The internal IT resources required by OhioHealth to
support security tokens really added up. Tokens were lost by physicians who did not access the system on a regular basis and had to be reprovi- sioned by IT. Some physi- cians had multiple tokens from different healthcare
For more information on PhoneFactor solutions: http://www.phonefactor.com/
systems, which made it difficult to keep track. They also discovered that a few physicians were leaving the secu- rity tokens next to their computer, which defeated the purpose. Just like Upstate, OhioHealth
decided to switch from security tokens to phone-based two-factor authentication because it required less overhead and provided a much better user experience at a drasti- cally reduced cost. The solution, provided by PhoneFactor, resulted in a significant savings over the organization’s token-based authen- tication system. OhioHealth was also able to reduce internal costs because the new system required less end-user support and credential management. “We decided to switch to Phone-
Factor’s two-factor solution from tokens because it’s a ‘one and done’ solution. It’s simple to use and sim- ple for the help desk to add a new member or adjust the information for a lost cell phone. PhoneFactor requires fewer resources, reduced management overhead and overall improved customer satisfaction,” says Jim Lowder, vice president, technology for OhioHealth. In addition to being viewed as
an industry best practice, two- factor authentication is a recom- mended method to meet HIPAA requirements. Many state phar- macy boards are following suit, requiring two-factor authentication for verification of electronic medical prescriptions. The Ohio State Pharmacy Board is one such entity, requiring two-factor authentication to secure access to ePrescribing systems. “We need to ensure that the person who is accessing
a patient’s records or prescribing treatment is the person who is authorized to be logging into the system and not someone across the world,” Lowder says. “While a log-in and password can be stolen, people are very protective
(L. to r.) R.J. Dollard, Mike Tubbs and Mark Zeman, part of the technical team responsible for installing, implementing and supporting PhoneFactor authentication at their organization, Upstate Medical University.
of their phones and would quickly realize if it was lost or stolen. With PhoneFactor, the phone is that second factor that ensures privacy of patient records.” Upstate rolled out PhoneFactor’s two-factor au- thentication platform in February 2009. Installation of the service was simple and straightforward, and the IT department did not need to change anything on their systems to make it compatible. They were able to use one of the pre-configured settings, and the PhoneFac- tor security platform was up and running right out of the box. The IT department was able to start testing successfully within an hour of installation. Setting up new users is just as
easy. PhoneFactor integrates with a company’s existing LDAP server, so new users are added automati- cally, and a simple training e-mail is sent out to teach users how to get started. If they need to make any changes, users can securely do so using a self-help menu. In addition to simplicity of use
and installation, the system also of- fers built-in fraud protection since the user receives a phone call any time someone tries to use their credentials to log into the system. If a user’s phone rings and they are not trying to log into the system, they have the option to alert ad- ministrators and have the access temporarily disabled for those user credentials. Mike Tubbs, a network engineer
at Upstate who installed and de- ployed the PhoneFactor solution for the hospital, offers his perspective, “If the solution is simple enough, it will discourage users from cir- cumventing the system by putting patient records on a jump drive and walking away with confidential information.”
Securely authenticating users will become more important as electronic medical records become more prevalent and IT security threats continue to evolve. However, as demands on our healthcare providers con- tinue to increase and budgets continue to tighten, making this both easy and cost effective is critical to success. Both Upstate Medical University and OhioHealth found PhoneFactor’s simple, strong authentication solution to be just the right prescription.
HMT HEALTH MANAGEMENT TECHNOLOGY September 2010 21