Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/10/2008
11:45 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

InformationWeek 500: Secure Authentication is Good Medcine For Cincinnnati Children's Hospital Medical

Fingerprint readers and pass code generators save caregivers time while complying with state laws.

In 2007, Cincinnati Children's Hospital Medical Center began a large-scale migration from paper forms to an application suite from Epic Systems, which makes software for managing patients' health data, prescription processing, billing, and other such tasks. The goals of the project are to streamline patient care management, increase the accuracy and accountability of caregivers treating patients, and support the clinical informatics group. The hospital estimates it's about 18% through the Epic deployment and says it's on track to complete the rollout by 2011.

A critical part of the project is called Secure Authentication, which is the authentication and authoriz- ation component that regulates who can prescribe medication and creates an audit trail of who administers the medication. The hospital estimates it has spent approximately $120,000 on Secure Authentication to date--in line with its expectations--to meet authentication and authorization requirements driven by Ohio State Board of Pharmacy regulations. The board is responsible for enforcing the legal distribution of drugs, and its regulations call for positive identification of a user though some means other than a password.

On the continuum of authentication strength, user name and password methods are relatively weak and subject to any number of social engineering attacks. In contrast, biometrics and hardware tokens, which require a personal identification number and a number generated by the token, are stronger. Tying the sensitivity of the transaction to an authentication method provides greater assurance that the transaction was carried out by an authorized person.

InformationWeek Reports

In complying with the regulations, Cincinnati Children's design went beyond the board's strict security requirements, allowing the hospital to gain approval for its authentication plan on the first try. It was the only hospital in the state to receive immediate approval, according to Cincinnati Children's.

"Secure Authentication added an additional level of validation of the identity of the system user," says Tony Johnston, assistant VP and CTO of Cincinnati Children's. "We have always had secure access to all of our systems, both clinical and financial--the guiding principle being that users have the security level to access all of the information and functions they need to be able to do their jobs in compliance with all licensing and regulatory requirements."

Rolling out a game-changing system, where processes move from a paper world to an electronic one, can be a difficult proposition. To ensure that employees felt they had a stake in the decision, project leaders at Cincinnati Children's involved more than 300 people from all levels of the organization during the Epic selection process, getting user feedback and defining requirements according to departmental needs. Actively involving staff helped ensure that the project would be successful and minimized disruptions during rollout.

Once the Epic system was selected, it was up to the hospital's IT department to implement the application suite. The project staff incorporated initial training on the biometric and token authentication system into the training on the Epic platform. This integrated training allowed staffers to familiarize themselves with the new authentication process while learning the software.

DIG DEEPER
MORE DATA AND ANALYSIS
For the complete data from our InformationWeek 500 research, download this
InformationWeek Analytics
Report
,
free for a limited time.

Communications were also essential. Like any large organization, Cincinnati Children's has built a robust internal communications strategy to keep employees informed of changes to hospital procedures. Cincinnati Children's generated newsletters and updates specifically aimed at the Epic rollout, as well as providing demonstrations of the Secure Authentication products under investigation. The project team solicited input and responses. All of that data was folded into the decision-making process, ensuring that no facet of Secure Authentication was overlooked.

Requiring multiple authentication methods to authorize transactions is not new or unique to Epic Systems, Ohio Board of Pharmacy, or Cincinnati Children's. Tiered authentication has been used in many vertical markets to authenticate individuals engaging in high-value or highly sensitive transactions.

In tiered authentication, the authentication method becomes an authorization factor in the process. A user name or password can be easily shared or stolen without the user's knowledge. However, systems based on biometrics or hardware tokens are harder to crack. Users will quickly notice if tokens are missing, and they can report them as lost. These reports alert administrators to disable lost tokens so they can no longer be used.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20663
PUBLISHED: 2021-03-05
Cross-site scripting vulnerability in in Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and ea...
CVE-2021-20664
PUBLISHED: 2021-03-05
Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlie...
CVE-2021-20665
PUBLISHED: 2021-03-05
Cross-site scripting vulnerability in in Add asset screen of Contents field of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and ear...
CVE-2021-28031
PUBLISHED: 2021-03-05
An issue was discovered in the scratchpad crate before 1.3.1 for Rust. The move_elements function can have a double-free upon a panic in a user-provided f function.
CVE-2021-28032
PUBLISHED: 2021-03-05
An issue was discovered in the nano_arena crate before 0.5.2 for Rust. There is an aliasing violation in split_at because two mutable references can exist for the same element, if Borrow<Idx> behaves in certain ways. This can have a resultant out-of-bounds write or use-after-free.