Security

ID cards and access control: addressing the problem of digital identities in the NHS

Identity and access management (IAM) is essential in today’s healthcare environment. Bound by ever-tighter compliance, NHS trusts recognise that sharing information electronically is inherently insecure. It's not just the nature of the data in question but also who is accessing it, who is changing it, who is using it, and for what purpose, and in which way.

Governance, including that of patient information, directly influences star ratings and the ability to attract budget. Heads of governance and service improvement directors have to take note of the ever-increasing challenge of proper control, audit, and accountability of user activity.

A typical NHS trust will have many applications that their employees and partners need access to, and many databases storing confidential details about their patients alongside other sensitive data. It is critical that those who are allowed access to information have it at the appropriate level to their authority, and in a timely manner. Without proper handling of access to this sensitive data, the security of patient records and proprietary trust information could be seriously compromised.

The NHS is a good example of how the proliferation of IT applications, both local and national, and their associated passwords has resulted in a complex environment within its hospitals, where many users have multiple login identities and passwords.

IT departments, therefore, need to address a multitude of information access and identity issues. These come hand in hand with the problems associated with multi-password environments, multi-directory environments, password policy management and their associated costs. However, many still fail to recognise that these problems are interlinked, and that they can be solved through a simple and integrated approach.

Integrating access and identity

NHS employees often have a large number of physical and logical identities: a code to enter the building, an ID badge, and more than likely, several usernames and passwords to gain access to applications or data. New technologies can integrate these multiple identities so that NHS trusts can automatically link processes and achieve a faster, more dynamic method of working.

By introducing single sign on (SSO) technology, identity and access management (IAM) solution providers can converge these disparate identities and eliminate the need for employees to memorise numerous passwords.

The technology can be extended to control physical access to buildings as well as logical access to information, by swiping a smartcard or scanning a fingerprint using biometric technology. Trusts can benefit from the control provided by such a system.

For example, an employee can only gain network access or access to special zones if they have signed into the building using their swipe card or fingerprint. Similarly, if an employee has signed into the building it will not be possible for anyone to remotely access the network using their username.

An integrated approach to identity management also automates the employee lifecycle (joiner/mover/leaver) and their associated access to NHS resources. For example, the moment an employee is removed from the payroll, they no longer have access to the building or network with their username.

The excessive number of identities and passwords that many hospital staff have to remember on a day-to-day basis causes two major security vulnerabilities. First, staff writing their passwords down, and second, staff leaving their workstations unlocked so that other staff can quickly gain access to the system.

In the event of malpractice these actions have serious implications for accountability, and may result in an innocent employee being punished for the inappropriate actions of a colleague using their digital identity. These vulnerabilities can be avoided through the implementation of an appropriate single sign on solution.

The benefits of an effective IAM strategy are immediate and substantial. IT management, support and infrastructure costs can be hugely reduced, freeing up resources to address critical issues, and employees can perform their jobs quicker and more securely because of innovations in working practices and improved end-user efficiencies.

Operational costs are also lowered because of the reduced frequency of password-related helpdesk calls, as well as the period of inactivity whilst waiting for a password to be reset. Effective IAM can improve clinical efficiency and increase patient throughput, whilst providing secure and compliant access to patient information.

Case study: Addenbrooke’s Hospital, Cambridge

The implementation of single sign on as an element of an IAM strategy at Addenbrooke’s Hospital in Cambridge has significantly tightened security, simplified the password process and given users faster access to patient information.

It has delivered substantial efficiency savings as internal help desk calls for password resets have been reduced. In addition, users can access their local and national applications and also gain entry to secure doors and car park facilities using one smartcard.

Addenbrooke’s Technical Manager David Hughes describes how clinical staff struggled to manage lists of passwords to over 30 applications, not to mention the burden this placed on IT support staff. “It was an impossible situation,” he said. “Thirty per cent of help-desk calls were password related. We had two full-time-equivalent staff just resetting passwords,” explained Hughes.

“Staff had to remember complex passwords to gain access when accessing local applications. In the event of a forgotten password, clinicians were being locked out of their systems and this led to a lot of user frustration, not to mention the impact it had on time spent treating patients. By using a single sign-on solution from Enline, we not only eliminated our local password issues but also made signing in far more efficient and easy for staff,” Hughes continued.

A well implemented identity and access solution together with smartcard or biometric technology could finally alleviate hospitals’ difficult conflict between security, staff efficiency and best practice.

Paul Edmondson, Enline plc.