From the May 2002 Issue

Security Savvy

Midwest healthcare system secures patient information with two-factor authentication.

In the realm of IT solutions, nothing satisfies like the successful joining of Web-based technology with systems that were meticulously developed and nurtured in-house to meet specific needs.

Mercy Health Partners–Western Ohio (MHPWO) is in that enviable position. Headquartered in Springfield, OH, MHPWO is part of the 10-region system of Catholic Healthcare Partners that services multiple midwestern states. MHPWO has a 248-member medical staff and 1,696 employees, provides more than 850 licensed acute and non-acute beds, and encompasses acute care hospitals, long-term care facilities, retirement communities, a managed care organization, urgent care centers, outpatient surgery centers, home care and hospice services, and chemical dependency programs.

Recently, MHPWO took a significant step to augment its protection of confidential patient data by adding a two-factor authentication solution to its cadre of healthcare IT. “The most important asset we protect are patients and their personal medical data,” says Dave Slabodnick, the organization’s CIO. “Long before HIPAA, we were dedicated to safeguarding patients’ confidential information.”

PhAST Forward

Ten years ago, before “browser” was a household word, Mercy Health Partners developed an internal text-based system to allow medical staff access to computerized clinical information, and called it PhAST for Physician Access System Terminals. It ran on the AS400 for MHPWO’s intranet and was part of the “green screen” era. “At the time, it was well ahead of its time,” says Slabodnick, “fulfilling a need to get real-time information to physicians.”

With the advent of the Internet and browser-based technology, MHPWO’s IS staff, in conjunction with Perceptus, Ltd., Web-enabled PhAST to make it available to a broader range of employees using different access modalities. PhAST became e-PhAST, with greater functionality and increased access to data by physicians using a browser on-site, at home or from their offices.

Commensurate with the enhancement was MHPWO’s concern for flexible, user-friendly, dependable and hack-proof security—especially a single solution that could be used by medical staff as well as business, administrative and IS staff.

Several months ago, MHPWO turned to CRYPTOCard Corporation and adopted its CRYPTOAdmin Secure Password Technology, employing both hardware and software tokens and considering future use of smart cards as well. Slabodnick was impressed with the two-factor authentication system that sits on top of and works in conjunction with existing security applications, and relies on “something you have and something you know” to authenticate internal users.

The CRYPTOCard choice was, in fact, adopted by MHPWO after the organization tried, deselected and de-installed another security option—so the main players knew exactly what they wanted this time around. Enterprise Systems Manager Roy Cosby, Manager of IS Operations Roger Holmes, and Senior Network Administrator Lee Chamberlain all say that flexibility, ease of installation and administration, scalability and cost were the deciding factors in favor of CRYPTOCard.

“We need different authentication methods for different staff,” says Cosby. “Physicians use hardware tokens for anywhere/anytime access, but administrative and office staff receive software tokens for network access only on-site and only during work hours. Yet, we have one authentication server and one point of maintenance. That combination of token flexibility for multiple users with ease of administration for us was very significant.”

Centralized Authentication

The CRYPTOAdmin server enables an authorized user to access the network from any location, either by dialing into a remote access server or via the Internet. A one-time password is displayed on the hardware token, and the user keys it into the dialog box on the PC or laptop. Because the password is valid only for the current logon session, it prevents would-be hackers from assuming a valid user’s identity with a guessed or stolen password. The user’s one-time password is validated by the server, and the user’s session begins. MHPWO network managers can identify a specific user accessing the network from any location, and not just which computer logged on.
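The sketch below is an added example, not CRYPTOCard's or MHPWO's code. It models the flow just described on one central server: a one-time password that stops working once used, plus the hardware/software token policy Cosby outlines. The article does not describe the token algorithm, so the public HOTP scheme (RFC 4226) stands in for it; the PIN as the "something you know" factor, the user names, the 8:00 to 17:00 weekday hours and the look-ahead window are assumptions.

```python
import hashlib
import hmac
import struct
from datetime import datetime

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, a public stand-in for the token's undisclosed algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class AuthServer:
    """One central server holding every user's token record (hypothetical model)."""
    WINDOW = 3  # look-ahead for token presses that never reached the server

    def __init__(self):
        self.users = {}

    def enroll(self, user, pin, secret, token_type):
        self.users[user] = {"pin": pin, "secret": secret, "type": token_type, "counter": 0}

    def login(self, user, pin, otp, on_site, when):
        rec = self.users.get(user)
        # Factor 1, something you know: the PIN (assumed).
        if rec is None or not hmac.compare_digest(pin, rec["pin"]):
            return "deny: unknown user or wrong PIN"
        # Article's policy: software tokens work only on-site during work hours.
        if rec["type"] == "software":
            work_hours = when.weekday() < 5 and 8 <= when.hour < 17  # assumed hours
            if not (on_site and work_hours):
                return "deny: software token outside policy"
        # Factor 2, something you have: the token's current one-time password.
        for c in range(rec["counter"], rec["counter"] + self.WINDOW):
            if hmac.compare_digest(otp, hotp(rec["secret"], c)):
                rec["counter"] = c + 1  # burn it: this value never matches again
                return "allow"
        return "deny: bad or already-used one-time password"

def demo():
    srv = AuthServer()
    secret = b"12345678901234567890"  # RFC 4226 test secret (constructed sample)
    srv.enroll("dr_example", "4321", secret, "hardware")
    srv.enroll("clerk_example", "9876", secret, "software")
    night = datetime(2002, 5, 4, 23, 0)  # a Saturday, 23:00, off-site
    otp = hotp(secret, 0)
    return [srv.login("dr_example", "4321", otp, False, night),
            srv.login("dr_example", "4321", otp, False, night),  # replayed value
            srv.login("clerk_example", "9876", otp, False, night)]
```

Calling `demo()` returns three decisions: the physician's first logon is allowed, the same captured password is refused when replayed, and the software-token user is refused off-site after hours before the password is even checked.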

IS management also wanted a solution that would work with existing security applications. Utilizing RADIUS authentication, the secure password technology can be applied to any situation. The solution enables remote users to connect with the network through a firewall, RAS/NA, or virtual private network (VPN), while local users can log on via Windows NT, Windows 2000, Windows 98, Windows 95, Unix logon or Web server access. Users can communicate via any combination of dial-up, Internet, ISDN, leased lines or VPN.

It’s important for MHPWO to have centralized authentication control over an increasingly decentralized user environment. The product enables network managers to add or delete a new user, no matter where he is, in about two minutes. One-time passwords eliminate the need for users to remember multiple passwords and for help desk staff to continually reset them.

The CRYPTOAdmin server platform, included in MHPWO’s own Web administration system, supports both hardware and software tokens, and will support smart cards if they are added later in the implementation. The token-authentication system, including the server and software, cost MHPWO about $30,000 for 300 users. The hardware tokens were $50 to $75 each, and Slabodnick says this was considerably less expensive than the system previously used.

Mercy Health Partners is deploying the security solution incrementally and expects to expand its user base throughout the calendar year and beyond. For Slabodnick, essential in the implementation process is assurance that his organization has a security solution that can expand and develop as MHPWO migrates to a new clinical information system and adds new nursing documentation apps in the future.


SOURCE

David Slabodnick
Chief Information Officer
Mercy Health Partners–Western Ohio
Springfield, OH
dslabodnick@health-partners.org

PRODUCT/COMPANY

CRYPTOAdmin Secure Password Technology
CRYPTOCard Corporation
www.cryptocard.com

© 2002 Nelson Publishing, Inc