By switching to single sign-on and improving passwords and provisioning, Cottage Health System vaccinated its network against the risk of data theft.
The Santa Ynez Valley Cottage Hospital has seen the media circus perform its acts, having treated Michael Jackson for back pain during his 2005 trial for child molestation. But the hospital—which often treats other celebrities in the area—knows it can’t afford to clown around with client confidentiality. To ensure that records will be safe from would-be National Enquirer contributors, the hospital secures its network with the Vergence suite, a series of software products made by Sentillion. They are designed to help healthcare organizations guard their systems and the patient records residing on them. Located in Santa Barbara County, north of Los Angeles, Cottage Health System consists of four hospitals that provide the only hospital care in the area. Together, they handle 55,000 emergency visits and admit 20,000 patients annually.
The four facilities’ combined computing systems, which house information on some 100,000 patients, weren’t always as secure as they are today. “People abused the old system,” says Tammy Johnson, project manager in the information technology department at Cottage. “They could get into places they weren’t supposed to. They would go in with a generic password, and could access information on patients in other units, and we wouldn’t know who the real user was.” Part of the reason for the generic password—one that everyone on a unit would share—was that there were too many separate sign-ons that would have each required a password.
Sentillion’s Vergence SignOn Manager software eliminated that problem with its single sign-on element. Entrance into the system is now granted via a username and a password. Each user now needs only one password, so the system administrator can make sure that it is a strong one.
The use of generic passwords has been eliminated. Now the hospital assigns employees passwords that are randomly generated using an online tool. The passwords are alphanumeric, but pronounceable so they can be easily remembered. They avoid the use of common dictionary terms that can be cracked by simple hacking tools.
Cottage dictates user IDs composed of the first initial of the employee’s first name and the first seven characters of the last name. Numbers are added if there are duplicate names in the system. Employee numbers are not used in user IDs; they are used for payroll and other internal functions, and therefore are best not made public. Once users’ credentials are verified and they have a password, they can be rapidly signed into applications to which they are granted access.
As noted, they can get into these multiple applications through single sign-on. Password management is thus streamlined, and access is simplified. At the same time, because each person has a separate password and no multiple-user passwords are allowed, personnel can be shut out of applications unauthorized for their use.
Vergence Provisioning Manager is another component of the new security system. It gives security officials the ability to grant new users quick, authorized access to all applications and system resources they need. But just as rapidly, when users leave the organization or change roles, their access privileges can be changed or disabled. The provisioning software helps to alleviate the redundant data entry that had to be done in the past, says Johnson.
“We’ve had customers tell us that although they have 4,000 active users, they have 8,000 accounts lingering in their system, because they don’t have an easy way to deprovision people as they turn over or leave that healthcare system,” says Nancy Ham, president of Sentillion.
“Obviously, from a security perspective, that is a serious problem in an age when patient privacy is not only the law, but really paramount public policy,” she says.
Massachusetts-based Sentillion built its Vergence product suite specifically for the healthcare industry. Cottage chose Sentillion in part because the system was compliant with the Health Level Context Management standard, known as the Clinical Context Object Workgroup, or “CCOW,” which Sentillion helped to develop. CCOW allows multiple clinical applications to be coordinated and synchronized according to the user’s specific needs. It is the only healthcare industry standard for single sign-on and context management.
“Sentillion came in and proved to us the system could work and was geared towards the shared workstation environment typical in the healthcare industry,” says Johnson, noting that at the time that was a critical factor given that there were only two vendors for such a product. Also important was that the system was standards-based and intuitive; another plus was that training physicians on how to use the single sign-on and provisioning tools took no more than an hour and a half. But the transition to the new system did take some preparation. Cottage had to work with various vendors over a period of about six months to make its applications compliant with CCOW. In order to accommodate Vergence, applications have to be written to the CCOW standard.
Sentillion creates adaptors, or “bridges,” that connect to the application. In Cottage’s case, Sentillion wrote a series of bridges that enabled the health system’s applications to take full advantage of the Vergence product suite. Other than that, Paul Roscoe, Sentillion’s senior vice president of field operations, says implementation of the system was “perfunctory” and took only a few days. “When one of our customers has a vendor who has adopted the [CCOW] standard, it’s plug and play,” says Roscoe. “There are lots of vendors who have not adopted it, so then we use the Vergence bridges.” (For more information: Jennifer Haas, marketing communications manager, Sentillion; phone: 978/749-0022; fax: 978/749-0023; e-mail: firstname.lastname@example.org. )