Healthcare Cloud Brings Access Control Concerns - InformationWeek

Healthcare Cloud Brings Access Control Concerns

N.Y. nurses service finds single sign-on enables its mobile workforce to use its multiple, disparate cloud apps.

The shift to cloud computing has exposed a series of worrisome dichotomies in healthcare, an industry that handles sensitive data and thus has unique privacy requirements.

Consider the Visiting Nurse Service of New York (VNSNY), which supports a largely mobile workforce of more than 14,000 healthcare providers. The cloud allowed the organization to make decisions on technology for business services without having to get the IT department fully involved, according to chief information security officer Larry Whiteside Jr. But that also meant different areas of the enterprise chose different cloud hosts.

Similarly, cloud technology helped mobilize data for thousands of field workers, but having to log into multiple systems was a chore. "The cloud was bringing economics of scale and cost savings in one area, but was bringing complexity in other areas," Whiteside told InformationWeek Healthcare. "We forgot that we had done so much work to get to a single ID, and now we're going away from it," he added.

About a year ago, the IT department was brought to the table after Whiteside learned that disparate business units were making IT decisions without consulting one another. "There needed to be an identity standard ... that could be extended to the cloud," Whiteside said.


VNSNY, which serves 140,000 patients in the New York City area, contracted for access management, identity management, and single sign-on services from Symplified, a Boulder, Colo.-based vendor specializing in cloud security.

In the first quarter of 2011, VNSNY implemented Symplified technology, which itself runs in the Amazon cloud, Whiteside said. Then the IT department started building connectors to each remotely hosted application. Connectors pass security credentials to the cloud-based apps behind the organizational firewall.

"Symplified actually stores nothing," other than the URLs to access each application, Whiteside said, adding that there is no industrywide standard for user authentication. "So there's a lot of hand-holding [with] these third-party applications," he noted. Likewise, users do not need to install software on their workstations or mobile devices.

With the connectors in place, remote workers and other VNSNY employees who don't want to remember multiple user names and passwords simply apply to the IT department for single-sign-on access. The system allows the organization, not the vendor, to retain control over provisioning the proper level of access to each user, even though apps reside in the cloud. "The users are happy and the technology people are happy," Whiteside reports.

The setup is secure enough for VNSNY to support electronic prescribing of controlled substances just by adding the necessary second authentication factor, should demand arise, Whiteside said.

One problem the Symplified technology has not yet addressed is the "bring-your-own-device" phenomenon sweeping across healthcare (and other industries). The Visiting Nurse Service assigns mobile devices to thousands of workers based on job function, but plenty want to use their own smartphones and tablets on the organizational networks.

"We say we're not supporting it, but that doesn't stop them from trying it," Whiteside said. "Where there's a way to get around it, people are going to try."


12/7/2011 | 9:16:38 PM
re: Healthcare Cloud Brings Access Control Concerns
We agree that the increase in mobile workers, particularly in vertical markets like healthcare, is creating more scrutiny on how to manage identity and access risk in the cloud while demonstrating compliance with regulations such as HIPAA and HITECH. Employees are using company-issued or personal mobile devices to access sensitive and confidential patient data from all kinds of entry points behind and outside of the corporate firewall. While these alternatives for accessing data are considered necessary for the productivity of today's workforce, enterprises are becoming less confident about how to ensure that secure and appropriate access is in place as a recent survey we conducted revealed. Thirty-three percent of enterprises we surveyed did not have a policy in place that governs mobile device access to cloud applications. As organizations move mission-critical applications and data onto mobile devices and make more use of cloud-based platforms they must apply the same level of identity and access management requirements as they do for internal applications. Companies need to understand who is responsible for managing identities, how to ensure the right access is available for the right people, and what the proper mix of preventative and detective controls is to best secure both their on-premise and mobile environments.

Dave Fowler, Courion (
12/6/2011 | 1:39:06 AM
re: Healthcare Cloud Brings Access Control Concerns
I would more than agree that the phenomenon of people wanting to use their own smartphones and tablets is only going to increase. I wonder what the near future will hold in regard to that?

Lisa Henderson, InformationWeek Healthcare, contributing editor