Healthcare Cloud Brings Access Control Concerns - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Software as a Service
11:51 AM

Healthcare Cloud Brings Access Control Concerns

N.Y. nurses service finds single sign-on enables its mobile workforce to use its multiple, disparate cloud apps.

6 Top-Notch E-Prescribing Options
(click image for larger view)
Slideshow: 6 Top-Notch E-Prescribing Options
The shift to cloud computing has exposed a series of worrisome dichotomies in healthcare, an industry that handles sensitive data and thus has unique privacy requirements.

Consider the Visiting Nurse Service of New York (VNSNY), which supports a largely mobile workforce of more than 14,000 healthcare providers. The cloud allowed the organization to make decisions on technology for business services without having to get the IT department fully involved, according to chief information security officer Larry Whiteside Jr. But that also meant different areas of the enterprise chose different cloud hosts.

Similarly, cloud technology helped mobilize data for thousands of field workers, but having to log into multiple systems was a chore. "The cloud was bringing economics of scale and cost savings in one area, but was bringing complexity in other areas," Whiteside told InformationWeek Healthcare. "We forgot that we had done so much work to get to a single ID, and now we're going away from it," he added.

About a year ago, the IT department was brought to the table after Whiteside learned that disparate business units were making IT decisions without consulting one another. "There needed to be an identity standard ... that could be extended to the cloud," Whiteside said.

[ Doctors are using tablets, smartphones, and mobile EHRs in their medical practices, but are slow to adopt cloud computing and telemedicine. Learn why. ]

VNSNY, which serves 140,000 patients in the New York City area, contracted for access management, identity management, and single sign-on services from Symplified, a Boulder, Colo.-based vendor specializing in cloud security.

In the first quarter of 2011, the VNSNY implemented Symplified technology, which itself runs in the Amazon cloud, Whiteside said. Then the IT department started building connectors to each remotely hosted application. Connectors pass security credentials to the cloud-based apps behind the organizational firewall.

"Symplified actually stores nothing," other than the URLs to access each application, Whiteside said, adding that there is no industrywide standard for user authentication. "So there's a lot of hand-holding [with] these third-party applications," he noted. Likewise, users do not need to install software on their workstations or mobile devices.

With the connectors in place, remote workers and other VNSNY employees who don't want to remember multiple user names and passwords simply apply to the IT department for single-sign-on access. The system allows the organization, not the vendor, to retain control over provisioning the proper level of access to each user, even though apps reside in the cloud. "The users are happy and the technology people are happy," Whiteside reports.

The setup is secure enough for VNSNY to support electronic prescribing of controlled substances just by adding the necessary second authentication factor, should demand arise, Whiteside said.

One problem the Symplified technology has not yet addressed is the "bring-your-own-device" phenomenon sweeping across healthcare (and other industries). The Visiting Nurse Service assigns mobile devices to thousands of workers based on job function, but plenty want to use their own smartphones and tablets on the organizational networks.

"We say we're not supporting it, but that doesn't stop them from trying it," Whiteside said. "Where there's a way to get around it, people are going to try."

As healthcare providers of all shapes and sizes start implementing electronic medical records systems, security must be a top priority. Here's what you need to be thinking about to ensure your system is locked down. Download the report here (registration required).

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/7/2011 | 9:16:38 PM
re: Healthcare Cloud Brings Access Control Concerns
We agree that the increase in mobile workers, particularly in vertical markets like healthcare, is creating more scrutiny on how to manage identity and access risk in the cloud while demonstrating compliance with regulations such as HIPAA and HITECH. Employees are using company-issued or personal mobile devices to access sensitive and confidential patient data from all kinds of entry points behind and outside of the corporate firewall. While these alternatives for accessing data are considered necessary for the productivity of todayG«÷s workforce, enterprises are becoming less confident about how to ensure that secure and appropriate access is in place as a recent survey we conducted revealed. Thirty-three percent of enterprises we surveyed did not have a policy in place that governs mobile device access to cloud applications. As organizations move mission-critical applications and data onto mobile devices and make more use of cloud-based platforms they must apply the same level of identity and access management requirements as they do for internal applications. Companies need to understand who is responsible for managing identities, how to ensure the right access is available for the right people, and what the proper mix of preventative and detective controls is to best secure both their on-premise and mobile environments.

Dave Fowler, Courion (
Lisa Henderson
Lisa Henderson,
User Rank: Apprentice
12/6/2011 | 1:39:06 AM
re: Healthcare Cloud Brings Access Control Concerns
I would more than agree that the phenomenon of people wanting to use their own smartphones and tablets is only going to increase. I wonder what the near future will hold in regard to that?

Lisa Henderson, InformationWeek Healthcare, contributing editor
Data Science: How the Pandemic Has Affected 10 Popular Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/9/2020
The Growing Security Priority for DevOps and Cloud Migration
Joao-Pierre S. Ruth, Senior Writer,  9/3/2020
Dark Side of AI: How to Make Artificial Intelligence Trustworthy
Guest Commentary, Guest Commentary,  9/15/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
IT Automation Transforms Network Management
In this special report we will examine the layers of automation and orchestration in IT operations, and how they can provide high availability and greater scale for modern applications and business demands.
Flash Poll