How to Create Single Sign-On Solutions for Healthcare to Improve Efficiency

What Is SSO and Why Should Healthcare Organizations Implement It?

Single sign-on, or SSO, allows users to sign in securely just once within a defined period that typically lasts the length of a user’s shift. SSO uses a single credential to enable access to all of a user’s authorized applications without them having to keep track of multiple passwords. Once this “single sign-on” is complete, all subsequent authentications can be done simply with the tap of the user’s badge.

It’s critical that healthcare technology serves clinical users, allowing them to spend more time with their patients and less time fussing with technology, says Mark McArdle, chief products and design officer at Imprivata.

“SSO is a major driver of clinical efficiency and cybersecurity by replacing multiple manual logins with a single secure login. With SSO, clinicians can simply tap a badge to log on to devices and workstations throughout their shift, maximize their time with patients and eliminate the frustration of continual password prompts,” he adds.

SSO solutions can streamline access while improving security and user productivity, and when integrated with strong authentication methods, they can help avoid passwords altogether.

“This is particularly important in healthcare, where a typical clinician interacts with a large number of clinical applications, each requiring a username and password,” says McArdle. “There are many secondary authentications that can re-prompt for a password for things like drug administration and witnessing workflows.”

READ MORE: Learn what healthcare organizations need to know about single sign-on.

Increasing protection of their IT environments is a major reason for healthcare IT teams to consider implementing SSO solutions. Healthcare as an industry is a primary target for cyberattacks due to the large volume of valuable protected health information (PHI) involved, attributes about a patient that uniquely identify them and can be used by cyberattackers to commit extortion, fraud or identity theft.

“Lucrative patient records on the dark web, initiatives to expose legacy applications to a remote workforce without proper security controls and outdated authentication standards sitting in front of applications where PHI is stored contribute to a higher breach risk profile for every healthcare organization,” says Adam Crown, group product marketing manager for healthcare solutions at Okta.

In addition to the elevated cybersecurity threat looming in healthcare, organizations also must contend with the impacts of complex legacy IT environments; remote work creating new access requirements; and the unplanned, rapid deployment of technology solutions early in the pandemic perpetuating an environment of many usernames and passwords. Mergers and acquisitions also put pressure on CIOs to integrate legacy and modern business systems quickly and securely.

How to Determine if a Healthcare Organization Would Benefit from SSO

“All healthcare organizations can benefit from SSO, because it dramatically improves clinical workflows by simplifying the user experience for clinicians,” says McArdle.

Remote work and traveling clinicians can bring new risks to a healthcare organization. As cyberattacks increase and impact patient care and trust, organizations that embrace SSO can improve their cybersecurity risk while delivering productivity and workflow improvements. 

“A CIO or CMIO could evaluate the number of authentications a typical clinician experiences during a shift and derive the effective ‘lost patient care time.’ The average care provider saves an average of 45 minutes per shift when using an SSO-enabled system. And the benefits for SSO on clinician quality of life are real, particularly as they dealt with the enormous challenge of COVID-19,” McArdle explains. “Entering a password 60 times a shift is a burden, and it leads to bad cybersecurity hygiene that opens the organization up to real risks.”

Identify and Access Management and Multifactor Authentication

The best password is no password, according to Crown. He says the industry is shifting toward being ‘passwordless’ by leveraging phishing-resistant standards including WebAuthn.

Once a user has successfully provided his or her credentials, depending on the security access policy for that application, a second factor of authentication may be required, such as a push notification sent to an app on the user’s phone or a biometric factor (like a face or fingerprint) validated on the device.

“This is an important protection layer in the event a user’s password has been compromised. While the attacker may have a username and password, it is unlikely they have the second factor,” says Crown. “Once that user has proven their identity, SSO ensures whether they should have access to the application, enforcing the concept of least-privilege access.”

Health IT professionals can enhance SSO with multifactor authentication (MFA) to reduce the risk around ransomware and data breaches. MFA ensures users are who they claim to be before granting them access to sensitive information such as protected health information (PHI). For this reason, it has become a prerequisite for qualifying for cyber insurance.

LEARN MORE: Find out how single sign-on solutions help achieve efficient clinician workflows.

“Securing every application in the healthcare environment with modern security standards — no matter whether it’s on-premises or in the cloud, and no matter where users are accessing from — is a foundational approach to enabling productive work while protecting PHI,” says Crown. “SSO helps to do two things: It verifies the identity of the user and then determines what applications that user can access. Combined with MFA, SSO helps stop bad actors from moving laterally in the network.”

Technology that integrates with on-premises clinical applications, electronic health records and cloud applications, as well as support for private or shared workstations, enable healthcare organizations to deliver SSO from any device and any location, says McArdle.

“Two-factor authentication modalities that enhance SSO include fingerprint and facial biometrics, soft token notification and hands-free authentication,” he says. “By combining the two, you can effectively make security invisible to the end user.”

SSO is powered by identity and access management (IAM) platforms, which enable more than just SSO.

Click the banner below to discover more content focused on nurses’ vital role in health IT.

“Consolidating IAM provides healthcare organizations numerous benefits as they shift to the cloud, adopt more business applications and grow through M&A,” adds Crown. “IAM enables organizations to modernize, automate and secure their environments.”

In healthcare, on-premises applications must be accessible from outside of the network perimeter to enable physicians, IT administrators or other staff working remotely to access apps from a home network.

“From intranet sites to on-premises applications like Oracle EBS for payroll and McKesson PACS systems for radiologists to read a CT, exposing legacy applications can be a challenge when these apps do not support modern SSO standards. That often translates to yet another username and password,” says Crown. “Modern IAM platforms extend cloud SSO and MFA to traditional on-premises applications, applying consistent security policies across all systems — all managed from a single pane of glass.”

These platforms also provide one place to view, manage and secure users’ access, whether they are providers, employees or external partners, automatically identifying and blocking malicious login attempts. The platform extends password reset self-service to users, helps IT teams onboard new apps faster, and ensures day-one access for organizations that undergo mergers and acquisitions.

Tips and Best Practices for Successful SSO Deployment in Healthcare

Many healthcare organizations are still using on-premises and legacy systems, and they need to make sure their SSO solutions are built to easily integrate with those, says McArdle. However, as these organizations move more services to the cloud, it’s equally as important to have an SSO option that seamlessly integrates into both.

Another important point for healthcare IT teams to know is that standards enable SSO to work behind the scenes. Legacy standards such as Kerberos, Lightweight Directory Access Protocol, Web Services Federation Protocol, RADIUS or header-based authentication typically are found in legacy applications. There are also modern authentication standards such as Security Assertion Markup Language 2.0 and OpenID Connect.

“The central IAM platform manages the handshake between all of these legacy and modern standards, so users don’t know that it’s even happening,” says Crown. “They just know that it’s one username and password to get into all of these apps via SSO, no matter where they are located.”

It’s important for healthcare organizations to identify a solution that solves its specific needs. McArdle recommends that the primary focus be on the clinical user because those workflows directly impact patient care. 

“Finding a partner that understands the clinical workflow environment and can develop an implementation plan that ensures a smooth deployment that enables better clinical outcomes is very important,” he adds. “Solid deployment, education and optimization are crucial parts of a technology adoption lifecycle, reducing the risks that can come with new technologies. Having a partner that can help you generate significant efficiencies for care providers means you’re not just deploying a new system but implementing a productivity enhancing solution throughout your organization.”

Health IT teams need to understand which of the applications connecting to the IAM platform will be needed for SSO.

“There is a difference in time to connect on-premises applications versus cloud applications. Cloud applications support modern authentication standards and can be integrated in minutes with predefined connectors into the IAM platform,” says Crown. “On-premises apps, on the other hand, might be placed behind a secure web gateway or require a reverse proxy to communicate a specific token. That may involve pulling in the vendor to determine the best step to integrate into the IAM platform. Moreover, it helps prioritize what is day-one critical versus able to be integrated in a later phase.”

He also recommends determining which applications require provisioning and what those underlying applications support.

“Automated provisioning is a key benefit of a central IAM platform,” says Crown. “Modern applications support modern provisioning standards like SCIM 2.0. Connecting into them is a simple configuration.”

Older applications might not support modern provisioning standards. However, many organizations already have defined point-to-point integrations with existing Identity Governance and Administration (IGA) platforms like SailPoint or Saviynt into these legacy applications, he says. IAM platforms can connect into these IGA solutions, which serve as a bridge to harder-to-reach applications.

RELATED: Discover best practices for clinical communication and collaboration device management.

“Approach this initiative with the highest value first for a subset of users, then expand into additional use cases. The ‘crawl’ phase of the project usually consists of connecting all your systems of record into the IAM platform, integrating into the highest value applications for your target users, and securing those apps through configurable policy with risk-based authentication and MFA,” says Crown.

The next phase is automating provisioning as well as onboarding and offboarding. By leveraging prebuilt provisioning connections with third-party apps such Office 365, Crown says administrators can automatically turn on access the moment a user joins the organization, update access when the user moves to another role or shut off access the moment the user leaves.

This may be followed by integrating IAM access logs into a security information and event management partner, providing detailed access logs to a central reporting database and layering in zero trust.