Under today’s strict Health Insurance Portability and Accountability Act (HIPAA) requirements, the average healthcare worker is now expected to use multiple different usernames and passwords to access multiple applications. Most users can’t remember more than three passwords, according to the Hurwitz Group, Framingham, Mass., yet are expected to remember six or more. Password management cost estimates today are as high as $200-340 per user per year, according to Forrester Research, Cambridge, Mass., which can add up to hundreds of thousands of dollars for a busy hospital system. The good news is that through single sign-on and biometrics, multiple passwords in healthcare are becoming a thing of the past.
HIPAA fines for ignoring a specific requirement can reach $25,000 per violation. Most at risk are large facilities that process hundreds of patient records. Access to records must also be customized per employee. For instance, a specialist in a hospital should have direct access to all patients within his/her care, but not necessarily to all the patient files in the facility.
Furthermore, keeping a clean audit trail of records access – a requirement of HIPAA – has led some facilities to require positive identification each time a record element has changed, making typed passwords particularly inefficient. In response, information technology (IT) organizations have spent aggressively on security precautions such as firewalls, virtual private networks and other devices controlling TCP/IP, as well as anti-virus software.
Despite all this, “security” remains vulnerable to a password that might be as simple as the user’s birthday, often written on a yellow sticky and stuck to the underside of the keyboard.
Dos and Don’tsOf course, the good news is that the computer industry has set standards on what constitutes a “good” password. As an example, Information Week, the computer industry newspaper, recently compiled the following list of rules:
When creating a password:
DO make your password at least six but preferably eight or more characters long – the longer the better
DO use different kinds of characters in your password – letters and numbers and upper and lower case. Or better yet, use extended ASCII characters
DO change your password every month to six weeks
DO use a password that is easy to remember
DON’T use any part of your user name, full name, address, birth date and so on (e.g. wife’s name, kid’s name, significant other’s name) since this information is readily available to an intruder
DON’T use English or even foreign words susceptible to dictionary attacks
DON’T recycle old passwords or use the same one for different applications
DON’T write it on a sticky note and post it on your monitor
Well, maybe that’s not such good news. The fact is that the easier the password is to remember, the easier it is to be hacked; yet, the harder it is to be hacked, the more likely you will see that infamous yellow sticky hanging in full view.
Applications Through A Single TouchDue to convenience and cost benefits, more and more healthcare organizations are turning to single sign-on (SSO) to manage access to multiple applications. Single sign-on is a password security application that manages the logging in and password entry and management for multiple systems and applications. With the entry of a single user ID and password, SSO applications automatically log users into all the various systems and applications needed to do their jobs. Think of SSO applications as the master key to all the workrooms in a building. Instead of carrying around several keys, you only need one to access all the rooms needed to do your work. These systems allow simple and easy access (including individualized security policies and permissions built-in) to corporate networks and save money on IT administration and help desks, as well as through increased productivity, improved compliance and some mitigated security risks.
But with single sign-on, a much larger world of data can be opened up at one time. Therefore organizations need to be very sure that the user is indeed the user and not someone with a stolen username and password.
Biometrics solutions bring the appropriate safeguard to the single sign-on approach. The most common are fingerprint-based biometrics solutions due in large part to their small size and low cost. Fingerprint sensors that read below the fingerprint surface will be the most useful, because they are the most accurate and because powder, skin cuts, abrasions and roughness should not be permitted to stand in the way of delivering timely patient care.
Computer Associates, Islandia, N.Y., for example, has begun implementing single sign-on solutions at several major hospitals. At St. Vincent Hospital in Indianapolis, for example, Computer Associates’ eTrust single sign-on met the needs of the mobile user while also rising to the challenge presented by shared workstations. When computer sessions are interrupted anywhere in this system of eight hospitals, the station locks automatically, with just a fingerprint required to re-open the session. Fingerprint authentication using TruePrint technology-based fingerprint sensors, from AuthenTec, Melbourne, Fla., further features clean sign-offs and sign-ons, allowing for a quick changeover of users.
St. Vincent has reported very few staff objections. As the various hospital units began to see the pilot units’ time and hassle savings, they demanded the single sign-on benefits for themselves. They have also noted the patient safety benefits reaped in eliminating the sometimes-lengthy time spent in accessing patient records. In an industry where a few minutes can mean the difference between life and death, the quickest, most secure access to records is key.
What Helps the Doctor, Helps the PatientHealthcare workers won’t be the only ones to benefit from single sign-on and biometrics. Consumers are expressing an increased interest in protecting personal property and content-rich material. In fact, a Harris Interactive poll shows that one in six Americans have bought identity-theft protection, in something of a self-help approach to identity theft. Consumers are concerned that most of their medical data is protected with not much more than a flimsy password – easy to lose to theft and easy to forget.
But again, convenience may make the ultimate difference. The same authentication that will make the healthcare professional’s life easier will also eliminate the paperwork hoops through which the patient must jump. With new HIPAA requirements, signatures are required more often, to permit the routing of patient records from doctor to doctor. Patients with fingerprint sensors built into their peripherals, or even directly into their laptops, will be able to digitally authenticate their permissions to records access, without the hassle of hand-delivering signed forms.
Biometrics and single sign-on provide benefits that are tough to argue from anyone’s viewpoint. With the security and convenience they offer, the HIPAA pill just got a whole lot easier to swallow.