Signing Up for Single Sign On

Jeff Byers | | Digital Transformation

By assigning one password for all applications, single sign on (SSO) technology gives clinicians speedy access to the apps they need. Armed with SSO, users needn’t write down (then lose) passwords. So what’s the catch? These techniques won’t streamline access if all necessary apps aren’t included under the SSO umbrella, and health IT leaders must make sure their organizations’ password protection and security policies can accommodate an SSO framework.

Time-saving touch

Clinicians at Holy Spirit Hospital, a 316-bed community hospital in Camp Hill, Pa., began using a biometric SSO system from Imprivata in 2008 to access applications in the hospital’s Eclipsys EMR. Roughly 300 to 500 clinicians work in the facility on a regular basis, making secure, easy access to EMR apps a necessity, says Richard Schreiber, MD, FACP, CMIO at Holy Spirit.

“SSO definitely saves time logging in to the network, and subsequently into individual applications,” says Schreiber. The Imprivata system uses a fingerprint reader to identify a clinician, which automatically logs the user into the network, and subsequently into selected applications without the need for further authentication. “There is no doubt that going up to an SSO machine, putting my finger down and getting into the network to quickly jump into an application within a few seconds is clearly an advantage,” he says. “As a general tool, it’s superb.”

However, SSO is not infallible, as Schreiber learned. “Different types of authentication recognition complicate the configuration,” he says. Because Imprivata functions differently within Microsoft Windows at the network level than at the application level, an organization must precisely understand what information the system is providing to the network, he says.

“We have automatic settings that log off users, which we have set to shorter time limits on the SSO devices because it is so easy to log back on to the system. This gives us some enhanced security, and certainly better protection of protected health information,” Schreiber says. “However, the security behind SSO introduces special problems with faxing and e-prescribing. At the moment we don’t have the correct configuration to allow for that feature using SSO.” The lack of fax capability could become a bigger problem if proposed Drug Enforcement Agency (DEA) regulations concerning e-prescribing of controlled substances are approved, he says. “We are actively looking for a solution to this. All of our other applications work smoothly with SSO.”

Passwords and policies

In addition to a traditional username/password authentication system deployed in 2005, the University of California San Francisco Children’s Hospital began piloting an RFID-based technology early this year. Clinicians carry an RFIDeas passive proximity badge that enable them to “tap and go” into the hospital’s Epic EMR application via Microsoft/Sentillion Way2Care software, says Seth Bokser, MD, MPH, medical director for IT.

SSO has allowed the facility to mitigate user authentication problems, says Bokser. “Our help desk gets 8,000 to 10,000 calls per month [and] 15 percent of those calls concern user-authentication problems,” he says. “There would be even more if we asked our users to remember five username-and-password combinations instead of one.”

Users were generally pleased with the convenience of all-in-one access, but they were challenged because UCSF Children’s did not change the requirement to update passwords for the individual applications under the SSO umbrella, says Bokser. UCSF recently changed the password-update policy from 90 to 180 days, and “we’ve now managed to auto-populate expiring application passwords to make this password-update process easier,” he says. “But it still seems like extra work for users to update passwords for individual applications when they are accessing them through SSO.”

Nevertheless, SSO technology is gaining ground in healthcare. “The goals of security and user efficiency were at one time perceived as being opposed. What we’ve seen is a rapid and exciting evolution of our thinking and our technology, including SSO, that empowers us to bring these two goals much closer together,” says Bokser.

Jeff Byers

Related Content

AdvaMed itemizes AI imperatives for ‘the entire healthcare ecosystem’
6 things high-achieving orgs do to wring real value from AI
A modest proposal to rally AI regulators around a simple game plan
4 points crucial to the nimble regulation of GenAI
5 tips to learn AI from scratch and for free
Good AI governance can spell the difference between smashing success and mere learning experience

Around the web

Cardiovascular Business
Payment cuts and beyond: Key takeaways for cardiologists from the 2025 Medicare Physician Fee Schedule

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

AI in Healthcare
A modest proposal to rally AI regulators around a simple game plan

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

Cardiovascular Business
FDA commissioner urges clinicians to join fight against medical misinformation

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."

Design by Adaptive Theme
Trimed Popup
Trimed Popup