Friday, January 11, 2013

Two Proven Methods to Increase Network Security and Productivity

In today’s healthcare environment, two primary technology focuses are increasing network security by restricting access to data and applications, and increasing employee productivity by deploying user-friendly solutions. Several technologies are rapidly being adopted by healthcare providers to assist in these areas.

In reference to the security component, employees need to be given the correct security permissions based on their job roles. Ensuring that employees have the proper access rights greatly improves security, though doing so requires setting controls that can take the IT department months to implement.

Consider using a role-based access control (RBAC) solution to assist with this process. The RBAC matrix is populated with departments, titles, locations and other pertinent information. This provides a proven methodology for defining which employees should have access to which applications and data.

In many cases it is feasible to populate much of the required data by taking an extract from the HR application. Additional extracts from Active Directory, Lightweight Directory Access Protocol (LDAP) and other healthcare systems can provide a snapshot of the way access is currently configured. Reviewing this data and finding employees with appropriate access, in each role, can be the basis for propagating that access to other employees in that role. An access request system can ensure that any deviations from the norm are approved by the appropriate managers and system owners.

As a prerequisite to an RBAC implementation, it is critical that each user have an individual network account. A common practice in healthcare is the use of shared accounts – nurses or clinicians log into a shared workstation with a generic account and access any number of applications. Occasionally, these applications, such as EHRs, will require a second set of credentials, but employees often use a shared account for that access as well.

This makes it difficult to determine who viewed what data and when. An identity management solution, often linked with the HR system, provides an easy way to create individual user accounts and can ensure they are kept up to date with any changes in titles and departments, for example, thus ensuring access is modified when appropriate. Employee departures, also reflected in the HR systems, can easily be detected to ensure all network and application access is revoked in a timely fashion.
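The review described in the two passages above (deriving a per-role baseline from HR and directory extracts, then catching departures) can be sketched as follows. This is an added example, not part of the original post or any product it refers to; the column names, group names, status values and the 75% threshold are assumptions, and the extracts are constructed sample data.

```python
import csv, io
from collections import Counter, defaultdict

# Constructed sample extracts; column names and values are hypothetical.
HR_EXTRACT = """employee_id,department,title,status
1001,Cardiology,Nurse,active
1002,Cardiology,Nurse,active
1003,Cardiology,Nurse,active
1004,Cardiology,Nurse,active
1005,Billing,Clerk,active
1006,Billing,Clerk,terminated
"""
DIRECTORY_EXTRACT = """employee_id,groups
1001,EHR-Read;EHR-Chart
1002,EHR-Read;EHR-Chart
1003,EHR-Read;EHR-Chart;Billing-Export
1004,EHR-Read
1005,Billing-Export
1006,Billing-Export
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_access(hr_text, dir_text, threshold=0.75):
    """Return (role baseline, deviations, accounts to revoke)."""
    hr = {r["employee_id"]: r for r in load(hr_text)}
    access = {r["employee_id"]: set(filter(None, r["groups"].split(";")))
              for r in load(dir_text)}
    members = defaultdict(list)  # (department, title) -> active employees
    for emp, rec in hr.items():
        if rec["status"] == "active":
            members[(rec["department"], rec["title"])].append(emp)
    baseline, deviations = {}, []
    for role, emps in members.items():
        counts = Counter(g for e in emps for g in access.get(e, set()))
        # A group joins the role baseline when enough role members hold it.
        baseline[role] = {g for g, n in counts.items() if n / len(emps) >= threshold}
        for e in emps:
            held = access.get(e, set())
            for g in sorted(held - baseline[role]):
                deviations.append((e, g, "needs approval"))
            for g in sorted(baseline[role] - held):
                deviations.append((e, g, "missing from role baseline"))
    # Departed employees who still hold any access in the directory extract.
    revoke = sorted(e for e, r in hr.items()
                    if r["status"] != "active" and access.get(e))
    return baseline, deviations, revoke
```

The baseline only reflects how access is configured today, so it still needs review by managers and system owners before it is propagated; a role with a single member trivially matches its own baseline.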

One downside of switching to individual accounts is that employees will now need to remember credentials – user names and passwords – for a multitude of systems. A recent survey found that the average clinician spends nearly 10 minutes a day logging in and out of applications. When coupled with the need to remember six or eight sets of credentials, tremendous productivity gains can be accomplished by reducing or eliminating these factors. Implementing a Single Sign On (SSO) application in conjunction with Fast User Switching is a cost-effective approach to resolve this potential downside.

Single sign on allows users to log in once to the network; all of their authorized application credentials are then cached and provided on an as-needed basis. While on the surface this seems to present a security risk, a concept known as strong authentication – for example, providing a piece of information you know, like a PIN code, and using something you have, like a card to scan – can mitigate the risk. By using an access card – likely the same one used for time and attendance or security – users can log into computers with this card and a PIN code, much like going to an ATM. Removal of the card can force an immediate log out of all applications and close the network account.

Fast user switching takes this concept one step further. Imagine a resident making rounds, logging into several computers, usually the closest one to a patient’s room. Fast user switching allows the resident to utilize her access card and PIN code to access the machine and any open applications previously used are immediately available to her, at the same point as when closing out of the last machine. A similar solution is available for the Citrix and Microsoft terminal services environment and is commonly referred to as “Follow Me.”

In summary, using individual network accounts and defining access to systems and data using an RBAC matrix increases the overall security of the hospital information systems, while using an SSO solution allows users to painlessly access the network and have more productive time for patient care.

For more information, please visit our website.
