In an effort to simplify the task of signing in to its hospital network for its clinicians, Fletcher Allen Health Care, a 562-bed academic medical center in Burlington, Vt., is in the process of rolling out a single sign-on system that speeds up access, while providing more flexibility as well as security. John McConnell, the health system’s enterprise architect, said the hospital system is in production deployment of the system, (OneSign, supplied by Imprivata, Lexington, Mass.), in both its ambulatory and inpatient facilities, which he expects to be completed on just under 5,000 devices in the next three to six months.
In explaining the reasons for the decision to revamp its sign-on process during an interview at the 2014 Health Information and Management Systems Society (HIMSS) annual conference held in Orlando, Fla. last month, McConnell said that the log-in process on the hospital’s then Windows-based desktops had been unsatisfactory. Its Epic electronic health record (EHR) was running on top of Citrix XenApp, so clicking on the Epic icon required XenApp to start up, he explained. The bottom line was that the log-in process took too long—well over a minute—and was a source to frustration for its clinicians accessing the patient record, he said.
Additionally, he noted that the single sign-on implementation was in line with the philosophy of Fletcher Allen’s CIO, Chuck Podesta, who has had a longstanding strategic vision that the hospital should be providing a common desktop experience to its providers, regardless of where they are or what device they are using. “Whether they are on a Windows PC in their office or on an iPad at home, they should have the same access wherever they are,” McConnell said.
McConnell said the decision to implement single sign-on was part of a three-part strategy:
- Accelerated rollout of the Windows 7 operating system as a replacement of Windows XP.
- Implementation of thin clients in most of its exam rooms. Imprivata authentication software is baked into firmware, making it easy to switch it over for single sign on.
- Deployment of the sign-on system to 4,600 devices—a mixture of think clients and PCs—throughout Fletcher Allen’s facilities. The hospital system has licensed all 7,000 employees for the single sign-on technology.
As a result, McConnell said, Fletcher Allen has significantly reduced its minute-and-a-half to two-minute log-on task: users now can sign on in seconds by tapping their badge and type in their four-digit PIN, providing multi-factor authentication, and they are assigned all the way into the patient authentication record automatically. He said the sign-on system has proven to be popular with clinicians so far.
McConnell noted that the system provides timeouts when idle, McConnell said. Epic has its own timeout; in addition, depending on the clinical environment where the clinician is working, the Imprivata application will fade the screen as a visual cue that the screen will lock until action is taken by the user. “It is really the best of both worlds; we are obscuring data from eyes that shouldn’t see it, but we are being more flexible in terms of getting the clinician back into the system without having to sign back on,” McConnell said.
He pointed out another useful feature in session roaming. The sign-on system, used in conjunction with VMware virtual desktops, allows a clinician to bring up a patient’s chart in one exam room, and then bring up the chart again in a second location with the tap of a badge, without logging in again. He said the feature speeds access to the patients’ records while maintaining a secure environment.
Those features helped allay McConnell’s concerns about security of kiosk PCs, nursing stations on the floors, that where, are signed into Windows with low-privileged accounts, he said.
McConnell said that Fletcher Allen has successfully integrated more than 20 clinical and business applications (including time-keeping and human resource functions) on single sign-on system. “It’s handled everything we’ve thrown at it. We’ve done Citrix, hosted apps, regular Windows applications, and we’ve done Web applications; they have all worked,” he said.
After first witnessing a demonstration of the single sign-on solution about two years ago, McConnell began to test the product in the health system. Following successful trial runs, he made a presentation to his my management after the first year, recommending it, and received board approval to go ahead with the implementation about eight months ago, he said. He personally ran a 400-user pilot program, before transitioning the system to the health system’s normal operational teams, where a single security engineer is managing the technology. “It’s very lightweight in terms of administrative overhead,” he said.
