Monday, October 18, 2010

Single Sign On in the Healthcare Market

Single Sign On access to the electronic health record (EHR)

Lately, numerous healthcare organizations have shown interest in Single Sign-On. With several audits and regulations in mind, the healthcare market is working hard to improve access security. Group accounts are being replaced by individual accounts and password complexity requirements are being tightened. Passwords must now meet increasing demands, such as a minimum length, at least one special character and sometimes the exclusion of known words such as the department name or the name of the institution. In addition, passwords must be changed regularly, and simply incrementing a digit is not allowed.

Privacy and access control
The enhanced access control is a good thing for ensuring patient privacy and preventing abuse of data. Unfortunately, these measures have a downside. Stronger access control not only makes it harder for outsiders to gain access to systems and applications; it also makes access harder for the care giver. The care giver is frequently required to access data quickly from multiple applications and multiple workstations. If all of these applications need a complex, strong password and these passwords are all different, the result is quickly frustration among the users! The IT department is quite often blamed and can become overwhelmed with password reset requests. To be able to access the desired applications quickly, users often place a note with the passwords under the keyboard or on the side of the monitor. It goes without saying that, from a security perspective, this is highly undesirable!

Access with Single Sign-On
Fortunately, there is a strong security solution that combines security with a high degree of usability for the above problems. Enterprise Single Sign-On (SSO) allows care givers to access applications and systems quickly while maintaining an optimal level of security. Enterprise SSO allows users, after logging in once, to access all applications and systems for which they are authorized. The SSO software captures each application's login screen and fills it in, providing quick access to data. The user now only needs to remember one password or, in the case of a card-based system, only needs to use the card with a PIN code and can skip the password altogether.

Authentication
At first glance, it appears that this solution might weaken security, since all major applications now sit behind a single login. In practice, access security with SSO is greatly improved, on the condition that the user's primary authentication is very well protected. Think of a strong password that is changed regularly, or the use of access cards (UZI card, RFID pass, smart cards, tokens or biometrics), possibly combined with a PIN code. If this card can also be used to log on to the computer and to access the EHR and other healthcare systems, user friendliness for the healthcare market is optimal. Of course, a high level of user friendliness also comes with a higher price tag. Authentication via a token card or biometrics requires a significantly higher investment than implementing single sign-on with a complex password. With cuts in the healthcare market and increasingly tight budgets, the choice is often made for single sign-on with a complex password. This still results in very fast access to data and provides significant user friendliness without high investments and long implementation times.

Technically, both offer a strong access security solution that fully meets the requirements of most auditors and regulations. The purported weakening of access security brought on by implementing Single Sign-On appears unfounded in practice. Because users only need to remember one password, or even just carry a card, the characteristic post-it notes under the keyboard or on the monitor disappear and attackers can no longer easily access vital data. Also, the IT department can now implement a strict password policy without fearing major resistance from users.

Fast-user switching
In relation to Single Sign-On, the term fast-user switching is frequently used. Through fast-user switching, users can quickly log on and access information, such as patient data, in the medical records systems. The delay caused by logging off and on to the Windows operating system is bypassed. In some networks, this log off/on can take several minutes, which is very disruptive, especially in the healthcare market. With fast user switching in combination with SSO, changing the user context is handled within the SSO environment, so a user can change from one account to another within 10 seconds. This functionality is appealing to doctors who, while performing their rounds, often have to log on to multiple workstations. For many hospitals, a long-standing fear was that the abolition of group accounts would result in long delays when logging on to shared computers. After all, employees must identify themselves with their own username and password before they can access medical records. With fast user switching, there is no longer a long delay. Users can log in quickly on different systems, and especially in combination with a card system, the user can access the information in various systems and applications within a few seconds.

More information on Enterprise Single Sign On can be found at: ESSOM Solutions

Tuesday, October 12, 2010

HR link with Lotus Notes Address Book

With UMRA we create a lot of links from HRM systems to Active Directory in order to automate user account management. Using one of its 130+ connectors, UMRA can collect the data that is important for creating, updating and disabling user accounts. For example, we can read from an HR system when new users are employed or when changes occur in titles, transfers to other departments and other associated contact data.

Besides user account management in Active Directory, UMRA can also be applied to update the Lotus Notes address book. We are regularly in contact with clients whose Lotus Notes address book contains outdated information about staff. Phone numbers are no longer correct, or manually entered titles and department names contain spelling errors.

Through UMRA we can easily and quickly (typically within 1 to 2 days) connect the Lotus Notes address book to HRM systems such as SAP or PeopleSoft. These systems hold the most up-to-date information about employees, which UMRA can rapidly synchronize to the Lotus Notes Address Book. On the Lotus Notes side, nothing needs to be changed to accomplish this. UMRA can intelligently decide which data needs to be modified and then update only those specific details. For the IT organization, UMRA can provide detailed reporting about which data for which people has been changed, and at what time. It is also possible to configure UMRA so that certain data is not transferred on a one-to-one basis to Lotus Notes. UMRA offers full support for Lotus Notes, including complex operations and account management.
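To make the synchronization pattern described above concrete, here is an added example (not UMRA's own code) of a delta sync from an HR extract to an address book: it updates only the fields that actually differ, refuses to carry over attributes such as salary, and produces an audit trail of what changed for whom and when. The employee records and field names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample HR records (the source of truth), keyed by employee id.
HR_RECORDS = {
    "E100": {"name": "A. Janssen", "phone": "+31 20 555 0100", "title": "Nurse", "department": "Cardiology", "salary": "4200"},
    "E101": {"name": "B. de Vries", "phone": "+31 20 555 0101", "title": "Physician", "department": "Oncology", "salary": "7800"},
    "E102": {"name": "C. Bakker", "phone": "+31 20 555 0102", "title": "Clerk", "department": "Admissions", "salary": "2900"},
}
# Constructed current address book: E100 has a stale phone number and a misspelled
# department, E101 is already correct, E102 is missing altogether.
ADDRESS_BOOK = {
    "E100": {"name": "A. Janssen", "phone": "+31 20 555 0199", "title": "Nurse", "department": "Cardiolgy"},
    "E101": {"name": "B. de Vries", "phone": "+31 20 555 0101", "title": "Physician", "department": "Oncology"},
}
# Only these HR attributes may flow to the address book; salary is never transferred.
SYNCED_FIELDS = ("name", "phone", "title", "department")

def plan_changes(hr, book, fields=SYNCED_FIELDS):
    """Compute the minimal per-field updates that make `book` agree with `hr`."""
    changes = []
    for emp_id, hr_rec in hr.items():
        current = book.get(emp_id)
        if current is None:
            changes.append((emp_id, "create", {f: hr_rec[f] for f in fields}))
            continue
        diff = {f: hr_rec[f] for f in fields if current.get(f) != hr_rec[f]}
        if diff:  # entries that already match produce no change and no audit noise
            changes.append((emp_id, "update", diff))
    for emp_id in book.keys() - hr.keys():  # no longer employed according to HR
        changes.append((emp_id, "disable", {}))
    return changes

def apply_changes(book, changes, now=None):
    """Apply the plan in place and return an audit trail: what changed, for whom, when."""
    now = now or datetime.now(timezone.utc).isoformat()
    audit = []
    for emp_id, action, fields in changes:
        if action == "update":
            for f, new in fields.items():
                audit.append({"who": emp_id, "field": f, "old": book[emp_id].get(f), "new": new, "at": now})
            book[emp_id].update(fields)
        else:
            if action == "create":
                book[emp_id] = dict(fields)
            else:
                book[emp_id]["disabled"] = True
            audit.append({"who": emp_id, "field": action, "old": None, "new": None, "at": now})
    return audit
```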

More information on connectors to HR systems can be found at: How to connect with an HR system.

Monday, August 23, 2010

A flying start with Role Based Access Control (RBAC)

RBAC or Role Based Access Control is hot! With increasing frequency, the organizations I meet see the importance of a structured way of managing and granting authorizations in the network. Often, when granting authorizations, the access rights of a colleague who has "about" the same function are simply copied. This results in many new employees gaining access to systems and applications that they do not need. Rarely is any attention paid to withdrawing authorizations after copying a user, and that has consequences for licensing costs and information security.

RBAC is one of the possible ways to solve this problem. RBAC consists of a matrix of roles, functions and specific access rights. For example, when a new employee joins the organization, the RBAC matrix determines what the new employee will be allowed to do in the network. That's the theory. In practice, populating such a matrix brings many problems. Because people often feel their needs are one of a kind, this frequently leads to as many roles as there are employees. Ultimately, that results in an endless and unworkable matrix. Companies are therefore afraid to implement RBAC within their organization. There are, however, organizations that get started and strive to get 100 percent of the employees into the RBAC matrix. I think this is improbable and may take years of both management's and the Security Officer's time to implement.

Want a quick start with RBAC? It is quite feasible if you do not target 100 percent in the first instance. Based on information from the HR system, it is possible to identify the 50 most common combinations of departments and functions within the organization. This allows up to 80 percent of the RBAC matrix to be completed immediately, all within a few days! The remaining 20 percent can then be filled in through a workflow application, entered manually by the employee's manager.
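The quick-start approach above is essentially a frequency analysis of an HR extract. The following added example (not UMRA's or any product's code) ranks (department, function) combinations by headcount, measures what share of the workforce the top N combinations cover, finds the smallest N that reaches a coverage target, and lists the employees left over for the manual workflow. The twelve-person HR extract is constructed for illustration.

```python
from collections import Counter

# Constructed HR extract: (employee id, department, function). In practice this
# would be exported from the HR system, e.g. SAP or PeopleSoft, via a connector.
HR_EXTRACT = [
    ("E1", "Cardiology", "Nurse"), ("E2", "Cardiology", "Nurse"), ("E3", "Cardiology", "Nurse"),
    ("E4", "Cardiology", "Physician"), ("E5", "Oncology", "Nurse"), ("E6", "Oncology", "Nurse"),
    ("E7", "Oncology", "Physician"), ("E8", "Admissions", "Clerk"), ("E9", "Admissions", "Clerk"),
    ("E10", "IT", "Administrator"), ("E11", "Finance", "Controller"), ("E12", "Board", "Director"),
]

def top_combinations(hr, n):
    """The n most common (department, function) pairs with their headcount, most common first."""
    counts = Counter((dept, func) for _, dept, func in hr)
    return counts.most_common(n)

def coverage(hr, n):
    """Fraction of employees whose (department, function) pair is among the top n combinations."""
    covered = {pair for pair, _ in top_combinations(hr, n)}
    hits = sum(1 for _, dept, func in hr if (dept, func) in covered)
    return hits / len(hr)

def smallest_n_for(hr, target):
    """Smallest number of role combinations that covers at least `target` of the workforce."""
    distinct = len({(dept, func) for _, dept, func in hr})
    for n in range(1, distinct + 1):
        if coverage(hr, n) >= target:
            return n
    return distinct

def unassigned(hr, n):
    """Employees whose combination is outside the top n; these go to the manager workflow."""
    covered = {pair for pair, _ in top_combinations(hr, n)}
    return [emp for emp, dept, func in hr if (dept, func) not in covered]
```

Running `smallest_n_for(HR_EXTRACT, 0.8)` on the sample shows that 6 of the 8 distinct combinations already cover more than 80 percent of the staff, the same effect the text describes for the top 50 combinations in a real organization.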

It may be years before the RBAC matrix is 100 percent complete, but by incorporating existing systems and sources, such as the HR system, together with the attention of the manager, populating the RBAC matrix becomes a manageable process with direct results. The result is a positive ROI with respect to the feasibility of RBAC and the amount of effort required to meet IT auditing standards. An indirect benefit is often a reduction in licensing costs, storage requirements and security incidents.

How to deal with Role Based Access Control (RBAC) in relation to Identity Management