Upstate Medical University and OhioHealth find PhoneFactor's phone-based authentication solution to be just the right prescription.
One of the chief concerns of widespread implementation of electronic medical records (EMRs) is how to secure those records. With the volume of electronic data growing exponentially and access points expanding outside the hospital walls, securing access to hospital networks and the protected health records they contain requires strong, two-factor authentication. However, solutions like security tokens are costly to implement and a pain for IT departments and end users.
Increasingly, healthcare organizations are swapping out their security tokens for an innovative authentication solution that leverages a device users already have — their phone — to enable strong security that is both user friendly and cost effective. The Upstate Medical University in Syracuse, N.Y., recently implemented phone-based authentication from PhoneFactor to secure their growing base of remote users. The result: increased remote usage with less hassle for both the end users and the IT staff, which enables healthcare practitioners to focus on their number one priority — patient care.
Upstate Medical University, the region's only Level 1 trauma center, hosts more than 80 specialty clinics and serves more than 300,000 patients every year at the hospital and its ambulatory sites with a network of 400 physicians and 300 residents.
Upstate had been using security tokens to provide an important second factor of authentication for remote access via SSL VPN from home and other remote locations. Over time, the system proved to be expensive and cumbersome for IT to manage. Security tokens had to be provisioned by IT and carried by each user. Adoption among staff and clinicians was low. Upstate began looking for an alternative that provided strong security for access to patient data without the hassles experienced with tokens.
After evaluating several different two-factor security solutions, Upstate chose to do a pilot program with PhoneFactor's phone-based authentication platform. By utilizing each user's existing phone, the solution could be rapidly enabled with virtually no effort by IT. When logging in, the user simply gets an automated call to confirm identity. Upstate piloted the solution with their pharmacy department and select physicians, and the initial feedback was very positive as users indicated they were highly satisfied with the ease of use offered by PhoneFactor.
“We wanted to provide a secure solution without having to manage another process that required us to hand out something like a token to our providers. PhoneFactor is easy to use and provision. Everyone understands what it means when their phone rings and knows to answer it,” says R.J. Dollard, manager of IT customer support services. Mark Zeman, associate administrator for integrated technical and materials support, adds, “If the users do not accept the security process, they won't use it. A very small percentage of our users utilized tokens to access the network. When we offered PhoneFactor as an option, we saw a significant increase in the number of remote connections; more than double what we had with tokens.”
OhioHealth, a nationally recognized, not-for-profit healthcare organization based in Columbus, Ohio, also faced a number of challenges using security tokens to secure the records of patients in its 17 hospitals and numerous health and surgery centers, home-health providers, medical equipment and health service suppliers. Unlike Upstate Medical University, whose token deployment was limited, OhioHealth was managing more than 4,300 tokens used by physicians and other healthcare practitioners (most of whom were not hospital employees) to authenticate access to critical patient information. Each of the issues Upstate faced in deploying tokens and supporting users was amplified by the large number of tokens in use at OhioHealth.
The internal IT resources required by OhioHealth to support security tokens really added up. Tokens were lost by physicians who did not access the system on a regular basis and had to be reprovisioned by IT. Some physicians had multiple tokens from different healthcare systems, which made it difficult to keep track. They also discovered that a few physicians were leaving the security tokens next to their computer, which defeated the purpose.
Just like Upstate, OhioHealth decided to switch from security tokens to phone-based two-factor authentication because it required less overhead and provided a much better user experience at a drastically reduced cost. The solution, provided by PhoneFactor, resulted in significant savings over the organization's token-based authentication system. OhioHealth was also able to reduce internal costs because the new system required less end-user support and credential management.
“We decided to switch to PhoneFactor's two-factor solution from tokens because it's a 'one and done' solution. It's simple to use and simple for the help desk to add a new member or adjust the information for a lost cell phone. PhoneFactor requires fewer resources, reduced management overhead and overall improved customer satisfaction,” says Jim Lowder, vice president, technology for OhioHealth.
In addition to being viewed as an industry best practice, two-factor authentication is a recommended method to meet HIPAA requirements. Many state pharmacy boards are following suit, requiring two-factor authentication for verification of electronic medical prescriptions. The Ohio State Pharmacy Board is one such entity, requiring two-factor authentication to secure access to ePrescribing systems.
“We need to ensure that the person who is accessing a patient's records or prescribing treatment is the person who is authorized to be logging into the system and not someone across the world,” Lowder says. “While a log-in and password can be stolen, people are very protective of their phones and would quickly realize if it was lost or stolen. With PhoneFactor, the phone is that second factor that ensures privacy of patient records.”
Upstate rolled out PhoneFactor's two-factor authentication platform in February 2009. Installation of the service was simple and straightforward, and the IT department did not need to change anything on their systems to make it compatible. They were able to use one of the pre-configured settings, and the PhoneFactor security platform was up and running right out of the box. The IT department was able to start testing successfully within an hour of installation.
Setting up new users is just as easy. PhoneFactor integrates with a company's existing LDAP server, so new users are added automatically, and a simple training e-mail is sent out to teach users how to get started. If they need to make any changes, users can securely do so using a self-help menu.
In addition to simplicity of use and installation, the system also offers built-in fraud protection since the user receives a phone call any time someone tries to use their credentials to log into the system. If a user's phone rings and they are not trying to log into the system, they have the option to alert administrators and have the access temporarily disabled for those user credentials.
Mike Tubbs, a network engineer at Upstate who installed and deployed the PhoneFactor solution for the hospital, offers his perspective: “If the solution is simple enough, it will discourage users from circumventing the system by putting patient records on a jump drive and walking away with confidential information.”
Securely authenticating users will become more important as electronic medical records become more prevalent and IT security threats continue to evolve. However, as demands on our healthcare providers continue to increase and budgets continue to tighten, making this both easy and cost effective is critical to success. Both Upstate Medical University and OhioHealth found PhoneFactor's simple, strong authentication solution to be just the right prescription.
For more information on PhoneFactor solutions: http://www.phonefactor.com