Using a username and password to log on to applications and systems is a common method of authentication. Various laws and regulations in the healthcare industry require that access security is tightened and that passwords meet certain complexity requirements, such as minimum length, use of special characters and use of an uppercase letter, for example.
In addition, a frequent requirement set in place by facilities with sensitive personal information, such hospitals and ambulatory practices, is for passwords to be changed after a certain period of time has elapsed to protect the integrity of the information being protected.
With the introduction of complex passwords requirements – given the requirements of symbols and digits – often it is difficult for employees to remember their Active Directory password, especially after a vacation or time away from the office. Forgotten passwords and the need for resets by the help desk lead to a significant increase in the amount of time internal IT resources are needed to focus on secondary tasks and are unable to concentrate on more pressing matters of the organization.
On average, in any given organization, more than 25 percent of the calls to a help desk are password related, such as resetting forgotten passwords. The IT staff is often burdened with resolving these calls, resulting in an increased administrative load for the IT department. At the same moment, the end user loses valuable work time because he or she is locked out of the network temporarily and unable to work.
IT departments can be less burdened, though, and handle fewer calls for password administration to focus on more critical calls.
Improvement of password management
South County Hospital, a 100-bed, 1,200-employee acute care hospital in Wakefield, R.I., sought solutions to reduce an overabundance of password reset calls to the IT help desk each month. The hospital’s help desk averaged between 20 and 25 password resets a month, each requiring about 30 minutes to resolve because of the laborious process of receiving the call, placing a work order, resetting the password and then contacting the users, most of whom are busy clinicians.
With a focus on lean management, and an effort to make all internal processes as efficient as possible, the hospital’s leaders began to seek ways to improve password management and reduce the number of support calls to the help desk. By improving this process, hospital leadership also wanted to enhance the user’s experience so employees did not have to wait for completion of the process and could easily reset their own passwords to get on with their work.
When seeking a vendor with a solution to the hospital’s password management issues, Tools4ever was considered a front-runner because South County had previous experience using another of the company’s products, RealLastLogon. Tools4ever’s Self Service Reset Password Manager (SSRPM) resolved all of the password reset issues in the hospital and integrated with its Outlook Web access page, a top priority at the hospital. SSRPM also was capable of integrating with Meditech, the hospital’s information system, to synchronize the password resets.
Self-service password reset
With SSRPM, users can reset their password and no longer need to depend on IT staff for support or have to worry about working within the operating hours of the service or help desk.
Before resetting a password, it is critical that users identify themselves by answering a few personal challenge questions. According to hospital leadership, this is safer than its previous method, where it was possible for a user to call the help desk and claim to be someone else other than the account owner.
On the Windows log-in screen, a new button is added (“Forgot My Password”) that the end user can click if the password is forgotten. By answering a challenge question, such as “What is my mother’s maiden name?” the user can identify himself or herself and securely reset his password.
If a call is required, the help desk also can directly ask personal questions to identify a caller. The help desk employee does not see the full answers to the questions, but (for example) only the second and last character of the answer to positively identify the caller.
When entering the new password, the end user is required to comply with the password complexity requirements of the organization. While entering the password, the complexity rules that are met are flagged with a green check. For example: “Minimum password length of 10 characters: OK.” The cryptic error messages are removed, allowing for users to more easily understand the requirements of them.
Besides the possibility of identifying the user by answering personal questions, advanced authentication is also possible via enhanced authentication, including email and SMS authentication. This means that, in addition to the regular questions that need to be answered, there can be an extra security question that needs answering. For example, “What is the PIN code you just received on your cell phone?” This form of authentication is referred to as two-factor authentication and relies on something you know (answers), and something you have access to (a mobile phone).
Easily customize and integrate with systems
South County implemented SSRPM in its environment and was able to integrate the solution with all of the applications at the hospital. SSRPM is set up to work with three different technologies at the hospital: Outlook Web Access for email, the standard Windows credential provider when logging on to to the computer and Web access for people working outside the network. The hospital also was able to modify the security questions that users are asked when resetting their passwords.
“The ability to choose questions that have an answer that only the user would know, yet are easy to remember, is important,” says Ken Hedglen, information technology manager at South County Hospital.
With SSRPM, South County’s users no longer need to spend time contacting the help desk and waiting for a reply to their password reset request. They are now able to answer a series of security questions and quickly reset their own password. Hospital officials liked that they did not need to provide any training on the product because it is self-explanatory, says Hedglen.
“Any system that we implement that we don’t hear anything about after the fact is good, because no news is good news when it comes to systems,” says Hedglen.
SSRPM has also been beneficial to the help desk, because its employees can handle other types of work orders. “The help desk can now focus on more important issues rather than simple password resets, and [they] are much more productive,” says Hedglen.
About the author
Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, RBAC, password management, SSO and access management, serving more than 5 million user accounts worldwide. Learn more at www.tools4ever.com.
