Key solutions for addressing the security concerns healthcare organizations face regarding shared versus individual access to group accounts
A major concern for hospitals and healthcare facilities is the security and accessibility of their computers, applications and data. Clinicians, especially nurses, frequently share a common user name and password with several of their peers in an area of the hospital to make it easier to sign onto the computer and not waste additional time switching between users.
The trouble with this practice for the hospital or healthcare organization is that, with several users logged into one machine at once under the same credentials, it is impossible to track how each employee is using the system if an audit trail ever needs to be constructed.
Recently, the U.S. Office of the Inspector General recommended changes to this practice as a way to reduce the security risks of organizations allowing employees to operate their accounts in this manner. The Inspector General pointedly stated that it no longer wants user names and passwords to be shared, but instead wants each user to be identified in the system.
The first step in complying with this recommendation is to create user accounts for every person in the facility who needs to access the network. While this seems like it would be easy to accomplish, a number of factors come into play: ensuring accounts are created in a timely fashion; ensuring proper access rights are given in the network; providing appropriate access to required applications; and making sure the account is disabled when the employee leaves.
In some cases it is feasible to link an HR system to Active Directory and other applications through an automated identity management solution. In other cases, the organization wants more control over the account creation process and wants employees to sign documents and obtain department and systems owner approvals before the account is created. In either scenario, solutions like User Management Resource Administrator (UMRA) can help solve this initial aspect of the issue.
Another practical solution to this problem is the use of a single sign-on (SSO) product. SSO allows each user to sign into the system once and thereafter be automatically logged into each of their applications on the computer without having to enter additional credentials. Results from a recent single sign-on pilot in the healthcare market revealed some concerns with single sign-on, though, including that users' e-mail applications might be available to others. Users said they felt very protective of their e-mail and wanted to make sure that no one else viewed their personal information. Of course, this issue can also occur if users have shared accounts on the same computer and fail to completely close a browser when logged into an e-mail account, for example.
This concern can be easily alleviated with two-factor authentication. Two-factor authentication asks a user to present a second form of identification, such as a pass card, PIN code or USB token, in addition to their AD user name and password in order to access the workstation, which would ensure the security of their e-mail accounts. The combination of single sign-on and two-factor authentication solves a HIPAA security problem while also addressing the users’ concerns about the privacy of their e-mail accounts. Two-factor authentication also allows for fast user switching, thereby reducing the time clinicians spend waiting for their profile to load.
To accomplish two-factor authentication, it is a prerequisite that each user have an individual account, as mentioned above. This individual account, when coupled with an ID badge and reader on a PC, can go a long way toward ensuring that Inspector General and HIPAA compliance are achieved.
By utilizing automated solutions for identity and access management, the burden on the IT staff can actually be decreased while managing more user accounts, as shared staff accounts are eliminated and replaced with individual accounts. Password management solutions, such as single sign-on and password self-service, are also valuable tools for reducing the load on the IT and helpdesk staff.