Mike Davis

In 2006, participants in the HIMSS Leadership Survey predicted that single sign-on (SSO) would become the most prominent technology that providers would look to adopt in the next two years.

That forecast proved to be quite accurate.

Paul Pitcher

According to data collected by Chicago-based HIMSS Analytics, roughly 29 percent of hospitals are currently automated with SSO and another 4 percent are under contract to implement the technology. The adoption numbers are up about 11 percent from two years ago, but there is still a large chunk of facilities that aren't actively pursuing SSO. In some cases, it's because facilities have installed a suite of applications with a consistent architecture and therefore don't need the technology, says Mike Davis, executive vice president at HIMSS Analytics. But for others, there are burning questions that exist about SSO, like what features are most important when selecting a vendor, what to expect with implementation, what type of facilities and environments are best suited to the technology, where context management fits in, and whether SSO truly is a “must-have” solution rather than something that would be “nice to have.”

Michael Krouse

Researchers at KLAS (Orem, Utah) sought to address these issues in a report released in February called “Single Sign-On Context Management,” which provides a database of information about the technologies based on comments from users. “We hope that through this publication, others will start to focus on where there are opportunities for improvements within clinical workflow,” says Paul Pitcher, KLAS research director and author of the report.

“Identity, access management, security and privacy are hot topics, and providers are looking for answers,” he says, adding that while SSO doesn't solve all of those issues, it is a crucial component.

Davis agrees, noting that the facilities most likely to seek out — and benefit from — SSO technologies are those that have disparate systems, such as the 800-bed, three-hospital network Lehigh Valley Hospital and Health Network (LVHHN) in Allentown, Pa.

“We're best of breed here, which really pushes the need for SSO,” says Gregg Zahour, director of IT services at LVHHN, who chose to install Fusion by Carefx (Scottsdale, Ariz.), which is integrated with Islandia, N.Y.-based CA's eTrust SSO solution. “Doctors want to have a one-stop shop,” Zahour says. “They want to go to one or two screens and get all the information, and it's our job to deliver that.”

Getting it started

Once the decision has been made to deploy SSO, a facility needs to identify what specific tasks the technology will be relied upon to address.

Michael Krouse, CIO at Columbus-based OhioHealth, had three primary objectives in mind when Dublin Methodist Hospital (Dublin, Ohio) opted to implement the OneSign platform from Lexington, Mass.-based Imprivata. The first issue was productivity, which he felt was significantly compromised by the fact that clinicians had to remember so many user names and passwords when bouncing between as many as five systems. The second factor was patient safety. “When you have a complex environment, it leads to shortcuts,” he says. “And when you have shortcuts, you begin to compromise your security and privacy policies.”

The third issue deals with authentication, a topic that is particularly relevant in states such as Ohio, which have adopted stringent policies to help more effectively govern the distribution of prescription medications. The Ohio State Board of Pharmacy requires that anyone involved in the administration of medications provide positive identification both before and during the processes of dispensing the medication. Three states have passed similar laws and 10 more are in the process of adopting legislation, according to Krouse, who expects the initiative to roll out nationwide in the near future. As a result, he says, the industry could see a significant spike in SSO deployment.

A push to implement SSO wouldn't surprise Davis. “You don't implement SSO because of ROI. You implement it because of regulatory requirements and risk mitigation,” he says. “What you're trying to do is make sure you don't violate HIPAA laws or security relative to exposing patient information. That's probably the biggest thing.” (See sidebar for more information.)

At Dublin — an all-digital facility that opened its doors in January — the SSO implementation was a relatively smooth one. Not only were there no hard-wired applications, which made it easier to physically move devices, but the biometric readers and fingerprint scanners are built directly into the notebook computers carried around by physicians. “It's certainly made life a lot easier and it's why we were able to do some of this pilot stuff at a brand new facility,” says Krouse.

Sandy Bakich

At some of Ohio Health's other hospitals (there are 16 in total), the process has been much more challenging. “We've had to go back and retroactively fit the other facilities with an SSO,” says Krouse. “We have to be careful because every device has to be touched and introduced with biometrics. It's a very systematic roll-out process.”

According to Krouse, there are two primary strategies for implementing SSO. “You either do a ‘big bang’ where everyone is up at once, which can be difficult, or you do it in a staged and rolled out fashion,” he says. The former requires that administrators scan, authenticate fingerprints, and touch and reconfigure desktops for all users at once, an undertaking that isn't always practical or even possible.

With the latter method — what Krouse refers to as “rolling out in large chunks” — he recommends starting with one unit, such as ER physicians, then moving on to another group once they are all up and running. “It can get frustrating,” Krouse says. “You have to be very careful about how you roll it out. You do it in stages,” he says, no matter how great the temptation to move to the next unit before the first is complete.

Once the implementation issues have been ironed out, facilities can fully capitalize on some of the technology's benefits, such as compatibility with other systems.

Sandy Bakich, director of information management at Delano Regional Medical Center in Delano, Calif., chose to deploy Andover, Mass.-based Sentillion Vergence because of the seamlessness it offers in enabling providers to link between different applications, including the laboratory system, voice dictation and the facility's Web-based PACS management system.

At Delano, says Bakich, the implementation of SSO created somewhat of a snowball effect in terms of interoperability. Since going live in the fall of 2007, “We've built three or four additional bridges to other applications that we had not seen a need for until the physicians started using things. Every time we turn around, we find another bridge we can build,” explains Bakich.

The SSO solution also enabled Delano, a small community hospital, to more effectively compete with bigger health systems in the area by giving it a technological advantage. “Doctors will refer patients out if they don't find it easy to do business with us,” Bakich says.

Complimentary technologies

But while SSO has been shown to provide significant benefits to its users, context management can in turn benefit SSO by adding another synergistic dimension to the technology.

According to Pitcher, “For those sites that added context management, there was almost an exponential benefit because it not only signed them on, but it really pulled all of their applications together into a seamless, interoperable manner.”

Although Sentillion is currently the only vendor to offer SSO and context management as complementary technologies — according to the KLAS report — with its Identity and Access Management suite, many expect this capability to become more widely available in the near future as demand continues to grow. A number of vendors are partnering with SSO developers like Novell (Waltham, Mass.) to offer context management, which provides a viable option for facilities like LVHHN that already have an SSO in place and don't want to purchase a new suite of applications.

The context management component enables LVHHN's users to gain secure access to patient data that is aggregated from diverse applications including solutions from Santa Clara, Calif.-based Citrix and terminal emulated applications. However, although the “navigational application facilitator” that it has added to the system is crucial, the deployment of both SSO and context management was not all about IT gains, says Zahour.

“The biggest thing for us was patient safety,” says Zahour. SSO and context management can help clinicians navigate between applications and streamline the work process, “But we're really looking at it more from patient safety; that you're always on the right patient when you're navigating through applications,” he adds.

The final piece to the deployment puzzle, according to Krouse, is support. Without the presence of a strong support infrastructure, the benefits of SSO cannot fully be realized.

“If something happens, we can't afford to have a physician say that they can't get access to the systems for an hour,” Krouse says. “That just doesn't work. We have to have resources that can respond in seconds to ensure that our physicians have access.”

There are certainly several considerations that must be taken into account with adopting and implementing SSO and context management. However, the end goal of a solution that can improve workflow and clinician satisfaction, help to utilize resources more efficiently, and provide clinicians with a confidence that their information is secure seems to be worth all the trials and tribulations, says Krouse.

According to Pitcher, things look exceedingly positive. “Based on the feedback we got from the providers, this is one of the great wins because it's an example of where the IT department puts in a layer of technology and it solidifies the clinicians' workflow,” he says. “It makes that layer of technology almost invisible and brings together the tools in a way that helps them to accomplish their clinical tasks.”

Sidebar

The Role of SSO in the CMS Audits

David Ting

In January, the Centers for Medicare and Medicaid Services announced that it would start conducting onsite reviews of hospitals to make sure that they are in compliance with the security rules mandated by HIPAA. CMS has said that it will audit 10 to 20 hospitals by the fall.

In situations like this, says David Ting, CTO and co-founder of Imprivata in Lexington, Mass., having the right authentication policies becomes critical.

“There are very specific penalties and very specific regulations around maintaining separation of accounts, maintaining unique IDs for users so they can't share information, and having some degree of tracking and auditability of user access records,” says Ting.

The surprise visits, which are creating quite a stir in the industry, may serve as a wake-up call to some, says Mike Davis, executive vice president at HIMSS Analytics. “It's going to make things interesting. This is when you start to put something like SSO a little higher up on the priority scale.”

For information on what can be expected during a visit, download this checklist from the Office of E-Health Standards and Services: http://www.cms.hhs.gov/Enforcement/Downloads/InformationRequestforComplianceReviews.pdf

To stay informed on this key issue, check back with Reece Hirsch's blog, which can be found at: http://www.healthcare-informatics.com/Blogs