|
From the January 2003 Issue 11th-Hour HIPAA: How Can You Meet the Deadlines? |
Rx for Password Headaches Biometric authentication solution lets physicians be their passwords. By Bruce Peck Here’s a familiar scenario: A physician with a hospitalized cardiac care patient wants to review the patient’s vital statistics prior to prescribing medication. He attempts to logon to the hospital’s network to review the electronic patient record. This is the third hospital the physician has visited today, and he has forgotten his network password. The physician then places an urgent call to the hospital’s IT help desk for assistance. After the help desk verifies the provider’s identity and establishes a new password, the patient record is finally accessible—often 30 minutes later. In an industry where minutes mean the difference between life and death, measures taken to secure patient records and a hospital’s data network can be interpreted as roadblocks to responsive healthcare. When Indianapolis-based St. Vincent Hospitals and Health Care Center Inc. conducted a physician satisfaction survey in early 2000, we learned that the need to remember passwords was a key frustration for our healthcare providers. We were determined to find a better solution. Physician Preference One of the largest healthcare providers in the Midwest, St. Vincent Hospitals and Health Care Center is a network of eight hospitals and ancillary health services facilities in the Indianapolis area. The main hospital includes a major tertiary and acute care center and is home to the Indiana Heart Institute, the state’s largest cardiac care center. The hospital’s computer network services more than 8,000 users and operates 24 hours a day, seven days a week. We launched the physician satisfaction program in an effort to improve the overall experience of local physicians who admit patients to St. Vincent’s. Our business goal was simple: We understand that local healthcare providers have many options when they need to admit a patient. We want St. Vincent’s to be their facility of choice. Hospitals with legacy networks usually have dozens of secure applications, and each may have a unique password. Passwords are changed frequently, sometimes every other month, in an attempt to provide better security. After extensive research, the IT department determined that a single sign-on solution, in combination with biometric authentication, would enable us to completely eliminate the biggest headache for our healthcare providers and IT help desk staff alike: lost or forgotten passwords. We conducted a competitive pilot program to fully test a variety of available solutions before selecting SAFLINK’s SAFaccess™ software, in conjunction with Computer Associates’ eTrust™ Single Sign-on and LifeView’s fingerprint scanner with the AuthenTec sensor. Multiphase Enrollment As a result of the physicians’ survey, we knew we needed to simplify and accelerate access to the hospital’s electronic medical charts and other key applications. However, we needed to be absolutely sure that a rollout would be successful at every stage, as nothing is more critical than timely access to a patient’s electronic medical record. In the summer of 2001, we began the project’s primary phase at the nursing stations on the oncology floor. One of the first problems that we needed to address was the enrollment process. Nurses cannot be removed or absent from the floor, and physicians come and go depending on patient rounds and surgery schedules. We eventually settled on a multiphased enrollment program that capitalized on the places within the hospital that staff and physicians tended to frequent, such as the cafeteria and lounges. One-on-one enrollments were held at a variety of times to catch healthcare workers on swing and night shifts. We found that this personal interaction between an IT staff member and the physician or healthcare worker helped advance the project, because we could immediately address any questions on privacy or safety. When we initiated the project, we were fortunate to have strong support of the nursing director—hence the decision to begin with the nursing stations. Once the rollout was under way and other clinical areas saw the benefits of biometric authentication, the IT department had difficulty keeping up with inquiries. Many hospital units began demanding the biometric authentication installation. Thankfully, our entire team is very responsive, and SAFLINK’s software is user-friendly, so the enrollment process is relatively painless. Meeting Challenges Today, St. Vincent’s has successfully passed the 2,000-user mark, but implementing biometric authentication solutions within the hospital setting has presented a few challenges. A key component of our success has been the group of partners we have assembled for the project. Having a dependable team is especially critical when the IT department is already stretching to meet user demands. We felt that vendors and staff alike comprised a team that was committed to doing whatever it took to keep the implementation moving forward. One of the more interesting challenges we encountered was that our nursing stations are kept as sterile as possible, and hospital policy requires nursing areas to be wiped down periodically. The cleaning solutions we regularly use are not normally compatible with computer keyboards or fingerprint scanners. As a result, SAFLINK, LifeView and AuthenTec developed a silicon seal for the scanner to prevent liquid from seeping inside the casing. AuthenTec also worked to ensure its chip coatings would stand up to cleaning solvents used in the hospital setting. We anticipated problems implementing biometric authentication security measures in clean rooms such as the surgical areas, where protective clothing is required. Surgical personnel could not use fingerprint scanners while wearing latex gloves. The design of certain intensive care areas requires us to use special wall-mounted PCs, another challenge in implementing biometric scanners. Because SAFLINK software is “biometric-agnostic,” we have been able to develop a new strategy for these areas that utilizes iris scanning for clean rooms and special keyboard integrated scanners for wall-mounted PCs. This phase of the program will enter its pilot test in the near future. With the government’s Health Insurance Portability and Accountability Act (HIPAA) privacy rules scheduled to become effective in 2003, it is an added bonus that biometric authentication solutions provide our staff with a more efficient and more highly secure system for accessing patient electronic medical records. We view it as a happy convergence, marrying St. Vincent’s project objectives with HIPAA regulations. Moving Forward According to industry analysts IDC, password management costs between $200 and $300 per user per year. Additionally, market analysts at Giga Information Group in 2001 found that more than 30 percent of IT help desk costs are password-related. By selecting a biometric authentication solution for St. Vincent’s, we meet our objective of making the hospital’s computer networks more user-friendly for physicians. At the same time, we believe we will receive an immediate return on investment through higher productivity and lower IT costs. Our goal is to complete the primary phase of the rollout by the end of the year. In 2003, we hope to initiate the second phase by introducing biometric authentication and single sign-on to our administrative areas such as accounting and human resources, and to begin outreach to our satellite facilities. When the project is finished, approximately 5,000 users will enjoy a faster and easier way to share and use critical patient information. For more information about SAFLINK’s security solutions, www.rsleads.com/301ht-197 Bruce Peck is information security manager at St. Vincent Hospitals and Health Care Center, Indianapolis. Contact him at bapeck@stvincent.org. © 2003 Nelson Publishing, Inc |
