Healthcare Cloud Brings Access Control Concerns

N.Y. nurses service finds single sign-on enables its mobile workforce to use its multiple, disparate cloud apps.
The shift to cloud computing has exposed a series of worrisome dichotomies in healthcare, an industry that handles sensitive data and thus has unique privacy requirements.

Consider the Visiting Nurse Service of New York (VNSNY), which supports a largely mobile workforce of more than 14,000 healthcare providers. The cloud allowed the organization to make decisions on technology for business services without having to get the IT department fully involved, according to chief information security officer Larry Whiteside Jr. But that also meant different areas of the enterprise chose different cloud hosts.

Similarly, cloud technology helped mobilize data for thousands of field workers, but having to log into multiple systems was a chore. "The cloud was bringing economics of scale and cost savings in one area, but was bringing complexity in other areas," Whiteside told InformationWeek Healthcare. "We forgot that we had done so much work to get to a single ID, and now we're going away from it," he added.

About a year ago, the IT department was brought to the table after Whiteside learned that disparate business units were making IT decisions without consulting one another. "There needed to be an identity standard ... that could be extended to the cloud," Whiteside said.

VNSNY, which serves 140,000 patients in the New York City area, contracted for access management, identity management, and single sign-on services from Symplified, a Boulder, Colo.-based vendor specializing in cloud security.

In the first quarter of 2011, VNSNY implemented Symplified technology, which itself runs in the Amazon cloud, Whiteside said. Then the IT department started building connectors to each remotely hosted application. Connectors pass security credentials to the cloud-based apps behind the organizational firewall.

"Symplified actually stores nothing," other than the URLs to access each application, Whiteside said, adding that there is no industrywide standard for user authentication. "So there's a lot of hand-holding [with] these third-party applications," he noted. Likewise, users do not need to install software on their workstations or mobile devices.

With the connectors in place, remote workers and other VNSNY employees who don't want to remember multiple user names and passwords simply apply to the IT department for single-sign-on access. The system allows the organization, not the vendor, to retain control over provisioning the proper level of access to each user, even though apps reside in the cloud. "The users are happy and the technology people are happy," Whiteside reports.

The setup is secure enough for VNSNY to support electronic prescribing of controlled substances just by adding the necessary second authentication factor, should demand arise, Whiteside said.

One problem the Symplified technology has not yet addressed is the "bring-your-own-device" phenomenon sweeping across healthcare (and other industries). The Visiting Nurse Service assigns mobile devices to thousands of workers based on job function, but plenty want to use their own smartphones and tablets on the organizational networks.

"We say we're not supporting it, but that doesn't stop them from trying it," Whiteside said. "Where there's a way to get around it, people are going to try."
