IT news: IT security a 'key priority' for NHS trusts following government White Paper
NHS trusts are being warned that data security must remain a top priority following last week's announcement that responsibility for NHS budgets and the commissioning of services will switch to primary care providers.
Experts said this week that as patient information is likely to change hands more frequently between health trusts, both in a local area and across the country as a whole, the potential for reputation-damaging data losses must be recognised.
David Hobson, managing director of IT firm Global Secure Systems (GSS), said: “The White Paper published last week shifted more of the responsibility to GPs and, while they do a great job at being a GP, they do not study IT systems and security, in the same way they do not do accounting. It is easy to get a manager to run the business side for them, but it is not as easy to bring in someone who understands data security sufficiently.

“In other industries, the Information Commissioner’s Office has fined businesses which do not properly protect public data. This has included the directors of companies being fined up to £500,000 individually, and in the future will this be a risk for GPs as the key commissioners? Will the responsibility lie with them should something go wrong?”
At a time when the NHS is trying to put more emphasis on well-being and tackling health problems before they become serious, there will undoubtedly be a need to collect more information on patients’ lifestyles, illness prevalence and outcomes. There will also be growing pressure to share this information with a wealth of third sector and private organisations which are increasingly being commissioned to deliver patient health services on behalf of trusts. But this too brings issues concerning IT security as many of these groups are small charities which have little in-house IT expertise.
Hobson said: “The challenge is to drive this from the bottom up, rather than the top down. Encryption of data is critical, but so far trusts have been quite slow in adopting solutions. We need to find something that is more usable because, if any form of security becomes obstructive to those using it, they will find ways to get around it.

“An important approach, particularly where third sector organisations are concerned, is to introduce some form of audit process. The NHS trust will need to carry out an audit of any outside suppliers to ensure their security is up to the standards required. As long as trusts recognise that data security is an important issue, then the challenge moving forward is just one of education. It is about people recognising the potential for problems. It is going to be a problem if they just send data out without worrying about what it is and whether it is secure, and ignorance will not be a good enough defence.”
Omar Hussain, chief executive of access management provider, Imprivata, said technologies such as single sign-on will also be key tools to ensure the only people with access to data are those who need it for their jobs.
He told HES: “The biggest priorities we are seeing in the NHS are protecting patient data and improving the ability for people to access that data when they need to. Solutions such as authentication, monitoring systems, data protection and encryption are already prevalent in many other industries, but the health service needs to become more aware.

“Healthcare is unique in that the number one priority is the patient and providing an effective service. In order to do that with an increasing and ageing population, we will have to lever technology to improve our ability to provide that service. However, with high-profile information leaks, patients are more and more concerned about who can see their records and we are reaching the stage when the healthcare industry, particularly in the UK, needs to do much more.

“When we look at patient data we have to focus on who is accessing it. It is easy enough to do this on-site, but when you consider those working in the field, you need to ensure when they go off the premises, the information they access is just as secure.”

CASE STUDY 1:
THE TRUST:
East Kent Hospitals University NHS Foundation Trust is one of the largest hospital trusts in England, with five hospitals and several outpatient facilities across east Kent and Medway.
The trust provides a wide range of services within both hospital and community settings and employs more than 7,500 staff, who all require access to a variety of healthcare applications and support systems.
THE CHALLENGE:
The trust’s staff required access to more than 86 applications. However, the organisation’s password security policy required staff to utilise separate log-in credentials for each application. As a result, users forgot their credentials and could not access core systems. Users instead resorted to writing down passwords or sharing accounts with other users; actions which compromised the trust’s strict security requirements.
Nicola Ellingham, project manager for East Kent Hospitals University NHS Foundation Trust, is responsible for the implementation and support of access management technologies and knows the importance of finding the balance between security and employee productivity.
She said: “Obviously, keeping our patients’ data secure is of paramount importance. However, with so many disparate logins, the productivity of clinical staff was being affected, which could have led to an impact on patient care. For any NHS trust, that would be completely unacceptable service.”
To ensure security as new applications were implemented, users were asked to remember complex password credentials which reset at irregular intervals, causing them to be locked out, unproductive and frustrated.
“We noticed that almost 25% of our helpdesk calls were related to password or access issues,” Ellingham said. “This equates to more than 8,000 calls each year and was a huge drain on our resources. Additionally, IT found that despite having only 7,500 users, more than 20,000 accounts existed on the e-directory. This was due to the lack of an integrated IT access management policy across the network, which made user ID verification a difficult task.”
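The 20,000-accounts-for-7,500-users gap is the kind of finding an identity reconciliation turns up. The script below is an added example, not the trust's own tooling: it joins a directory export to the HR roster and classifies every account that cannot be tied to a current member of staff, or that belongs to someone who already has another account. Both CSV samples are constructed for the example and the column names are assumptions.

```python
"""Reconcile a directory export against the HR roster (added example).

Surfaces accounts with no owner, owners unknown to HR, leavers whose access
outlived their employment, dormant accounts, and people with several accounts.
The CSV samples and column names are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed directory export: one row per account.
DIRECTORY_CSV = """\
account,display_name,staff_id,last_logon
jsmith,Jane Smith,10001,2009-11-02
jsmith2,Jane Smith,10001,2008-03-15
bjones,Bob Jones,10002,2009-10-30
tmpadmin,Temp Admin,,2007-01-09
locum7,Locum Seven,10099,2009-11-01
ghost,Ghost User,10500,2009-09-09
akhan,Asha Khan,10003,2009-11-03
"""

# Constructed HR roster: the authoritative list of people.
HR_CSV = """\
staff_id,name,status
10001,Jane Smith,active
10002,Bob Jones,active
10003,Asha Khan,active
10099,Locum Seven,left
"""


def reconcile(directory_csv: str, hr_csv: str, as_of: str, stale_days: int = 365) -> dict:
    """Classify every directory account that should not exist, or not be active, as-is."""
    accounts = list(csv.DictReader(io.StringIO(directory_csv)))
    staff = {row["staff_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    cutoff = date.fromisoformat(as_of)
    by_staff = defaultdict(list)
    report = {"no_staff_id": [], "unknown_staff_id": [], "leaver": [], "stale": [], "duplicates": {}}

    for acct in accounts:
        name, sid = acct["account"], acct["staff_id"]
        if (cutoff - date.fromisoformat(acct["last_logon"])).days > stale_days:
            report["stale"].append(name)             # dormant: candidate for disabling
        if not sid:
            report["no_staff_id"].append(name)       # cannot be tied to a person at all
            continue
        if sid not in staff:
            report["unknown_staff_id"].append(name)  # owner unknown to HR
            continue
        if staff[sid]["status"] != "active":
            report["leaver"].append(name)            # access outlived employment
        by_staff[sid].append(name)

    for sid, names in by_staff.items():
        if len(names) > 1:
            report["duplicates"][sid] = sorted(names)  # one person, several identities
    report["accounts_per_person"] = round(len(accounts) / max(len(staff), 1), 2)
    return report


if __name__ == "__main__":
    for key, value in reconcile(DIRECTORY_CSV, HR_CSV, as_of="2009-11-03").items():
        print(f"{key}: {value}")
```

Each category maps to a different remediation: leavers and ownerless accounts are disabled, duplicates are merged under one identity, and the accounts-per-person ratio is the figure to track as the access management policy takes effect.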
THE SOLUTION:
With these challenges in mind, Ellingham and the IT team looked at possible routes to managing user access that would address the security needs of the organisation while reducing the complexity of the log-on process for employees.
One of the options immediately identified was single sign-on (SSO), which involves linking all access rights to one strong network log-in. This, in turn, authenticates users into all applications they are authorised to access without having to repeat the login process each time. Because that single credential now unlocks everything, the strength of the network log-in itself (and, as the trust notes below, the NHS smartcard) becomes the control that matters most.
Ellingham discussed the trust’s requirements with BMS, an Imprivata reseller and NHS IT security specialist. After identifying that the trust had similar access management challenges to other NHS organisations, BMS recommended Imprivata OneSign, an identity and access management appliance that can deliver SSO easily, quickly and affordably.
“Having the peace of mind that other trusts within the NHS had used Imprivata OneSign was extremely important, especially as we have quite a complex IT infrastructure spread across multiple sites,” said Ellingham.
“One of the key reasons behind choosing Imprivata technology was that it could be integrated with our existing network without changes to our LAN/WAN or huge hardware investment. Imprivata OneSign also supports the NHS smartcard which is an important part of our IT plans.”
Following consultation with employees around how IT systems were being used and how user workflows would be impacted, the trust started the rollout of Imprivata OneSign in early 2009 working closely with BMS.
“We were surprised at how quick and non-disruptive the implementation was,” said Ellingham. “Users from clinical and support roles were using SSO extremely quickly without impacting their day-to-day tasks.”
THE RESULTS:
Since the implementation, more than 7,500 users have been successfully enrolled with SSO, and the trust has experienced a 25% reduction in helpdesk calls, equating to savings of £80,000 per year.
“Imprivata OneSign has been hugely successful in helping clinical staff access IT systems quicker and more efficiently which, in turn, means more time for patient care and less time calling the helpdesk for having passwords reset,” explained Ellingham.

“Access issues are an incredible drain on IT resources and Imprivata technology has helped us eradicate these calls so that support staff can focus on other more strategic areas of IT across the business. With Imprivata OneSign, we are confident in our ability to achieve our organisational goals for effectiveness and efficiency.”
CASE STUDY 2:
THE TRUST:
Cambridge University Hospitals NHS Foundation Trust is the organisation behind Addenbrooke’s Hospital, one of the leading teaching hospitals in the UK.
The trust undertakes world-class research, working in partnership with Cambridge University and the Medical Research Council, as well as providing a high level of patient care and excellence in service delivery.
Addenbrooke’s serves the needs of around 500,000 citizens in the local area and the trust employs more than 7,000 staff, with an estimated 5,000 workers requiring access to IT resources.
THE CHALLENGE:
For these thousands of employees, logging into applications used to require a user name and password for each individual system, and each user had an average of between eight and 10 different access and security credentials to remember.
The trust’s security policy on access required that strong passwords were used, rather than dictionary words; that different passwords were used for each application; and that they were changed every 90 days.
While this approach ensured application access remained secure, it was difficult for users to remember all their credentials and they would therefore have to call the IT helpdesk for password resets.
This was becoming a significant issue for the team to support, with around 30% of all helpdesk calls specifically related to password reset requests. It was also leading to user frustration, as clinical staff would be locked out of their applications while any reset process was completed.
Dianne Nixon, head of IT programme management at the trust, is responsible for the delivery of IT services to the organisation and she decided to look at approaches that would remove this problem from the helpdesk and improve user satisfaction.
THE SOLUTION:
In order to solve the password management problems, Nixon chose to look at single sign-on (SSO) where, instead of disparate passwords, users have all their access rights linked to one single network credential. When they open up a new application for access, the user’s log-in details are automatically entered on their behalf.
“We were aware of single sign-on as a technology, but previously it had always been too expensive to implement and required a large amount of support,” she said. “However, one of our IT partners suggested that we look at Imprivata OneSign as a new way to implement SSO, and so we decided to resurrect our interest in this technology.”

Imprivata OneSign is an identity and access management appliance, designed to make SSO and strong authentication management easy, smart and affordable to implement. Using its Application Profile Generator, users can enrol their applications for SSO using a simple drag-and-drop menu system that eliminates any requirement for scripting expertise.
The OneSign appliance is shipped in pairs to provide resilience and business continuity, so that if an appliance fails then service automatically fails over without affecting end users.
Nixon decided to trial the OneSign appliance in a proof-of-concept pilot programme with 200 of the most-intensive users of IT within the trust. This would determine whether the appliance could deliver the results that Nixon and her team were expecting, as well as how SSO could be linked to other technologies.
Following the installation, applications were enrolled for SSO and users had their workstations updated with the OneSign Agent. This would automatically capture their log-in credentials, and then present them to the application the next time they opened up that application screen.
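The mechanism described in both case studies (one strong network log-in, an agent that captures each application credential and replays it later, access limited to applications the user is authorised for, and an audit trail of who opened what) is modelled below. This is an added example, not Imprivata's code or a description of how OneSign is built. Assumptions not taken from the article: PBKDF2-HMAC-SHA256 for the network password, a vault key derived from that same password so stored application credentials are unreadable without a live session, an HMAC-based stand-in for an AEAD cipher so the block needs no third-party library, and an in-memory audit log; all user, application and password values are constructed.

```python
"""Toy enterprise single sign-on vault with an audit trail (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune to the hardware)


def _kdf(password: str, salt: bytes, purpose: bytes) -> bytes:
    """Derive a 32-byte key for a given purpose from the network password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (stand-in for AES-GCM)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def _unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("credential blob tampered with or wrong vault key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class UserRecord:
    salt: bytes
    verifier: bytes                             # PBKDF2 check value for the network password
    entitled: set                               # applications this user is authorised to use
    sealed: dict = field(default_factory=dict)  # app -> sealed "username\0password"


class SsoVault:
    def __init__(self):
        self.users = {}
        self.sessions = {}  # token -> (user, vault key); the key exists only while logged in
        self.audit = []     # (user, app, event) tuples: the audit trail

    def _log(self, user, app, event):
        self.audit.append((user, app, event))

    def enrol_user(self, user, network_password, entitled_apps):
        salt = os.urandom(16)
        self.users[user] = UserRecord(salt, _kdf(network_password, salt, b"verify"), set(entitled_apps))

    def login(self, user, network_password):
        """The one strong network login; returns a session token or None."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(_kdf(network_password, rec.salt, b"verify"), rec.verifier):
            self._log(user, "-", "LOGIN_FAILED")
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = (user, _kdf(network_password, rec.salt, b"vault"))
        self._log(user, "-", "LOGIN_OK")
        return token

    def logout(self, token):
        user, _ = self.sessions.pop(token, (None, None))
        if user:
            self._log(user, "-", "LOGOUT")

    def enrol_app(self, token, app, app_user, app_password):
        """Agent captures an application credential the first time the user types it."""
        if token not in self.sessions:
            return False
        user, key = self.sessions[token]
        rec = self.users[user]
        if app not in rec.entitled:
            self._log(user, app, "ENROL_DENIED")
            return False
        rec.sealed[app] = _seal(key, f"{app_user}\0{app_password}".encode())
        self._log(user, app, "ENROLLED")
        return True

    def open_app(self, token, app):
        """Replay the stored credential, but only into an application the user is entitled to."""
        if token not in self.sessions:
            return None
        user, key = self.sessions[token]
        rec = self.users[user]
        if app not in rec.entitled or app not in rec.sealed:
            self._log(user, app, "ACCESS_DENIED")
            return None
        app_user, app_password = _unseal(key, rec.sealed[app]).decode().split("\0", 1)
        self._log(user, app, "SSO_REPLAY")
        return app_user, app_password
```

Two properties are worth checking in any real deployment of this pattern: the stored application passwords must be unreadable at rest without the user's primary authentication (here the vault key lives only in the session and is never written down), and every replay must be logged against the named user, because after SSO the application's own log sees only the replayed account, not who was sitting at the keyboard. In the trusts' deployments the strong first factor is the NHS smartcard rather than a password.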
Alongside SSO, clinical staff at the trust were also given the National Programme for IT smartcard, which would provide them with secure access into centrally-provided applications such as the NHS Spine.
Imprivata OneSign provides support for this card, along with many other strong authentication options, allowing it to be used as a factor for strong authentication into the trust’s local applications as well, if required.
THE RESULTS:
Following the pilot, Nixon and her team saw that they had substantially reduced the volume of password reset requests that the pilot group were making, as well as improving the efficiency of the clinical staff that were included.
“We saw an immediate reduction in calls, and the number of times that the clinical staff had to enter their passwords was also brought down dramatically,” she said. “In speaking to the clinical staff involved, they also saw the benefits of the project – clinicians have previously expressed on numerous occasions the frustration of having to actively manage numerous usernames and passwords, as it was not unusual for them to enter the required credentials in excess of 200 times a day. “Using OneSign ensures all access is secure and that we can put together a complete audit trail.”
“OneSign provides us with single sign-on and strong authentication for our clinical and non-clinical staff, making their everyday lives easier and ensuring they are not locked out of applications. This overall approach has improved staff efficiency, providing the trust with a significant return on investment.”

With this success, Nixon has overseen the roll-out of OneSign across the rest of the trust to a mixture of clinical and non-clinical staff. One of her overall aims for the programme was to create a more-flexible, efficient system of accessing applications and patient data for clinicians. In order to achieve this, and increase the value delivered by its identity management platform, she also decided to implement a clinical context management strategy, based on Fusion from Carefx.
“Clinical context management involves creating links between applications and automating workflows based on what activities the clinician is carrying out, and the type of data they are accessing. As a user opens up patient data screens, further information that is relevant to those inquiries is brought up from the other applications, allowing it to be accessed in future,” explained Nixon. “By taking this approach, we can reduce the number of steps that are required to complete tasks. Our workflow was reduced from requiring 29 steps to be completed to just nine, automating around two-thirds of the process. This makes them more efficient, and improves the quality of care that our clinical staff can offer by letting them concentrate on the patient, not on using IT.”
The Fusion from Carefx implementation relies on the Imprivata OneSign SSO system in order to support employees being delivered the right information, as well as ensuring their access privileges are at the right level. Fusion aggregates applications to synchronise the patient, user and individual encounter with a patient record. The user’s credentials are entered into the relevant application screens in the background. As the clinical user moves from application to application, all the data and other applications are switched automatically to ensure the necessary information is to hand immediately, rather than requiring users to go through multiple screens to access the data they require. When the user is finished with that patient, all the relevant screens on that patient are also closed in the background.
“We chose Carefx for a number of reasons,” Nixon said. “Its solutions are based on an open and scalable architecture, enabling seamless interoperability with our existing IT investments, while the level of success and satisfaction reported by Carefx clients that we spoke to was impressive. With our OneSign appliance in place, we have a complete identity management platform to support our clinical context deployment successfully. Our clinicians are seeing additional performance enhancements due to the clinical context system on top of the benefits from single sign-on and strong authentication. Overall, we have a strategy in place now to improve security and clinician efficiency for the foreseeable future.”
WHAT DO YOU THINK THE IT PRIORITIES ARE FOR TRUSTS? WHAT ARE THE SIMPLEST SOLUTIONS TO MEETING STRICT DATA PROTECTION REGULATIONS?