The biggest challenge facing health care giant Kaiser Permanente when it was considering options for rebuilding its IT authentication system wasnt related to integration or total cost of ownership. Rather, it was finding a technology that would not stand in the way of its employees.
Serving as the central nervous system for a network of over 400 North American hospital and health care facilities that employ over 150,000 people, Kaiser was looking for a way to lock down access to its sensitive patient data that didnt prevent doctors and nurses from doing their jobs at full speed.
There are many tales of authentication systems that have failed to find favor with health care workers, with industry professionals citing examples of caregivers finding low-tech solutions to circumvent technologies that get in their way. These include methods as simple as leaving passwords written on post-its stuck to shared workstations, or allowing two-factor USB fobs to remain plugged in around the clock.
With the regulatory requirements of HIPAA (Health Insurance Portability and Accountability Act) hanging constantly over their heads, Kaisers IT executives needed a more secure way to log workers into protected databases, but the project couldnt be perceived as a roadblock by its users or it would be much harder to make the system do its job.
"We have all the usual password management challenges that are so notorious, but we also had an even more significant business problem, as every request to sign-on reduces the effectiveness of the care our doctors and nurses are able to provide," said Nathan Harris, enterprise architect at Kaiser, which is based in Oakland, Calif.
"Our primary driver wasnt password management, but improving the workflow for care delivery providers in order to improve the quality of care for customers while facilitating better security."
Adding even more complexity to the project is the fact that Kaisers hospitals operate almost entirely as independent businesses, and traditionally made their own decisions when selecting authentication tools, leading to a patchwork of many different technologies that the firm would be forced to replace or integrate.
After considering a number of different alternatives, Kaiser decided in December 2005 to employ a system that pulls together two specific technologies, an enterprise single-sign on application made by New York-based Passlogix, hitched to active RFID proximity cards designed by Ensure Technologies of Ann Arbor, Mich.
Using the system, initially installed on all of Kaisers shared and clinical workstations, users sit down at a machine which automatically detects the presence of the Ensure card via its wireless RFID transmitter and prompts them to enter their password.
When a user walks away from a machine armed with the system, it automatically locks itself, providing increased security in the event that end users forget to sign-off, or get pulled away by some pressing medical situation.
The authentication technologies have also been tailored to demand additional passwords for specific applications, adding a third layer of protection for Kaisers most sensitive files.
"Theres no question that this combination has substantially improved security over our previous systems, and its also significantly reduced costs related to support of traditional passwords," Harris said. "Enterprise single sign-on was the only thing that could give us complete coverage in regards to authentication, and proximity cards were the only technology that met our strict log-off scenario; and both systems have additional benefits in terms of supporting workflow."
Harris said that Kaiser considered SSO (single sign-on) technologies, which allow users to log into multiple systems using one password, made by a number of larger vendors, including IBM and CA. However, the company found that those technologies required manual production of individual account scripts, making them labor intensive and expensive to maintain.
Ensures RFID card technology was the best the health care firm encountered, Harris said, but its SSO tools were too immature to be used in such a large, distributed environment.
What helped Passlogix win the deal with its v-Go SSO package was the products ease of integration, and the fact that the software maker already had the system up and running at other massive, distributed customers, according to Harris. The installation went relatively smoothly, he said, with integration with Microsofts Active Directory providing a crucial manner of blending the Passlogix software with the firms existing user databases.
The only serious headache experienced during the projects roll out was integrating the system with Kaisers patient records applications, made by Epic Enterprise Software, which are notoriously tough to work with.
"Weve experienced the challenges youd expect in any large enterprise deployment of SSO. A certain percentage of applications are programmed oddly and hard to integrate, and some software makers have better solutions for that than Passlogix, but those were too small to scale," Harris said. "Overall were very pleased and impressed with the technologies used in this project.
Harris said that various Kaiser business units that are not yet up and running on the new authentication system will continue to install it, and he said the company has additional projects planned for the first half of 2007.
Passlogix officials said the Kaiser project serves as a great example of the manner in which its tools can help large, complex organizations tackle their authentication problems.
"In the health care industry HIPPA is a driver to a certain degree, but the biggest driver as in this case is ease-of-use, and weve worked hard to make things as simple as possible for end users," said Scott Bonnell, vice president of business development at Passlogix.