To do their jobs, today’s clinicians face an ever-increasing number of applications:
- Electronic medical records
- Scheduling tools
- Health exchanges
- Supply ordering systems
And the list goes on and on.
Each of these systems typically requires its own authentication, which leads to a host of passwords that a doctor or nurse must remember in order to access the numerous systems they need to provide even the simplest of patient care. Naturally, each password has its own security parameters around it, further increasing the administrative burden to the end-users and reducing productivity.
To cope with the sheer number of passwords, many end-users try to create passwords that are similar to real words, and they avoid changing their passwords. This, of course, erodes the security of password protection, which in turn causes many CISOs to understandably tighten security policies around passwords. For example, passwords must be changed every 90 days and must use special characters and non-sequential numbers. Unfortunately, this exacerbates the password challenges for end-user clinicians, which increases the cases of forgotten passwords, which in turn increases the level of support needed to assist with forgotten passwords and introduces potential new vulnerabilities.
It’s a never-ending cycle. But there is a solution.
Single Sign-On for Healthcare Organizations.
To more tightly manage the access that users need, many organizations have introduced Single Sign-On (SSO) capabilities. Fundamentally, these tools allow an end-user to sign on once via an authentication tool. This tool then passes a token to the application to verify the user’s credentials. The end-user then only needs to remember a single password that gives them the appropriate access to all their applications. Voilà!
The benefits extend beyond just the ease of access. Because the authentication tool is the only system that needs to house the clinician’s password, password compromises in subordinate systems become less likely.
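The token hand-off described above, as an added example that is not part of the original article or any vendor product: the authentication service is the only component that stores password hashes; it checks the password once and issues a signed, short-lived token listing the applications the user may reach. A subordinate application only needs the verification key, so it never handles the clinician's password at all. The user record, the shared key and the application names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared key between the authentication service and a subordinate
# application. In a real deployment each application would hold its own
# verification key (or a public key for asymmetric signatures).
SHARED_KEY = b"example-sso-signing-key-not-for-production"

# Constructed user directory, held ONLY by the authentication service.
# Passwords are stored as salted hashes; subordinate applications never see them.
_USERS = {
    "dr.jones": {
        "salt": b"salt-1",
        "pw_hash": hashlib.sha256(b"salt-1" + b"correct horse").hexdigest(),
        "apps": {"emr", "scheduling"},   # applications this user is entitled to
    }
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate(username: str, password: str,
                 now: Optional[float] = None, ttl: int = 300) -> Optional[str]:
    """Authentication service: verify the password once, then issue a signed token."""
    user = _USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.sha256(user["salt"] + password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    now = time.time() if now is None else now
    payload = {"sub": username, "apps": sorted(user["apps"]), "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, app: str, now: Optional[float] = None) -> Optional[dict]:
    """Subordinate application: accept or reject a token without ever seeing a password."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None                       # malformed token
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None                       # forged or tampered payload
    payload = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if now >= payload["exp"]:
        return None                       # expired: the user must sign on again
    if app not in payload["apps"]:
        return None                       # authenticated, but not entitled to this application
    return payload


if __name__ == "__main__":
    token = authenticate("dr.jones", "correct horse")
    print("EMR accepts token:", verify_token(token, "emr") is not None)
    print("Supply ordering accepts token:", verify_token(token, "supply") is not None)
```

The short expiry is the point of the design: because a single token unlocks several applications, limiting its lifetime bounds the damage if one is leaked, which is the same concern the article raises in the multi-factor section.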
The hospital environment faces two key challenges when dealing with external users:
- managing access for
- handling authentication
Because hospitals tend to be large employers, they typically experience a healthy amount of turnover. This, combined with a large number of applications and application permissions, creates a significant volume of work to keep an authentication tool current. Additionally, external users such as independent practice physicians with admitting privileges might not have access to an internal authenticator. Without sufficient scope, the true value of a single sign-on tool cannot be unlocked. Yet, without a solid plan for managing a large volume of applications and a variety of users, the implementation cannot succeed. Thinking through the supporting process and implementing automation where possible can help mitigate these risks.
Multi-Factor Authentication in Healthcare Organizations.
One major risk point with single sign-on is that if the password for the authentication tool is compromised, it can potentially expose a broader set of applications to a security breach. This risk can be mitigated, however, by pairing single sign-on with multi-factor authentication (MFA).
Multi-factor authentication, as the name implies, requires a user to validate who they are in more than one way. Typically, these methods authenticate based on factors unique to the user. A password may be something only the user knows while a badge may be something only the user has. Other factors include things such as biometrics or physical location.
A key facet of MFA involves the variety of the factors used. Having two user-defined passwords would not be considered true multi-factor authentication, nor would a combination of a key card and a one-time code sent to a smart phone, as both of these authentication methods rely on objects in the user’s possession.
Even without single sign-on, multi-factor authentication helps keep applications more secure, but the extra steps involved do create more work for end-users. Thinking through the end-user’s workflows is important to ensure authentication processes are optimized. For a nurse working on the floor, for instance, a badge combined with a simple PIN may be the optimal route. For a medical coder who also needs to be able to work from home, a traditional user-defined password paired with a one-time code sent to a phone might work better. Pairing the right form of MFA with the clinical user ensures the optimal result.
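The rule in the two preceding paragraphs, that a combination only counts as multi-factor when the factors come from different categories, and the role-based pairings (badge plus PIN for a floor nurse, password plus phone code for a remote coder), as an added example not taken from the article: each method is mapped to its category (knowledge, possession, inherence, location), a combination is accepted only if it spans at least two categories, and a per-role policy then decides whether that combination is the one chosen for that workflow. The method names, category table and role policies are constructed for this illustration.

```python
from typing import Dict, FrozenSet, Iterable

# Constructed mapping of authentication methods to the factor categories the
# article describes. Note that a one-time code sent to a phone is a possession
# factor: the phone is the object the user holds.
FACTOR_CATEGORY: Dict[str, str] = {
    "password":        "knowledge",
    "pin":             "knowledge",
    "badge":           "possession",
    "key_card":        "possession",
    "phone_otp":       "possession",
    "fingerprint":     "inherence",
    "on_site_network": "location",
}

# Hypothetical per-role policies modelled on the article's two examples:
# each role lists the combinations chosen for its workflow.
ROLE_POLICY: Dict[str, FrozenSet[FrozenSet[str]]] = {
    "floor_nurse":  frozenset({frozenset({"badge", "pin"})}),
    "remote_coder": frozenset({frozenset({"password", "phone_otp"})}),
}


def is_true_mfa(methods: Iterable[str]) -> bool:
    """True only when the presented methods span at least two distinct categories.

    Two passwords, or a key card plus a phone code, both collapse to a single
    category and therefore do not qualify.
    """
    categories = {FACTOR_CATEGORY[m] for m in methods if m in FACTOR_CATEGORY}
    return len(categories) >= 2


def authorize(role: str, presented: Iterable[str]) -> str:
    """Decide whether a set of presented methods satisfies the role's MFA policy."""
    presented = frozenset(presented)
    unknown = sorted(presented - FACTOR_CATEGORY.keys())
    if unknown:
        return "rejected: unknown method(s) " + ", ".join(unknown)
    if not is_true_mfa(presented):
        return "rejected: not multi-factor"
    if presented not in ROLE_POLICY.get(role, frozenset()):
        return "rejected: combination not allowed for role"
    return "accepted"


if __name__ == "__main__":
    for role, methods in [("floor_nurse", ["badge", "pin"]),
                          ("floor_nurse", ["password", "pin"]),
                          ("remote_coder", ["key_card", "phone_otp"]),
                          ("remote_coder", ["password", "phone_otp"])]:
        print(role, sorted(methods), "->", authorize(role, methods))
```

Keeping the category check separate from the role policy mirrors the article's two concerns: the first is a security property that never changes, the second is a workflow choice that an organization tunes per clinical role.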
Improving Clinician Access Improves Patient Care.
A combination of single sign-on and multi-factor authentication can improve the overall experience of clinicians as they navigate a large suite of applications. Thinking through and appropriately designing supporting processes for access management, while looking for ways to automate, helps bring simplicity to the daily routines of your clinicians. Selecting the right technology and designing multi-factor authentication procedures with those routines in mind ensures security improvements do not negatively impact productivity.
The right SSO and MFA strategy makes all the difference. Advizex can help.