THE Health Insurance Portability and Accountability Act (HIPAA) hovers like an albatross over the health care industry. The act will eventually mandate privacy and IT security standards to protect the personal data of patients as it is transferred between agencies.
Providers ranging from physicians, hospitals, insurance companies and even employers who offer insurance benefits, must eventually come into compliance with HIPAA. That means, in some cases, expensive technological enhancements.
It also means some internal massaging and pacification of employees concerned more with patient care, than say, changing their passwords every 30 days.
The H. Lee Moffitt Cancer Center & Research Institute in Tampa, Fla., recognized it needed to remove the burden of password management from its users, yet maintain on course for compliance with HIPAA's privacy regulations by the April 2003 deadline. Physicians, nurses, technicians and any other personnel in clinical areas involved with patient care need immediate, simple access to applications and patient data. Password management is not a fixture on their daily agendas.
"It's something our physicians are not happy about doing; it takes time away from patient care," said Rich Rauscher, Manager of Information Technology for the Moffitt Center. "The idea is to authenticate once. This is one part of our strategy to streamline our clinical operations."
Rauscher came to the conclusion that it was time the Moffitt Center dipped its toes in the biometrics waters and brought in Targus fingerprint readers to authenticate users. "We concede that people share passwords, they can't share fingerprints," Rauscher said.
Managing user authentication and access to applications was another matter, and Rauscher's next biggest challenge. He said he wanted management software that would allow for single-sign on and be able to integrate with existing systems and applications.
Cost, often the biggest inhibitor of authentication and access-control implementations, was not a frontline issue here, Rauscher said, because the CEO holding the pursestrings is also a physician and a user.
The selection process, Rauscher said, brought in several vendors, but most were selling vaporware. "When you buy a vaporware product, it can be a bad experience," Rauscher said.
BioNetrix, however, had a product in hand. The BioNetrix Authentication Suite 4.1 won Rauscher over for several reasons.
"When we first looked at it, it was the only solution to integrate with five different fingerprint devices and prox (proximity) cards, facial recognition, iris recognition, voice recognition, the whole spectrum of products," Rauscher said. "They were just so far ahead with their technology."
The suite includes unified authentication management for enterprise applications, a dynamic policy engine that implements authentication policies enterprise wide, centralized management, single sign-on, real-time logging of authentication events, integration with existing security biometrics products (the Targus readers), and smart cards and tokens.
Implementation of the BioNetrix suite will be complete in July, Rauscher said. In two months, the Moffitt Center's 2,000-plus users will have single sign-on capability to access all manner of clinical applications at a cost of $300,000 to the Moffitt Center.
"We discussed the costs with our advisory council and took all alternatives to them," Rauscher said. "They were not concerned about cost. They were satisfied it was going to make clinic operations faster. I looked at the cost and when I told upper management what we were looking at, they didn't blink. It's all about ease-of-use."
Since implementation began, the biggest challenge has been integrating the BioNetrix suite with the Moffitt Center's existing systems and applications.
"I've been surprised with how little a challenge it has been to make it work with what we have here," Rauscher said. "A nice feature is that it integrates well with Citrix (platform for application delivery) so that when users leave their stations to care for a patient, logging out and logging takes up valuable time. With Citrix, users can leave, come back later and resume from the same place without tying up a workstation in the interim."
Then there's HIPAA.
"This product should make life easier for us as far as user authentication issues go," Rauscher said. "This also reduces the challenges we had in getting users to change their passwords with greater frequency."