SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
Filter by tag: secure authentication
User Access Relevance in a HITECH Age
June 3, 2010 at 9:24 AM by David Ting
The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but, spurred by a jolt of healthcare IT investment driven by HITECH mandates, it has renewed relevance today.
The HIPAA Security Rule “specifically focuses on the safeguarding of electronic protected health information (EPHI)… All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.” This NIST 800-66 Revision 1 document provides a comprehensive guide for HIPAA compliance to the Security Rule, and details “Key Activities” to engage in that are segmented by defined categories that are easy to read and navigate.
From a user access perspective, there are important technical safeguards outlined in the areas of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out. Specific Key Activities within these technical safeguard criteria that you should review include:
4.14 Access Control, Key Activity #3: Ensure All System Users Have Been Assigned a Unique Identifier
This requirement is integral to tracking who is accessing what information, and whether they have authorization to do so. Enforcing policies that eliminate credential and password sharing is a crucial complement to this requirement, as it ensures that all activity can be traced back to a specific user identity.
4.14 Access Control, Key Activity #8: Automatic Logoff and Encryption and Decryption
This requirement calls for “electronic procedures that terminate an electronic session after a predetermined time of inactivity.” There are plenty of automatic logoff solutions in the field which satisfy this requirement, but they have hindered workflow by requiring users to actively log back into a system. In a healthcare environment, where doctors, clinicians and staff are sharing workstations and need fast access to patient information, session time-outs can add hiccups when time is of the essence. This was a core consideration when we designed our OneSign Secure Walk-Away solution, which leverages computer vision technology with active presence detection and user tracking to identify an authenticated user in front of a workstation, automatically locking the desktop upon their departure and providing instant re-authentication upon their return. It combines compliance with this Key Activity and real-world workflow for the best of both worlds.
4.15 Audit Control, Key Activity #1: Determine the Activities that Will be Tracked or Audited
This Key Activity serves as a foundational pillar of managing healthcare security risk. Determining what systems and activities need to be monitored and reported on is crucial to closing any potential security breach gaps and streamlining reporting requirements from other sections of the Security Rule. The data breach notification requirements of HITECH that went into effect on Feb. 18, 2010 present new security risks for healthcare organizations, so it’s critical to understand and quickly report on breaches, whether malicious or accidental, to avoid penalties and fines from both state attorneys general and the feds. To do so effectively, one must first establish what is tracked and/or audited, making this Key Activity even more relevant today than before HITECH went into effect.
4.16 Integrity, Key Activity #1: Identify All Users Who Have Been Authorized to Access EPHI
4.16 Integrity, Key Activity #5: Implement a Mechanism to Authenticate EPHI
These Key Activities combine to focus on identifying all approved users with the ability to alter or destroy data, ask questions about user authentication, and seek to determine whether authentication tools interoperate with other applications and systems. These requirements dovetail with audit trail requirements for understanding how information is accessed and authorized, so healthcare entities can report on all aspects of cross-organization healthcare access management.
4.17 Person or Entity Authentication, Key Activity #2: Evaluate Authentication Options Available
Secure authentication is integral to protecting patient information, so it comes as no surprise that the Security Rule calls out commonly used authentication approaches. Specifically, the guideline urges aligning different levels of authentication with an assessment of the risk to the information and systems. Password policy, biometric authentication, smart cards, proximity badges and/or any combination of the aforementioned can satisfy this requirement, but it’s essential that they are all tied together in the form of easy-to-manage identity management; otherwise, it can become unwieldy and burdensome to keep up with as new hires are brought onboard and terminated employees are de-provisioned.
There’s a lot to this NIST resource for navigating the HIPAA Security Rule – it is 117 pages of guidelines and supporting appendices. It’s a tremendous guide to a significant HIPAA compliance requirement. With a recent injection of funds and incentives into the healthcare IT market from HITECH and healthcare reform driving increased investment in electronic medical records (EMR), secure user access to EPHI plays an increasingly important role.
Building on this, the guidelines outlined in the NIST 800-66 Revision 1 document should be applied worldwide, as increased legislation in numerous countries drives greater attention to protecting patient health information in any form and puts stringent requirements around data security and the tools necessary for reporting on activities to demonstrate compliance. It’s a great asset out there for public consumption, and can help drive best practices worldwide.
Fast Access for Clinicians and Secure Patient Data for IT: Can You Have Both?
May 19, 2010 at 2:00 PM by Dr. Barry Chaiken
A couple of weeks ago I moderated a Healthcare IT News webinar session that examined how hospitals today make patient data easily and securely accessible throughout the clinical workflow. I was joined by Dr. Zafar Chaudry, CIO of Liverpool Women’s NHS Foundation Trust & Alder Hey Children’s NHS Foundation Trust, and Dr. Lawrence Losey, Pediatrician, Chief of Pediatrics and Chief Medical Information Officer (CMIO) for Parkview Adventist Medical Center. The session addressed the clinical workflow, process and technology behind providing fast, secure access to patient data, touching on all the areas within a hospital where a workstation sits and anywhere else a clinician may need access.
Dr. Chaudry and Dr. Losey shared their experiences providing fast access to electronic medical records (EMR) for clinicians, as well as strategies and processes for ensuring patient privacy. Dr. Losey highlighted finger biometrics and remote access as huge draws for physicians, and noted that providing doctors with laptops loaded with the applications they need to do their job from anywhere drove EMR adoption for the Parkview team.
Dr. Chaudry discussed how his team organized their approach to streamlining secure access to applications. By conducting workshops to effectively map workflow of clinicians, they were able to measure the before and after effect of what the clinical staff did each day to understand if there was indeed a performance improvement. Findings were telling, as different clinical roles utilized different processes and workflows which showcased how important it was to take people’s real-world daily activities into consideration when planning any type of shift that impacts clinicians. As such, healthcare access management and secure authentication such as proximity cards and fingerprint biometrics play integral roles in enabling effective, efficient workflows.
The move to electronic systems, as Dr. Losey noted, is “a wonderful opportunity to re-engineer your processes.” It’s not enough just to computerize a process; you have to step back and ensure the process is the right one in the first place. Again, it all gets back to clinical workflows. The points made in this session were quite prescriptive for delivering not only a successful EMR experience but a successful clinical workflow experience that encourages widespread adoption.
The panel also examined the impact of new patient privacy mandates in both the U.K. and the U.S., the role of patient data security, the auditability needed to ensure compliance and the impact on clinician workflow. Dr. Losey provided some good anecdotes that illustrated how a complete audit trail is the most powerful way to remind clinical staff that they shouldn’t be ‘snooping’ on patient data records that they weren’t involved with.
The session closed with a number of great questions from the audience that sparked continued knowledge sharing from the panelists. If you weren’t able to attend the live webinar, I suggest checking it out to hear useful insights from some smart medical executives: http://www.imprivata.com/fast_access_for_clinicians_hc_it_webinar
Barry P. Chaiken, MD, FHIMSS
Guest Post: The New Need for Auditing: Privacy and Breach Notification Mandates
March 25, 2010 at 7:57 AM by Ali Pabrai
The HITECH Act, HIPAA, as well as mandates from State regulations (e.g. Massachusetts 201 CMR 17.00), are raising the minimal requirements that organizations such as healthcare-covered entities and business associates must implement to prevent unauthorized access. Further, the Connecticut Attorney General’s lawsuit against Health Net of Connecticut for failing to secure approximately 446,000 enrollees’ Protected Health Information (PHI), and to notify State authorities and enrollees of a security breach, is a reminder that breaches are not just a risk to information, but a risk to the organization.
HITECH Audit Preparedness
Organizations need to take compliance mandates for HIPAA, HITECH and State regulations seriously. Compliance requirements establish the minimal capabilities that organizations must manage and maintain. To be audit-ready, organizations must at a minimum:
- Ensure a robust life cycle is maintained for account access, modification and termination
- Ensure proactive audit and monitoring capabilities are used to track and detect unauthorized access
- Establish Role-Based Access Control (RBAC) to manage job roles and associated access rights (this requires Human Resources to work closely with the Information Technology department)
With the new world order in healthcare driven by privacy and data breach mandates, secure authentication to access patient information is directly in the sights of state AGs and Federal agencies across the country in a concerted effort to tighten data security and ensure patient privacy. As such, effective user authentication is a critical component to avoiding potential breaches and it should enable quick reporting capabilities to prove compliance and appropriate actions taken should anything happen.
More than ever, the Boards of Directors at hospitals, health systems, business associates and others are taking notice and asking an important question – “is the organization compliant with HIPAA and HITECH mandates?” Are you?
Ali Pabrai, chief executive of ecfirst, is a highly sought after security and compliance expert. He is also author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.
Guest Post: ecfirst CEO, Ali Pabrai, on HITECH’s Meaningful Use and Compliance
February 23, 2010 at 12:35 PM by Ali Pabrai
There’s a lot of discussion around meaningful use, its definition and how organizations can obtain the government incentives that recent legislation promises. However, in the dash for these types of healthcare IT investment reimbursements, one must not overlook the role of security risk in satisfying compliance requirements.
For instance, the Centers for Medicare & Medicaid Services (CMS) will withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved. At the state level, State Medicaid administrators will also withhold meaningful use payment for any entity until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA’s Privacy & Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve. For example, physicians are eligible to receive up to $44,000 in total incentives per physician from Medicare for “meaningful use” of a certified Electronic Health Record (EHR) starting in 2011. However, these EHR initiatives are coupled with strong mandates for privacy and security compliance that must be addressed.
In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Specifically, the investigation includes a review of IAM processes related to:
- Establishing user access for new and existing employees
- List of secure authentication methods for users authorized to access EPHI
- Monitoring systems use - authorized and unauthorized
- Granting, approving, and monitoring systems access (for example, by level, role, and job function)
- Termination of systems access
Keep in mind that compliance mandates represent minimal capabilities that organizations must implement and manage proactively. HIPAA and HITECH are the floor and not the ceiling of the core capabilities required to enable a resilient organization. This requires that your information security strategy be risk-based, proactive and integrated.
Ali Pabrai, chief executive of ecfirst, is a highly sought after security and compliance expert. He is also author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.
SSO and Password Management Best Practices
December 9, 2009 at 7:27 AM by David Ting
Imprivata’s Geoff Hogan authored an article for Security Technology Executive last month titled “Passwords in Peril” that delves into the password management conundrum that organizations face with the growing number of applications that employees use daily. While the article succinctly summarizes the helpdesk cost issue, the employee productivity hit and the data security vulnerabilities that a runaway password management problem causes, it also highlights effective single sign-on (SSO) strategies and tactics to overcome these challenges.
I wanted to take this opportunity to pull out a couple of SSO and Password Management best practices that Geoff covered, while adding a couple more.
When Choosing an SSO Solution:
• Scrutinize your real business issues before engaging. Technology can only truly help if it is guided to solve the right problems; an undirected experiment without clear goals won’t lead to long-term benefit for vendor or buyer and will result in wasted cycles.
• Choose a solution that is easy to deploy without modifying your existing infrastructure. If anything goes awry, there is no “Easy Button” to undo expensive custom code or change policies without severe headaches or business interruption. Be sure the undo is as easy as the deployment.
• Make sure an SSO solution fully supports the management of multiple strong authentication methods. This provides the flexibility to segment employees and empower them with the specific user authentication they’ll quickly adopt while ensuring the appropriate levels of security.
When Deploying an SSO Solution:
• Don’t recreate the workflow wheel. Making employees change their daily behavior and jump through security hoops is a surefire way to stifle adoption, and you’ll find users trying to circumvent the system. Make SSO easy for employees to embrace by minimizing change.
• Regularly conduct educational sessions. While SSO should be inherently easy to use, educational sessions for employees around company policies and the technologies that support them are key to getting buy-in and making secure authentication the new status quo.
• Find the internal influencers. Every organization has people that set the tone, regardless of level. Get them on board with how easy SSO is and how it improves productivity, and the rest will follow their lead. Understanding the social influences within a business can help effect positive change.
These are just a few tips. What other best practices do you follow?
--David
Five Security Considerations when Deploying EMR
November 17, 2009 at 8:22 AM by David Ting
EMRs are the hot topic du jour, and rightfully so, with the tax incentives and federal grants tied to them as well as the overall efficiencies they bring to the healthcare industry. The conversation is only now starting to address the role of secure access in deploying EMRs, and I project this will increase in importance and awareness in 2010.
1. The User’s Perspective is Vital
Just because this patient information is moving to an electronic format doesn’t mean the complexity and number of passwords needed to access data decreases. It is important to consider how this migration will impact clinician workflow, as any hiccup or disruption in the healthcare setting can be detrimental to patient data security. Single sign-on technologies, for instance, not only decrease the number of passwords to remember, but also have a direct impact on user workflow and productivity improvements.
2. Strong Authentication Remains a Security Priority
Combining EMRs with employee workflow improvements can be further augmented by utilizing strong authentication, fingerprint biometrics and other modes of two-factor authentication, such as proximity badges, to ensure secure access is limited to those who are truly authorized. Readers of this blog already know the importance of strong authentication; its role and value to the healthcare sector will be vital to data security as EMRs become more widespread.
3. Auditing of Access is a Patient Right
Patients have the right to know who has accessed their information and when, and by law, healthcare organizations are required to track this information. Organizations need to be sure they have a system in place that can quickly and easily report on healthcare access management details, including password sharing, what applications users are authorized to access, and what credentials they are using.
4. Compliance is Still King
Let’s not forget that, although hospitals are being incented to use EMR, this transition cannot be made at the expense of compliance. Government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) were put in place to protect patient information. Electronic medical records are more efficient than paper-based systems, but that shift brings with it a new environment that must be proven secure; otherwise there is a risk of fines, penalties and/or reputational damage.
5. Federation of Identities Equates to a New Level of Required Trust
Federated identity establishes a mutual trust between organizations and systems, enabling the portability of identity information between systems and thus allowing secure access. This plays a central role in the expected efficiencies of EMRs because of the various requirements for patient data privacy, secure access and compliance. It emphasizes the need for secure authentication within one’s own system in order to ensure that trust with other systems can be guaranteed and benefits can be realized.
Tunneling into a Data Breach: The Problem with Remote Access and the Terminated Employee
July 21, 2009 at 1:48 PM by David Ting
Another insider unauthorized access incident came across my radar just as I put the finishing touches on my most recent blog post highlighting Lesmany Nunez’s case as the latest example of a disgruntled employee breaching a network. As of today, the most current remote access security breach involves Danielle Duann, an IT director of a nonprofit organ and tissue donation center.
According to the Department of Justice’s press release, the LifeGift Organ Donation Center claims that Duann’s access had been revoked when her employment was terminated. However, on the evening she was fired, not only was Duann able to access and delete sensitive information such as organ donation database records, but she also tampered with the computer logging function on LifeGift’s servers to mask her actions.
The DoJ also states that Duann pleaded guilty to the charge of unauthorized computer access and was sentenced to two years in prison and three years of supervised release, and was ordered to pay more than $94,000 to her former employer as compensation for this incident.
From my perspective, the two key takeaways from this incident are:
1. The organization thought it had enough security measures in place to prevent a malicious insider attack from occurring
2. Duann was able to remotely access the system after her termination
As mentioned in a blog post last month, using the summer months to check for ghost or orphaned accounts is a worthwhile endeavor. Remote access continues to be a common vulnerability with recently-terminated employees holding the keys to the castle from afar… it happens over and over. How many times have we heard about ex-employees who boast they still have remote access to their former place of employment? This incident should underscore how prevalent security breaches are as layoffs increase, and serve as a reminder to survey and close off every potential entry point to an organization through a sound identity management strategy that ensures secure authentication and access.
What do you think are the key points here?
-David
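An added example (my own code, not from this post or from Imprivata) of the kind of access review the two takeaways above and the audit-readiness lists in the ecfirst guest posts call for: reconciling an HR roster against the enabled remote-access accounts to find terminated-but-enabled and ghost accounts, flagging logins on or after a termination date, and treating one user logging in from two different addresses within minutes as a credential-sharing indicator. The roster, account store and VPN log format are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (assumptions for this example, not real records).
# HR roster export: user -> (status, termination date or None)
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", "2009-06-30"),
    "carol": ("terminated", "2009-07-10"),
}
ACCOUNTS = {"alice": True, "bob": True, "carol": False, "svc_legacy": True}  # user -> enabled
# VPN login log in a constructed 'timestamp key=value ...' line format
VPN_LOG = """\
2009-06-30T22:13:05 user=bob src=203.0.113.5 event=login
2009-07-02T09:02:11 user=alice src=198.51.100.7 event=login
2009-07-02T09:05:40 user=alice src=203.0.113.9 event=login
2009-07-02T10:30:00 user=svc_legacy src=198.51.100.20 event=login
"""

def parse_log(text):
    """Parse each 'timestamp key=value ...' line into a dict; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def terminated_but_enabled(roster, accounts):
    """Accounts still enabled although HR lists the person as terminated."""
    return sorted(u for u, on in accounts.items()
                  if on and roster.get(u, ("", None))[0] == "terminated")

def ghost_accounts(roster, accounts):
    """Enabled accounts with no HR record (orphaned or unowned service accounts)."""
    return sorted(u for u, on in accounts.items() if on and u not in roster)

def post_termination_logins(roster, events):
    """Logins on or after the user's termination date (same-day hits still need review)."""
    hits = []
    for ev in events:
        status, term = roster.get(ev["user"], ("", None))
        if status == "terminated" and ev["ts"].date() >= datetime.fromisoformat(term).date():
            hits.append((ev["user"], ev["ts"].isoformat()))
    return hits

def concurrent_sources(events, window=timedelta(minutes=15)):
    """One user logging in from two addresses within the window: a credential-sharing indicator."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= window:
                flagged.append((user, a["src"], b["src"]))
    return flagged

def access_review(roster=HR_ROSTER, accounts=ACCOUNTS, log=VPN_LOG):
    """Run every check and return the findings keyed by check name."""
    events = parse_log(log)
    return {
        "terminated_but_enabled": terminated_but_enabled(roster, accounts),
        "ghost_accounts": ghost_accounts(roster, accounts),
        "post_termination_logins": post_termination_logins(roster, events),
        "shared_credential_indicators": concurrent_sources(events),
    }
```

On the sample data the review flags bob (terminated but still enabled, and logged in on the evening of the termination date), svc_legacy (no HR owner), and alice's two logins from different addresses three minutes apart; carol, whose account was actually disabled, is not flagged.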