OneSign for Healthcare: Your Questions Answered

Each quarter, we host a webinar, “Introduction to Imprivata OneSign for Healthcare,” to provide hospitals and other healthcare organizations with an overview of the OneSign platform and how it can help save clinicians more than 15 minutes per day and improve the efficiency of the organization.

During the webinar, we review how OneSign can help:

• Increase EMR and CPOE adoption with what we call No Click Access®
• Secure PHI and comply with HIPAA requirements with strong authentication
• Support BYOD initiatives and give physicians fast, secure access to patient information from anywhere, on any device

You can watch the on-demand version of the webinar here. A transcript of the live Q&A from the webinar is below.

Q: What biometric solutions work with OneSign?

A: We have a broad range of the fingerprint readers that OneSign supports. As mentioned during the webinar, we have a unique capability with biometrics. There are other vendors that can do fingerprint authentication, which is where you type in the username and it uses the fingerprint as the password, but we’re able to support fingerprint identification as well as authentication. OneSign can identify the user by their fingerprint, so they don’t have to type in the username.

We support all of the leading biometric vendors out there, whether it’s the swipe sensors that are built into the laptop and tablet devices or the external USB touch sensors.

Q: Can you provide more information about how OneSign integrates with Epic?

A: The Epic EMR system is fairly unique in that it provides an authentication interface that Imprivata OneSign uses to authenticate users. So it does it programmatically; we do not use screen scraping or scripting or custom scripts to authenticate users into Epic. It has the advantage of being backward-compatible with new versions of Epic as they release them. It doesn’t require you to update and modify scripts to make sure those things continue to work over time, so it is fairly unique. That includes both authentication into Epic for the sign on into Epic, as well as any secondary authentication workflows such as signing transactions, like when a physician has to sign a patient chart or close out a patient encounter. We also support ePrescribing and other signing workflows all handled out of the box through our integration with Epic.

Q: Do you support Citrix’s XenClient Enterprise?

A: It’s not something that we have seen demand for yet. There should be absolutely no reason why SSO and authentication shouldn’t work into the virtual machine and the operating system. Please email James Millington at if you’ve got plans to go down that route, or if you’re looking at that as a BYOD solution potentially; we’d love to hear about it.

Q: Does Imprivata have a solution that supports the MEDITECH 6.x platform?

A: Yes we do. We have been part of MEDITECH’s identity and access management partner ecosystem for seven years now through our partner Forward Advantage. Through that partnership, they provide API-level authentication into MEDITECH for both sign-on into MEDITECH as well as for various signing workflows within the MEDITECH system.

Q: How is the badge data protected from unauthorized capture?

A: If you’re talking about just a standard passive proximity badge, the only data on the badge is just the serial number. We support both HID and RF IDeas proximity card readers as well as HID iClass format cards, which are quite popular for building access cards and which do provide encryption. It’s a proprietary HID encryption between the card and the reader. If you want that encrypted channel, iClass is the way to go.

Otherwise it’s just the serial number that is getting transmitted across and most providers rarely just require only the card to access the EMR system. They usually combine it with a second authentication factor which is typically the user’s network password or EMR password.

OneSign lets you set up that grace period so that they don’t have to type the second factor of the password every time. So at the start of their shift, they just tap their badge and enter their password once, and then for the next 4-8 hours as needed they can just tap in and tap out until the grace period expires. This way, if they lose their badge it will only work until the grace period expires or the account is reset. Someone finding the card would need to know their password as well to get access to the system.

Q: Do you have any tools to help migrate from another SSO solution over to Imprivata?

A: Imprivata OneSign has a user account provisioning interface so if you do have a user provisioning system in place, for example from Courion or Tivoli or something similar, users can reset their passwords or get re-provisioned in your system. Those accounts can then get pushed automatically into the OneSign database.

Q: Is CDW an Imprivata reseller?

A: Yes they are, absolutely.

Q: Is there any scripting involved for applications? We currently use an SSO product today that requires scripting to SSO enable apps to enter usernames and passwords.

A: There is no programming or scripting involved. Most SSO products out there require some level of custom scripting, even if they have some wizard-based tools. The wizard-based tools out there usually can’t take it far enough, so there is Java scripting or other type of scripting involved. OneSign is a fully drag-and-drop tool. There is no scripting at all and it provides a lot of different little mechanisms to deal with more difficult applications to single sign on enable.

Over time with these other systems, if you can create a script or a bridge that can do the SSO it makes it very hard to update those and maintain those because those applications are constantly being updated and upgraded. It breaks the scripts and it can cost a lot of money and a lot of time to go and tweak and script the new versions of these.

OneSign has a nice little wizard. You can go in there and click in a few buttons and make the changes very quickly and as soon as you hit “save” in our administrator console it automatically pushes the changes out to the workstations. In fact, there is a nice little mechanism so you can run the new version of the application, the EMR and your target application, and the old version at the same time because you may not want to do a quick cut over. Our system will allow you to have SSO profiles for both and have the credentials, essentially shared between those two programs.

Q: Does Imprivata work with applications including gMed and gGastro, and the specialty EMR systems medFlow, VeraSuite, medSphere, and Open Vista?

A: Our OneSign technology is designed to handle any application that is out there, whether it is Java or HTML or some of the newer technologies whether it’s standard Windows applications, whether it’s running on Citrix hosted systems, whether it’s old legacy green screen applications. We’ve pretty much SSO-enabled just about every application under the sun over the last ten years.

Q: Would there be other ways to control access via the cards? So for example if an employee lost their badge, how would that be handled?

A: If an employee loses their badge, OneSign has a policy option in there that allows them, if they get a temporary badge or a new badge, they can just tap the badge and re-enroll the new one. OneSign will automatically un-enroll or deactivate the previous badge for them. So you can set the policy in OneSign to only allow one badge per user and it will do that deactivation of the previous badge for them. They don’t have to call the help desk to get that done.

Do you have any outstanding questions about how OneSign can help your organization? Ask us in the comments section below.