InformationWeek 500: Secure Authentication is Good Medcine For Cincinnnati Children's Hospital Medical

Fingerprint readers and pass code generators save caregivers time while complying with state laws.

Mike Fratto, Former Network Computing Editor

September 10, 2008

7 Min Read

In 2007, Cincinnati Children's Hospital Medical Center began a large-scale migration from paper forms to an application suite from Epic Systems, which makes software for managing patients' health data, prescription processing, billing, and other such tasks. The goals of the project are to streamline patient care management, increase the accuracy and accountability of caregivers treating patients, and support the clinical informatics group. The hospital estimates it's about 18% through the Epic deployment and says it's on track to complete the rollout by 2011.

A critical part of the project is called Secure Authentication, which is the authentication and authoriz- ation component that regulates who can prescribe medication and creates an audit trail of who administers the medication. The hospital estimates it has spent approximately $120,000 on Secure Authentication to date--in line with its expectations--to meet authentication and authorization requirements driven by Ohio State Board of Pharmacy regulations. The board is responsible for enforcing the legal distribution of drugs, and its regulations call for positive identification of a user though some means other than a password.

On the continuum of authentication strength, user name and password methods are relatively weak and subject to any number of social engineering attacks. In contrast, biometrics and hardware tokens, which require a personal identification number and a number generated by the token, are stronger. Tying the sensitivity of the transaction to an authentication method provides greater assurance that the transaction was carried out by an authorized person.

InformationWeek Reports

In complying with the regulations, Cincinnati Children's design went beyond the board's strict security requirements, allowing the hospital to gain approval for its authentication plan on the first try. It was the only hospital in the state to receive immediate approval, according to Cincinnati Children's.

"Secure Authentication added an additional level of validation of the identity of the system user," says Tony Johnston, assistant VP and CTO of Cincinnati Children's. "We have always had secure access to all of our systems, both clinical and financial--the guiding principle being that users have the security level to access all of the information and functions they need to be able to do their jobs in compliance with all licensing and regulatory requirements."

Rolling out a game-changing system, where processes move from a paper world to an electronic one, can be a difficult proposition. To ensure that employees felt they had a stake in the decision, project leaders at Cincinnati Children's involved more than 300 people from all levels of the organization during the Epic selection process, getting user feedback and defining requirements according to departmental needs. Actively involving staff helped ensure that the project would be successful and minimized disruptions during rollout.

Once the Epic system was selected, it was up to the hospital's IT department to implement the application suite. The project staff incorporated initial training on the biometric and token authentication system into the training on the Epic platform. This integrated training allowed staffers to familiarize themselves with the new authentication process while learning the software.



For the complete data from our InformationWeek 500 research, download this
InformationWeek Analytics
free for a limited time.

>> See all our Analytics <<

Communications were also essential. Like any large organization, Cincinnati Children's has built a robust internal communications strategy to keep employees informed of changes to hospital procedures. Cincinnati Children's generated newsletters and updates specifically aimed at the Epic rollout, as well as providing demonstrations of the Secure Authentication products under investigation. The project team solicited input and responses. All of that data was folded into the decision-making process, ensuring that no facet of Secure Authentication was overlooked.

Requiring multiple authentication methods to authorize transactions is not new or unique to Epic Systems, Ohio Board of Pharmacy, or Cincinnati Children's. Tiered authentication has been used in many vertical markets to authenticate individuals engaging in high-value or highly sensitive transactions.

In tiered authentication, the authentication method becomes an authorization factor in the process. A user name or password can be easily shared or stolen without the user's knowledge. However, systems based on biometrics or hardware tokens are harder to crack. Users will quickly notice if tokens are missing, and they can report them as lost. These reports alert administrators to disable lost tokens so they can no longer be used.

The next step was choosing an actual physical authentication method that would aid Cincinnati Children's in its drive to reduce paperwork, work with the Epic software, satisfy the Ohio Board of Pharmacy and Epic technical requirements, and increase the accuracy and efficiency in handling prescription medications, all without hampering practitioners' ability to prescribe and dispense medications.

The only way to make absolutely sure the biometric/token authentication system was workable was to conduct a pilot test with clinicians in a live setting. Cincinnati Children's documented its evaluation using an annotated matrix, in which IT scored each product based on usability, technical implementation, support, and security. The organization chose RSA's Secure ID tokens and Sentillion Identix fingerprint readers for its Secure Authentication program.

LESSONS LEARNED DOUBLE UP  Business processes should drive tech deployments. For Cincinnati Children's, that meant two authentication systems were needed to let clinicians handle medications regardless of their location. KEEP MOVING  It's more efficient to address the spirit than the letter of a regulation. At Cincinnati Children's, other authentication options would have stalled plans to streamline processes. THE RIGHT FIT   One authentication method doesn't fit all. Some fingerprints won't work with the readers, some users have a hard time reading their pass codes, and some just prefer one method over the other.

Either authentication method can be used within Epic to authorize the prescription or dispensing of medicines. Cincinnati Children's chose to support both because fingerprint biometrics, although efficient for practitioners, requires fingerprint readers at every workstation that might be used to enter prescriptions into Epic. This isn't always possible: Authorized users might be in an office or clinic within the hospital that doesn't have fingerprint readers, but they still must be able to prescribe medications or document that medications were administered. Tokens like RSA SecureID are a simple-to-use, portable authentication method that satisfy regulations and aren't tied to specific workstations.

In addition, fingerprint readers won't work when the clinician is wearing gloves or, in rare cases, when an employee simply doesn't have clear enough fingerprints to be usable. Cincinnati Children's selected RSA's SecureID tokens as an alternative so practitioners who can't (or won't) use a fingerprint reader can still authorize medications.



Ditching paper forms for electronic records? See what's taking so long.

Download this free
InformationWeek Report

>> See all our Reports <<

Epic Software provides native support for both RSA's Ace Server, used to authenticate the SecureID tokens, and Identix fingerprint readers. During the configuration and rollout of Epic at Cincinnati Children's, IT administrators simply add the required authentication methods into the Epic transaction system, defining which transactions require token or fingerprint authentication.

Illustration by Brian Stauffer

Return to the 2008 InformationWeek 500 homepage

About the Author(s)

Mike Fratto

Former Network Computing Editor

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics and executive editor for Secure Enterprise. He has spoken at several conferences including Interop, MISTI, the Internet Security Conference, as well as to local groups. He served as the chair for Interop's datacenter and storage tracks. He also teaches a network security graduate course at Syracuse University. Prior to Network Computing, Mike was an independent consultant.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights