Risk
9/4/2012
10:29 PM

When Bad IAM Kills

How health care's urgent need for single sign-on could drive better identity and access management practices across all industries

In health care organizations, the log-in processes that give emergency care physicians access to critical information can be so unwieldy they can potentially lead to "death by clicking," where precious moments are lost due to inefficient IAM and patients die as a result. While this is case-specific to health care, no matter what vertical you're in, bad IAM leads to all sorts of detrimental effects on the business -- ones that technology like single sign-on (SSO) and good IAM practices can drastically reduce, IT experts say.

"The technology to simplify access really plays a role in saving you maybe five seconds up to three minutes, and in health care that's the difference between someone surviving or dying right there," says Frank Villavicencio, executive vice president for Identropy. "In many organizations, single sign-on is really a convenience element. But in situations like this, single sign-on is tested in a life or death situation."

Similarly, a complicated sign-in process could mean the difference between paralysis or full recovery when a stroke patient hits the ER doors, says Dr. Sean Kelly, an emergency physician for Beth Israel Deaconess Medical Center in Boston. In these cases, which Kelly says he sees once or twice a shift, a doctor has to decide quickly about what kinds of medicine to give. Many of the options have a lot of benefits, but could pose significant risk of things like bleeding in the brain if the patient has other pre-existing conditions. What's more, the patient is likely to be confused or unable to talk, so there's no way for the doctor to find out whether the person has an allergy or is already on blood thinners.

"That diagnosis and treatment is very time-dependent. If I have a good system in place, I can very quickly access my medical record," says Kelly, who also works as chief medical officer for IAM firm Imprivata. "I need to log on quickly to the EMR system, and I may need to do some orders and get into the computerized provider order entry system, and all those things take time. If during any step along the way I'm unable to log on or I log on under someone else's name, that has some major ramifications."

To give the problem context, Villavicencio explains that health care is still struggling with managing the migration from paper to electronic records. Sign-on problems are a bit of an offshoot from that root issue, he says.

"A lot of them end up with a whole bunch of disparate systems that are not compatible and don't integrate well," he says. "To provide care to a patient, they need access to all his records, so many cases you're looking at up to 17 accounts that a person might need to have to do their job. When you look at that, the chances of someone forgetting their password is extremely high."


That's where SSO comes in to simplify user interaction. When done right, it can also act as a catalyst to improve workflow, documentation, and billing -- all key factors no matter what vertical you're in, says David Sheidlower, CISO of Health Quest, the largest healthcare system in the Mid-Hudson Valley. He says his SSO deployment was driven by workflow issues and the need to tighten accountability as things like authorizations for prescription drug orders move from wet ink signatures to computer terminal button clicks.

"You really need to know the person who enters whatever on the computer was really the same one named on the account that signs on, so you have to make that sign-on as effortless as possible," he says. "Single sign-on does that."

Health care demonstrates one of the big use cases of SSO, which is the enablement of easy, role-based access control on machines used by multiple people throughout a workday. According to Ed Ricks, it is only one part of an overall solution he likes to call the "invisible computer" approach he has taken as CIO of Charleston-based Beaufort Memorial Hospital.

During the past year-and-a-half, his team has built out a virtual desktop infrastructure that ties cloud applications and each doctor's network-connected home computer to an account that allows them to sign in at terminals throughout the hospital by tapping an SSO-enabled badge to the terminal reader.

"Regardless of where they are, they've got the same screen as the one on their actual PC at home," he says. "When they log out and then log back in from a different machine, they're right at the same place in the application as they were before."

These kinds of follow-me features have crossover appeal in other industries as well, says Sheidlower, an experienced CISO who has also worked in the financial industry.

"For example, at the airport the people who are directing you onto a flight are moving from terminal to terminal," he says. "When they're done with one, they're going to go somewhere else and check in another flight."

Villavicencio explains how in one case a high-end jewelry retailer managed to pump up sales through SSO simplification at sales terminals. The sales process had been frequently gummed up by sign-on problems because salespeople who were very concerned about commission credit were taking a long time switching accounts on terminals during short customer interactions. Just logging in to the mainframe application took them about 30 seconds, and then it was a chore to sign into an inventory application to simply look in a catalog.

"Often the person before them had something going on and would have to shut it off and switch," he says. "All of this would take a minute or two. During the holidays, by the time they're signed in, there could be 100 people coming in and out of the store, and the first customer has already walked away."

No matter what industry an organization new to SSO works in, Sheidlower suggests that, first and foremost, the IT personnel work to clean up their user databases.

"I've talked to other people who've done this, and they all have the same experience," he says. "More than half of the obstacles you face in the first couple of months are from dirty data: duplicate logons, usernames that don't quite match, and things like that cause glitches."
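One way to surface the dirty data Sheidlower describes before an SSO rollout is to run a hygiene pass over a merged export of the account stores. The script below is an added illustration, not code from the article or from any vendor it names; it assumes a CSV export with username, email, display_name and source columns, and the sample rows are constructed.

```python
"""Pre-SSO user directory hygiene check (added example; assumed CSV layout)."""
import csv
import io
from collections import defaultdict

# Constructed sample export: the same people appearing under slightly
# different logons across the AD, EMR, pharmacy and billing systems.
SAMPLE_EXPORT = """username,email,display_name,source
jsmith,jsmith@example.org,John Smith,AD
j.smith,john.smith@example.org,John Smith,EMR
JSmith ,jsmith@example.org,John Smith,Pharmacy
mjones,mjones@example.org,Mary Jones,AD
mjones,mjones@example.org,Mary Jones,EMR
mjones2,mjones@example.org,Mary Jones,Billing
alee,alee@example.org,Alice Lee,AD
"""


def normalize(username):
    """Canonical form used to spot near-matches: trim, lower-case, drop dots/underscores."""
    return username.strip().lower().replace(".", "").replace("_", "")


def find_dirty_identities(export_text):
    """Group records that would collide when mapped onto one SSO identity.

    Returns a dict with three lists of record groups:
      exact        - identical usernames present in more than one source
      near         - usernames that differ only by case, whitespace or separators
      shared_email - one mailbox attached to differently normalized usernames
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_exact, by_norm, by_email = defaultdict(list), defaultdict(list), defaultdict(list)
    for r in rows:
        by_exact[r["username"]].append(r)
        by_norm[normalize(r["username"])].append(r)
        by_email[r["email"].strip().lower()].append(r)
    exact = [g for g in by_exact.values() if len(g) > 1]
    near = [g for g in by_norm.values()
            if len(g) > 1 and len({r["username"] for r in g}) > 1]
    shared_email = [g for g in by_email.values()
                    if len({normalize(r["username"]) for r in g}) > 1]
    return {"exact": exact, "near": near, "shared_email": shared_email}


if __name__ == "__main__":
    for kind, groups in find_dirty_identities(SAMPLE_EXPORT).items():
        for g in groups:
            print(kind, [(r["username"], r["source"]) for r in g])
```

Each flagged group needs a human decision (merge, rename or retire) before the accounts are linked to a single badge or SSO identity; otherwise a sign-on can land under the wrong name, which is exactly the accountability failure the article warns about.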
