an intelligent and affordable solution for password management and user access. In evaluations, the team agreed that there were two major features that set OneSign apart from the other solutions:

(1) It was easy to use, meaning care staff would have no problem learning it, and it would not force them to change the way they work, other than limiting the time spent on password logins and logouts; and

(2) It could easily be integrated with existing systems, with a zero-server footprint. This was especially important for SWMC's situation: it had information stored in dispersed and different locations, across 160 applications, with multiple authentication schemas (Novell NDS, RADIUS, MS Active Directory), and it was in the process of migrating to Microsoft Active Directory as the new source of all access authentication. SWMC needed a solution that could easily take information from, and seamlessly interface with, all of these areas, and OneSign was it.

With more than 3,000 users, 125 departments and 160 applications, the IT staff decided to break the project down into two phases: phase I, the full deployment of SSO with fifty core applications; and phase II, the deployment of the balance of critical applications. Because of the success of phase I, phase II was quickly undertaken and the whole system was up and running within three months.

At SWMC, the Microsoft Active Directory group policies manage all role-based access control at the enterprise level, including internal use, outside vendor access and remote VPN access by coders, transcriptionists and "road warriors." The SSO product then manages the initial application-layer access, which has its own access controls, especially within the clinical systems. Access to Protected Health Information (PHI) is managed down to the screens or menus within the PHI-enabled applications. Each workforce member's access rights are set within an enterprise standard, via a Human Resources job code, which is then mapped to access control groups at the application layer.

Because of this, any user can use any workstation within the network; the security now follows the user. Every workstation is what we call a "fast user switching" workstation that can log a user off of a machine, close all applications and get the machine ready for the next user login in about 15 seconds. This approach gives the needed security to protect patient data, but at the same time eradicates the old hassle of locked workstations and prevents the use of the power switch to unlock the machine, a process which can potentially cause hard disk corruption.

Imprivata's solution provided SSO access, enabling users to get a common log-in across all applications, using either a password or a finger biometric to authenticate. The solution allowed SWMC to create one consistent user interface, one security posture for policy management and one principal authentication store for HIPAA, and did so without requiring any code changes to internal or external applications.

In short, SWMC's SSO initiative has transformed its ability to provide quick access to applications and information for the clinical staff, while enabling them to provide more timely and therefore better care to patients, all while helping the organization meet strict HIPAA guidelines. SSO saves staff 15 to 30 seconds per logon, or roughly five minutes per day, per employee.

The security improvements that the SSO implementation has brought about cannot be overstated. Before, it was difficult to get users to adhere to password policies and change their password every six months or so, especially when the number of passwords grew as more and more workflow at the organization was done electronically. Now, password changes happen when they are supposed to, and the team can easily tell when staff are not adhering to policy and make them change their password.

Feedback has been resoundingly positive. The use of single sign-on is appreciated every time a user walks up to a workstation, which happens thousands of times each day. The staff loves SSO, and now wants it on all of their other (non-core) applications.

SWMC has a new competitor hospital just eight short miles away, so keeping staff happy is more essential than ever. As I alluded to earlier, physician and medical staff satisfaction with their work environment has become a crucial part of staff retention. Providing a positive environment that limits mundane tasks, like repetitively logging in to several applications throughout the day, and freeing up time for patient care are critical components of our organization's retention efforts.

Imprivata, Inc.
10 Maguire Road
Building 4
Lexington, MA 02421-3120 USA

phone: 781-674-2700
fax: 781-674-2760
toll-free: 1-877-OneSign
