eWEEK Labs senior analyst Cameron Sturdevant recently discussed identity management and single sign-on, especially as the technologies pertain to the health care industry, with Nelson Ramos, an eWEEK Corporate Partner and vice president and regional CIO of Sutter Health, in Modesto, Calif.
eWEEK: What were the business drivers for single sign-on at Sutter Health?
Ramos: The emergence of more common core technologies among vendors has made enterprises more open to the pursuit of "best of breed" vertical-market applications. While that has made data interfacing easier, there has been only marginal progress in security interoperability. The user then becomes the loser, as they have to balance among multiple sign-ons, menu timeouts and network revalidations.
eWEEK: How does technology help your organization balance patient privacy with "need now" physician access?
Ramos: We are hoping that we can find a single-sign-on solution that will provide us with a consistent and expeditious approach to ensuring user security.
Physicians represent one of the most mobile and time-pressured users, yet we ask them to keep the widest variety of sign-on protocols in their heads. It may be the same underlying application, but, today, if they log on from within the hospital, their offices or from their homes, it's all done differently.
eWEEK: What other benefits do you expect from implementing a single-sign-on system?
Ramos: We still are in the product review phase but are looking at increased network security due to the reduced burdens of individualized password resets and maintenance. With most users today being required to know four to five passwords just for business purposes, passwords often become rotations of personal word lists that are often not that hard to decipher. Front-end single sign-on does not totally eliminate back-end password maintenance but allows it to be done less frequently, with longer and more randomized and depersonalized passwords.
eWEEK: Identity and access management takes time and attention to detail. As a percentage of contract cost and/or in terms of a full-time equivalent staff position, what will it cost you to maintain the single-sign-on system?
Ramos: User security and authentication is a business process that we have long been involved in and that has required us to develop the position of enterprise security officer, as well as supplemental resources during special efforts.
eWEEK: What's the next step?
Ramos: We still have not finalized vendors yet. The final selections need to represent a joint concurrence between those who manage security and those who will deploy it during their everyday activities.
In the past, some one-sided selections have been made, with the result that they have become short-lived solutions.