Compliance is a complex issue in many industries, and organizations know all too well that there are major fines and other penalties for failing to meet the laws and regulations that apply to them.
Major compliance obligations in the United States, including the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX), together with widely adopted control frameworks such as Control Objectives for Information and Related Technology (COBIT), require businesses to maintain certain standards within their organizations, including protection of data and full disclosure.
Several important HIPAA Security Rule requirements include workstation security, access controls, audit controls and person or entity authentication. HIPAA governs the use and disclosure of patient data and requires healthcare organizations to have appropriate security safeguards in place. COBIT, which is published by ISACA's IT Governance Institute, is not a law but provides "a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit control and security practitioners." SOX, in turn, imposes financial reporting and internal control requirements on all publicly traded companies in the United States; its Section 404 internal-control audits are what drive most of the IT control work.
Address the Organizations' Needs
When looking at compliance needs, there are several areas on which organizations focus and with which they often have trouble. Some of the issues organizations face in meeting compliance needs are:
· How to ensure that passwords aren't easily stolen
· How to easily generate audit trails
· How to meet compliance needs within the organization's budget
· How to track what each employee did on the company's network
· How to protect confidential company and customer data
· How to implement a solution that won't disrupt the organization's processes
Attempting to meet all of these requirements can be daunting, and implementing a separate solution for each can become expensive. The following are five ways a single sign-on (SSO) solution on its own can help your organization meet compliance needs. Organizations should look for these features in an SSO solution to get the best results for their money.
Eliminate shared user accounts
In many organizations, especially in hospitals and other healthcare settings, employees share an account with their colleagues. This is done for convenience: everyone logs in with the same credentials to reach the systems and applications they need to do their jobs. Many organizations are doing away with shared accounts, however, because with a shared account it is impossible to tell which employee did what while logged in. For compliance reasons, health system leaders need to be able to document what each employee is doing on the hospital's network. The HIPAA Security Rule's "unique user identification" specification requires each user to have a unique name or number for identifying and tracking their identity, and the organization must also be able to document each user's role. Shared accounts defeat that requirement outright, and concurrent logons under one identity make whatever audit trail exists meaningless.
In addition, SOX internal-control audits expect "segregation of duties," which cannot be demonstrated when several people act under one account. Simply eliminating shared accounts, though, creates its own problem: employees must then remember a new set of credentials for each system or application. A single sign-on solution mitigates this and makes the move from shared accounts to individual accounts easier on both the hospital and its employees. With SSO, each employee still remembers only a single set of credentials, but that set is unique to that employee. This lets the organization eliminate shared accounts for compliance purposes without drastically disrupting business procedures.
Creating Strong Authentication
Ensuring that your hospital's data and your patients' data are protected is another important part of compliance. Many data protection laws require organizations to have strong access controls in place. The "Person or Entity Authentication" standard of the HIPAA Security Rule requires procedures to verify that a person or entity seeking access is the one claimed; strong authentication is the practical way to meet it.
A single sign-on solution lets companies implement strong authentication in the form of two-factor authentication: the user must present a smart card and enter a PIN code to reach a system or application. The employee therefore needs something they have (the smart card) and something they know (the PIN). Organizations can add further protections, such as automatically locking or closing the application as soon as the smart card is removed, and should look for that feature when evaluating an SSO solution. One caveat: the second factor is only as strong as its enforcement. If the SSO product still accepts a plain user name and password as a fallback, or a downstream application can be reached by a path that bypasses the SSO logon, the smart card adds little, so the fallback must be disabled and the bypass closed.
Easy Audit Trails
HIPAA's audit controls standard requires mechanisms that record and examine activity in the systems that hold electronic protected health information, which in practice means an audit trail covering every user. Organizations should implement an SSO solution in which all end-user activities are logged in the central SSO database. Such products also keep an encrypted copy of every application user name and password in that database so they can log the user in; this credential vault is then the single most valuable target in the environment, so the encryption keys must be held outside the database, access to the vault must itself be logged, and its backups must be protected as carefully as the live copy. The solution should also report exactly which user accounts have access to which applications, along with the dates and times access actually occurred, so that the information can be retrieved easily for later audits. Finally, the SSO solution should exchange all confidential information, credentials included, only over encrypted channels.
Security of Passwords
Ensuring that only the right people have access to critical systems and data is a major part of complying with SOX and HIPAA. Systems often become insecure when employees have to remember several passwords and resort to writing them down, which is very common. This opens the door for unauthorized people to gain access and for a security breach to occur.
Single sign-on mitigates this by replacing an employee's numerous sets of credentials with a single user name and password to remember, which in turn removes the incentive to write passwords down. The solution can also be integrated with password reset software so that passwords are changed periodically for applications that require it. When an application demands a new password after a set period, the SSO software can generate a new one and store it in its vault without the employee doing anything; because no human has to remember that password, it can be a long random string that satisfies the application's policy. Alternatively, the SSO software can prompt the end user to create the new password manually.
Properly Delegate and Revoke Access
Often when an employee is sick or on vacation, a colleague temporarily takes over his or her duties. To make this possible, the covering employee is sometimes simply given the absent employee's credentials, which leaves the network insecure: the colleague can keep logging in whenever they like unless the absent employee remembers to change the password on their return. Even where access is delegated properly, the delegated rights are often never revoked afterwards.
With an SSO solution, an employee can be granted temporary access rights for a set period without ever being given another user's credentials, and when that period ends the access is revoked automatically. In addition, the HIPAA Security Rule's workforce security standard requires termination procedures, so the health system must have a process for revoking a departing employee's access to systems and applications. Revoking access sounds simple, but the task is often overlooked and former employees are left active, especially where the process is not automated.
An SSO solution can also integrate with an account provisioning solution, allowing system administrators to disable an employee's access with one click. This ensures that the former employee no longer has access to the organization's systems and applications.
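The three mechanisms just described, time-boxed delegation without credential sharing, one-step disablement, and an audit trail that names the real actor, are easiest to see together in code. The following is an added illustration written for this page; it is not Tools4ever's product code and the names (`AccessBroker`, `Grant`, `demo`) and the scenario are hypothetical. It keeps delegated rights as separate records that expire on their own, treats a disabled user as denied regardless of any outstanding grant, and records every decision under the identity that made the request.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """A delegated right: `delegate` may use `app` until `expires_at` (hypothetical model)."""
    delegate: str
    app: str
    expires_at: datetime


@dataclass
class AccessBroker:
    """Hypothetical access broker standing in for the SSO back end."""
    entitlements: dict = field(default_factory=dict)   # user -> set of apps they hold directly
    grants: list = field(default_factory=list)         # time-boxed delegations
    disabled: set = field(default_factory=set)         # terminated or suspended users
    audit_log: list = field(default_factory=list)      # one entry per decision or change

    def _log(self, when, actor, action, target, outcome):
        # Every entry names the actual person acting, which is exactly what a
        # shared account can never give an auditor.
        self.audit_log.append({"time": when.isoformat(), "actor": actor,
                               "action": action, "target": target, "outcome": outcome})

    def delegate(self, grantor, delegate, app, hours, now):
        """Let `delegate` use `app` under their OWN identity; no credentials change hands."""
        if grantor in self.disabled or app not in self.entitlements.get(grantor, set()):
            self._log(now, grantor, "delegate", app, f"deny delegate={delegate}")
            raise PermissionError(f"{grantor} cannot delegate {app}")
        self.grants.append(Grant(delegate, app, now + timedelta(hours=hours)))
        self._log(now, grantor, "delegate", app, f"allow delegate={delegate} hours={hours}")

    def disable_user(self, admin, user, now):
        """Termination: one action removes direct rights and every outstanding grant."""
        self.disabled.add(user)
        self.entitlements.pop(user, None)
        self.grants = [g for g in self.grants if g.delegate != user]
        self._log(now, admin, "disable", user, "allow")

    def check_access(self, user, app, now):
        """Decide, and record, whether `user` may open `app` at time `now`."""
        if user in self.disabled:
            allowed = False                      # disabled wins over any grant
        elif app in self.entitlements.get(user, set()):
            allowed = True
        else:
            # Expired grants are ignored, not deleted, so the record survives for audit.
            allowed = any(g.delegate == user and g.app == app and now < g.expires_at
                          for g in self.grants)
        self._log(now, user, "access", app, "allow" if allowed else "deny")
        return allowed

    def who_can_access(self, app, now):
        """Auditor's view: which accounts currently have a path to `app`."""
        direct = {u for u, apps in self.entitlements.items()
                  if app in apps and u not in self.disabled}
        delegated = {g.delegate for g in self.grants
                     if g.app == app and now < g.expires_at and g.delegate not in self.disabled}
        return sorted(direct | delegated)


def demo():
    """Constructed scenario: Alice holds the EHR; Bob covers her eight-hour shift."""
    t0 = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
    broker = AccessBroker(entitlements={"alice": {"EHR"}, "admin": set()})
    broker.delegate("alice", "bob", "EHR", hours=8, now=t0)
    results = {
        "bob_during_shift": broker.check_access("bob", "EHR", t0 + timedelta(hours=1)),
        "bob_after_shift": broker.check_access("bob", "EHR", t0 + timedelta(hours=9)),
        "carol_no_grant": broker.check_access("carol", "EHR", t0 + timedelta(hours=1)),
        "holders_at_noon": broker.who_can_access("EHR", t0 + timedelta(hours=4)),
    }
    # Bob is terminated mid-shift: the grant is still within its window but no longer counts.
    broker.disable_user("admin", "bob", t0 + timedelta(hours=2))
    results["bob_after_disable"] = broker.check_access("bob", "EHR", t0 + timedelta(hours=3))
    results["log"] = broker.audit_log
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points matter for the compliance argument. The grant never carries Alice's credentials, so Bob's activity appears in the log as Bob's, and the expiry check happens at decision time rather than relying on someone remembering to clean up; disabling a user is likewise a single state change that every later check honours, which is the "one click" the text describes.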
Ensuring that your organization meets audit needs within its budget can be a difficult task. With the right SSO solution, organizations can greatly improve their security while meeting compliance needs and staying within budget. SSO also removes many of the hours IT staff spend on credential and access housekeeping, freeing them for more important work.
Employee productivity suffers when staff must deal with password maintenance issues. Every day in a typical healthcare setting, 91 minutes are wasted because of inefficient systems and workflows. On average, healthcare providers log in to workstations and applications 70 times per day and spend only 46 percent of their time on direct patient care. While the data accessed differs from department to department and facility to facility, one thing stays the same: wherever multiple passwords and login credentials are in play, productivity is very likely being hurt. Providing direct access to systems through an SSO, when and where it is needed, is key.
Compliance, of course, is not the only benefit of SSO. The same features also help employees who work remotely, outside the organization's network.
Dean Wiech is managing director of Tools4ever US, a division of the global supplier of identity and access governance solutions, including single sign-on and role-based access control.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations.