When lives are at stake, no doctor or nurse wants to be locked out of a system because he or she cannot remember a password. Getting the job done and helping the patient will always override any concerns of information security.
But security is still important in the medical world, and patient privacy has to be protected. Any security measures therefore have to be as transparent as possible – and certainly should not prevent legitimate users from doing their jobs.
A need for single sign-on software
Until recently, the 8,000 members of staff at East Kent Hospitals University Foundation NHS Trust had no password management and were drowning in a sea of different passwords that they needed to remember to access various parts of the network.
"Users had multiple applications with usernames and passwords," said Nicola Ellingham, a project manager at the trust. "It was the usual story – usernames and passwords kept on the back of smart cards or ID badges, or kept in books by computers, or even written on the computers."
In addition, one user would often tailgate another without logging in with his or her own credentials, just to save time. "There was always a danger that something could happen to a patient, an entry would be put into the patient administration system, and we would not know who did it," said Ellingham.
She was brought in to find an alternative system that would strike the balance between security and ease of use for the staff who cover a large area of East Kent, including three major hospitals and about 20 smaller centres.
At the time, there was no co-ordinated policy on passwords. Responsibility for application passwords lay with the individual application managers and so, as she said, "it could be quite arbitrary. It was a local decision, and not mandated by the head of IT."
Email and network passwords could be reset by a help desk service provided by an outside body, the Health Informatics Service. But that would run from only 9 to 5, Monday to Friday, and so anyone needing help with a password reset would have to wait – or share someone else's credentials.
But that is now in the process of changing. Since August, the trust has been implementing a single sign-on (SSO) software product, the OneSign appliance-based system from Imprivata, Inc.
Before choosing OneSign, Ellingham said she looked at several possible products, all of which did a similar job - allowing users to authenticate themselves just once to gain access to all their authorised applications. But the choice was complicated by the fact that East Kent, unlike most other trusts, still uses Novell Netware, from Novell Inc., to run its networks and Novell eDirectory for its user accounts.
She was anxious to choose a single sign-on system that would not destabilise their complex infrastructure. "We wanted something that would not interfere with our user directory. We didn't want anything that would sit on it or change the schema in it," she said. "Our eDirectory is very large, and had not been well managed. It had a lot of redundant accounts, and we were reluctant to do anything that would de-stabilise that schema. We wanted a solution that would provide a black box between the user and the schema. That's what attracted us to an appliance-based solution."
The Imprivata system was also able to link to multiple types of directories, which was another requirement, because East Kent needs to connect to other NHS bodies that run Active Directory.
The single sign-on software rollout
East Kent has installed three OneSign appliances, one at each of its principal hospitals, mainly to provide redundancy in case of a failure.
The first phase of the project has been to get the single sign-on system to learn how each application handles logins, so that it recognises a login screen, a successful login screen, a login error screen, and so on.
Ellingham said that most of this has now been done, with 68 separate applications profiled so far on the system. "Profiling is quite easy," she said. "Imprivata has some ingenious tools for getting around the idiosyncrasies of some applications that behave in strange ways. Most of the time it all works beautifully."
The aim of single sign-on (SSO), of course, is to make it easy for people to log in, but that means the initial authentication has to be more rigorous – relying on a single username and password would be wildly insecure.
The solution for this is the NHS smart card – a chip-based card that is being issued gradually to all NHS staff. Current models fit into a reader, but a new generation will be proximity cards, which will allow busy clinical staff just to step up to a terminal, enter their PIN, and gain immediate access.
So far, East Kent has registered about 500 users, with the rate of progress governed by people having been issued with smart cards. "Our biggest problem has been to get the single sign-on software and the identity agent software provided by Connecting for Health [the governing body for IT in the NHS] for connecting to smart cards, out on to the desktops," said Ellingham.
As she said, if they were using Active Directory and SMS (Microsoft Systems Management Server), it would have been fairly easy to distribute the software to targeted groups, but they have been forced to write special scripts for the job or do manual installation.
Single sign-on user enrollment
The first time users log in with their smart card on the new system, OneSign recognises it is as a new certificate and initiates an association process with the user directory, so that the card is associated with the user account.
Users then log on to their applications in the normal way, entering their usernames and passwords (hopefully for the last time), and these are recorded by the single sign-on system.
The next time they log in, they merely insert their smart card, enter a single passcode, and single sign-on takes care of all logins. If they forget their smart card, the system will allow them to authenticate themselves by answering a series of pre-registered security questions (for instance, mother's maiden name), but that facility will be used sparingly.
Finally, as part of the rollout, a member of each department has been trained up as an single sign-on champion, so that they can answer any queries and help their colleagues with any problems.
It is early days, but Ellingham hopes it will not only cut down on helpdesk calls, but more importantly, that password policies can now be properly operated right across the trust, without the help of sticky notes stuck to computer screens.