When the doctor walks up, the computer all but says hello

Strong network authentication can be enough of a problem in an office, but it's even more of an issue in hospitals.

In hospitals "and particularly in our emergency departments -- where clinicians are constantly moving between terminals outside of rooms and patients in them and where terminals may be shared by as many as 50 clinicians in a 24-hour period -- authentication has become a major pain-point for us," says Mick Murphy, chief technology officer at Sisters of Mercy Health System.

The situation is made more complicated because patient information is divided among three separate major systems -- a medical information system from Cerner, a McKesson financial system that holds demographic information, and a picture-archiving and communications system for medical images -- and because each one requires a separate password.

"Logging onto each of these [systems] and searching for the records of a specific individual every time a clinician moves to a new patient is completely untenable," says Murphy. "Our users would revolt. And, in the background, we have to maintain multiple separate user identity files for each user's access to each application."

But the privacy portions of the Health Insurance Portability and Accountability Act require strict accountability for every access of an identifiable medical record. This means that even in a physically secure environment, where only accredited clinicians can enter, everyone accessing the information must be separately identified in an audit trail. In a busy emergency department (ED) with shared terminals, that means that doctors need to log off each time they leave the terminal and each time they need to see a patient record.

And the public nature of hospitals, particularly crowded ED hallways, creates unusual security issues of its own.

"One thing we wanted to do was blank the screen whenever the clinician moved a certain distance away, to avoid leaving sensitive information on display where unauthorized people could see it," says Michael Gutsche, director of information security at the five-state, 18-hospital Catholic health care system.

At the same time, Mercy struggled with the usual problems of provisioning, deprovisioning and reprovisioning that plague many organizations. In recent years, manual methods have become a major productivity roadblock, forcing new hires to wait weeks for access to the data and systems they need to do their work, while behind-the-scenes IT staffers run through checklists, creating user accounts one at a time.

Mercy needed a role-based provisioning system that would let it associate each new hire with the appropriate role, such as "surgical nurse," and automatically generate the needed accounts. When someone leaves, the same system would let the hospital remove that person from the central provisioning system and automatically delete that person's access to the background systems. This need is complicated by the typical hospital IT environment, in which obsolescent, proprietary systems still play central roles because the budget has never allowed their replacement.
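The provisioning requirement just described (role binds a hire to a set of back-end accounts; departure removes all of them) can be modelled in a few lines. The following is an added example, not Mercy's or Sentillion's code; the role catalogue, the system names and the user ids are constructed for illustration. It also handles the reprovisioning case mentioned earlier (a role change is applied as a diff) and includes a reconciliation pass that flags back-end accounts the central system does not know about, which is what manual, checklist-driven provisioning tends to leave behind.

```python
"""Role-based provisioning model (added example; roles and systems are assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical role catalogue: role -> {system: access level}.
# A system absent from a role's entry means that role gets no account there.
ROLE_CATALOGUE: Dict[str, Dict[str, str]] = {
    "surgical_nurse": {"clinical": "read-write", "pacs": "read"},
    "registrar": {"financial": "read-write"},
    "radiologist": {"clinical": "read", "pacs": "read-write"},
}

Change = Tuple[str, str, str, str]   # (action, user, system, level)


@dataclass
class Provisioner:
    # State of each back-end system: system -> {user: access level}.
    backends: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # Central identity record: user -> role. This is the single place HR touches.
    central: Dict[str, str] = field(default_factory=dict)
    audit: List[Change] = field(default_factory=list)

    def _apply(self, action: str, user: str, system: str, level: str = "") -> None:
        accounts = self.backends.setdefault(system, {})
        if action == "delete":
            accounts.pop(user, None)
        else:
            accounts[user] = level
        self.audit.append((action, user, system, level))

    def provision(self, user: str, role: str) -> List[Change]:
        """Hire or role change: diff required accounts against existing ones and apply."""
        wanted = ROLE_CATALOGUE[role]
        current = {s: acc[user] for s, acc in self.backends.items() if user in acc}
        changes: List[Change] = []
        for system, level in wanted.items():
            if system not in current:
                changes.append(("create", user, system, level))
            elif current[system] != level:
                changes.append(("update", user, system, level))
        for system in current:            # access the new role does not carry is revoked
            if system not in wanted:
                changes.append(("delete", user, system, ""))
        for change in changes:
            self._apply(*change)
        self.central[user] = role
        return changes

    def deprovision(self, user: str) -> List[Change]:
        """Departure: drop the central record and every back-end account it implied."""
        changes = [("delete", user, s, "") for s, acc in self.backends.items() if user in acc]
        for change in changes:
            self._apply(*change)
        self.central.pop(user, None)
        return changes

    def orphans(self) -> Set[Tuple[str, str]]:
        """Back-end accounts whose owner is unknown to the central system."""
        return {(s, u) for s, acc in self.backends.items() for u in acc if u not in self.central}
```

Because every create, update and delete passes through one method, the audit list doubles as the record of who was given what and when it was taken away; in a real deployment each entry would also carry a timestamp and the identity of the administrator or workflow that triggered it.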

With these diverse needs, Murphy went shopping for three separate applications. He chose Sentillion's Vergence, which integrates role-based provisioning, advanced biometric and proximity-based security, single sign-on and front-end integration of diverse back-end systems based on a common identifier, such as the patient's name.

The good news, says Murphy, is that it does all these diverse but interrelated things, plus maintaining a fully auditable electronic record of each access to sensitive data showing who accessed it, when, from what terminal and what that person did. The bad news is that while this set of integrated requirements is certainly applicable to other industries using highly regulated data, Sentillion is focused solely on health care providers.

This focus has proved an advantage for the vendor. "We had a two-week bake-off with our five short-listed vendors for the access project," Murphy said. "Because Sentillion started with a greater understanding of such concepts as a shared workstation in a clinical environment and what a nurse does, it created a complete system in those two weeks rather than a work in progress." This was critical to Mercy's purchase decision.

A closer look

Although they use the same software, the biometric/proximity authentication project is separate from the provisioning project, and the two serve distinct populations. In both cases, the user gets a single sign-on for Windows and for all background applications to which he has legitimate access. Office-based employees simply log onto the network as they always did, except that they now use a fingerprint scanner and a password.

Clinicians using shared terminals, however, will carry Xyloc proximity badges, which Sentillion had integrated into its system before delivery. The first time the clinician uses a terminal, he logs on using a single password and fingerprint scan. When he walks away from the terminal, it blanks the screen to preserve privacy, but the background applications continue running. When he comes back, if no one has used that terminal in the interim, it will recognize him from the badge and return the screen to where he was before he left. If someone else has used the terminal in the interim, he must reauthenticate with a fingerprint scan, but because the applications continue running, access takes only a few seconds rather than several minutes.
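The shared-terminal behaviour just described is a small state machine driven by badge events, and the interesting part is the rule that decides how much authentication a returning clinician owes. The following is an added example, not Sentillion's or Mercy's code; the factor names, terminal id and user ids are assumptions. Each transition is written to an audit list, since the HIPAA requirement noted earlier is a per-person record of every access even when the workstation is shared.

```python
"""Proximity-badge session model for a shared clinical terminal (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

FULL_LOGON = frozenset({"password", "fingerprint"})   # first use of a terminal
REAUTH = frozenset({"fingerprint"})                    # someone else used it in between


@dataclass
class Session:
    user: str
    apps_running: bool = True    # background applications are never torn down
    interrupted: bool = False    # another clinician took the terminal since this user stepped away


@dataclass
class SharedTerminal:
    terminal_id: str
    sessions: Dict[str, Session] = field(default_factory=dict)
    foreground: Optional[str] = None
    screen_blanked: bool = False
    audit: List[dict] = field(default_factory=list)

    def _log(self, event: str, user: str) -> None:
        # Who, on which terminal, did what; a real log would add a timestamp.
        self.audit.append({"terminal": self.terminal_id, "user": user, "event": event})

    def required_factors(self, user: str) -> frozenset:
        """Credentials the badge holder must present before the screen is restored."""
        sess = self.sessions.get(user)
        if sess is None:
            return FULL_LOGON        # never logged on at this terminal
        if sess.interrupted:
            return REAUTH            # someone else used the terminal in the interim
        return frozenset()           # badge alone is sufficient

    def badge_detected(self, user: str, presented: Set[str]) -> bool:
        """Badge comes into range; return True if this user now has the screen."""
        if self.foreground == user and not self.screen_blanked:
            return True              # already in front of an unblanked screen
        needed = self.required_factors(user)
        if not needed <= set(presented):
            self._log("denied", user)
            return False
        if user not in self.sessions:
            self.sessions[user] = Session(user)
            self._log("logon", user)
        else:
            self._log("resume", user)
        # Every other clinician's session is now interrupted; this one is fresh.
        for sess in self.sessions.values():
            sess.interrupted = sess.user != user
        self.foreground = user
        self.screen_blanked = False
        return True

    def badge_out_of_range(self, user: str) -> None:
        """Badge holder walks away: blank the screen, leave the applications running."""
        if self.foreground == user and not self.screen_blanked:
            self.screen_blanked = True
            self._log("blank", user)

    def events(self) -> List[str]:
        return [entry["event"] for entry in self.audit]
```

The `interrupted` flag is the whole privacy argument: the screen blanks on walk-away, and the only path back to it without a fresh fingerprint is an unbroken chain of events in which nobody else was authenticated at that terminal. Anything weaker (for example, trusting the badge alone after another user has been in the foreground) would let one clinician's session be resumed in front of the wrong person.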

"We have been working with the Vergence platform for approximately 10 months," says Murphy. The first pilot of the proximity security system went live in July 2005. Today, the rollout is just starting, with the ED at St. John's Mercy Hospital in St. Louis, involving 50 workstations and 250 clinicians, plus an additional 50 workstations in the IT department. After that, the rollout will spread through the system in conjunction with a desktop refresh.

The data access project goes beyond basic single sign-on to automatically integrate information on each patient from multiple background applications on the terminal. The clinician needs to search only once for the patient's name to see everything about that person that he is authorized to know. Behind the scenes this is accomplished using a combination of industry-standard applications incorporating Health Level 7 (HL7) and bridges that Sentillion developed for older, proprietary applications. As a result, the clinician is unaware of the background systems; the complexity and time needed to access patient information shrink to a few seconds, and medical personnel can forget the mechanics of getting to patient data and concentrate instead on patient care.

User provisioning

The user provisioning is now live at Mercy's largest facility, managing 8,000 users. Later this month, it goes live in the second-largest facility, bringing the total number of employees and contract workers under the system's management to 15,000. Again, it works with a combination of HL7 standards and bridges to proprietary systems. It is particularly important because health care makes heavy use of temporary and contract workers at virtually all levels, including nurses and other clinicians. The relatively fast turnover of these workers makes provisioning and deprovisioning more demanding of staff time than at similar-sized organizations.

The ability to use the same integrated software package for both projects obviously offers Mercy advantages. One major dividend is that Sentillion creates a full audit trail. "If we suspect that a record has been accessed fraudulently at any time," says Gutsche, "we can see exactly who accessed that record, from what location, at what time and what that person did with the record."

The next step

Sentillion has not yet solved all the access issues. Even as it rolls out the proximity/single sign-on offering, Murphy's office is looking at extending it into a systemwide federated identity program, so that if a patient from one part of Mercy's system turns up in a hospital in another area the clinicians treating that patient can access his medical records.

Right now, says Gutsche, network authentication works statewide through the five-state medical institution, "so if a patient from one part of Arkansas arrives in an ED in a hospital in another part of the state, the doctor can access his data directly through the network." But, if that patient is in an auto accident in St. Louis, "the doctor basically has to get the information over the phone from Arkansas."

While Mercy does not see a lot of cases of this type, the situation is less than perfect. Mercy is in the beginning stages of developing a solution that will allow clinicians authenticated in any of its facilities to access patient records across the entire health network.

"Our first value is to treat every person as a valued individual," Gutsche says. "We can't deliver on that unless when someone shows up at any hospital or clinic in our system, we know them and can provide the best health care possible."

Copyright © 2006 IDG Communications, Inc.