Sumner Regional Health Center doesn't like to mess with passwords. In July, Sumner Regional, a 145-bed medical facility in Gallatin, Tenn., decided it needed to provide a secure, easy, and HIPAA-compliant way for doctors and nurses to access medical systems. Vickie Carter, director of IT security for the medical center, says passwords alone would have been cumbersome, forcing medical personnel to remember complicated passwords that, to be HIPAA-compliant, would have had to include a combination of letters, numbers, and upper- and lowercase characters. That would have meant plenty of forgotten passwords and an inevitable boost in help-desk password-reset calls. Sumner searched for a better way, looking at biometric and other authentication technologies. But Carter and her team feared biometrics might not function adequately in the emergency room.
In the end, Carter and her team decided to go with proximity badges from Ensure Technologies Inc. The resulting system, called Xyloc, consists of location-aware badges that hold the logon credentials of their wearers and a radio transceiver on the PCs. When medical personnel with the appropriate badges approach, they're logged on to the system. The proximity badges also do something passwords, smart cards, and biometrics can't--shut down an application when the user walks away from the terminal. "It knows you're gone. It's flexible and can be based on how close or far away you want people logged in to and off of the system," Carter says. The system logs medical personnel on to Sumner's NT network as well as its emergency-department management system.
Xyloc took some getting used to for employees. "It was an entirely new type of system for the staff to get used to," Carter says. For instance, if several nurses approached a PC at the same time, which nurse gets logged on and controls the system first?
Also, Carter had to have the system tweaked when it became apparent that some employees were removing their badges and leaving them near the system, so they could stay logged on. Carter fixed that unwanted loophole by having users logged off automatically if their badges remain still for too long.
Overall, the deployment has been a success. "We've not had one complaint," Carter says. The system is deployed in Sumner's emergency room, with about 100 users. But Sumner has grander goals in mind. Says Carter, "We've had our HIPAA consultants conduct our gap and risk analysis, and they're expressing great satisfaction with the system. We'd like to deploy it throughout the entire hospital."