Hospitals Clamp Down On Security

For many medical organizations, a traditional user ID and password is no longer sufficient to access information systems. So hospitals are adopting smart cards, authentication tokens and other devices to add one more security layer. And that's where VARs and systems integrators are coming to their aid.

Silver Cross Hospital, for example, has been working with Chicago-based consulting firm The Burwood Group during the past year to deploy tokens from CryptoCard for employees who occasionally work from home.

"In the background was HIPAA compliance," says Bill Blackburn, systems integration specialist for the Joliet, Ill., nonprofit hospital. "It's not specifically required by HIPAA, but [the act] was a consideration when we were trying to make the system as secure as possible."

The devices, small enough to attach to a keychain, provide a different personal identification number each time an employee logs on to the hospital network. The PIN, which is displayed on the token when the user pushes a button, must be used along with the worker's user ID and password.

Many hospitals have adopted tokens because they're easy to use, which is especially pivotal for technology adoption in hospitals. Silver Cross, in fact, migrated to a browser for remote access because its other system, a VPN client from Check Point Software, was too difficult for employees to install on their home PCs.

"For some people, we ended up having them bring in their PCs from home, and we installed the client here," Blackburn says. "We never rolled it out [to many people] because it wasn't very user-friendly."

In place of Check Point, Silver Cross chose a security gateway and server from Citrix Systems. The Citrix system communicates with most common Web browsers using SSL, and information moving between the computer and the hospital is encrypted.

Also using Citrix technology to provide doctors with home access to medical records is St. Joseph Health System, a $2.7 billion organization that includes 14 hospitals in California, Texas and New Mexico. The physicians can also approve drugs, sign off on changes to patient records and perform other medical activities. The Orange, Calif.-based health-care provider built the Internet-based system with Perot Systems, Plano, Texas, which has a 10-year contract to operate and maintain St. Joseph's IT system.

Now St. Joseph is considering adding tokens similar to CryptoCard's. "It's really important to consider [the doctors'] workflow, minimize the impact on their work processes and hopefully improve them at the same time," says Bill Lazarus, assistant vice president for information systems architecture and security at St. Joseph.

Integration Opportunities

For VARs, reselling technology like CryptoCard's or Citrix's generates some revenue, but the real money is in integrating security systems for the customer. "That's the service piece that's very important," says Mark Theoharous, president of The Burwood Group.

In addition to token-based security systems, other technologies are also gaining popularity in the health-care industry. One example is a similar system that sends the PIN to a cellular phone, rather than requiring the user to carry a device such as a token.

"Every doctor has a cell phone, and everyone knows his cell-phone number," says John Pescatore, a Gartner analyst. "We believe, over time, that one-time password generators [like CryptoCard's] will be replaced by cell-phone-based authentication." Vendors that play in that space include RSA and StrikeForce Technologies.

Another security device that holds potential is the smart card, which has a built-in microprocessor and memory for storing user IDs and passwords for multiple devices, as well as data for financial transactions.

"What we're trying to do is reduce the complications that a user has in terms of the different kinds of tokens, badges and cards he may use to access buildings, individual wards and IT systems," says Peter Sherr, manager of business development for Siemens Information and Communications Networks, which recently unveiled a multipurpose smart card called HiPath Sicurity clinic card that targets hospitals looking for an all-in-one card. "We're trying to find the balance of having a secure environment while not making it onerous to the user."

A major feature of the HiPath Sicurity clinic card is technology that enables a doctor to log in once to a computer system during his shift, and then swipe the card on any computer after that for immediate access to a clinical information system without logging in again, he adds. "[The smart card] can broaden the portfolio of a wide set of value-added resellers and integrators," Sherr says.

For its part, St. Joseph is looking at "proximity cards" for use within clinics and hospitals, Lazarus says. Worn as badges, the cards are read by sensors as employees approach desktops, which immediately log them into the network.

Before putting them in use, however, St. Joseph must first deploy a sign-on system that enables employees to use a single user ID and password to access applications on the network, Lazarus says. St. Joseph is considering technology from a handful of vendors, and hopes to have a pilot project for the cards operating sometime this year.

Antone Gonzalez is a freelance writer based in San Francisco.