How Sunnybrook secures patient records

As Veterans Week approaches, a major Toronto veterans’ hospital is rolling out a single sign-on service designed to protect patient information.


Sunnybrook Health Sciences Centre, which employs about 1,500 physicians and 5,000 nurses, uses a combination of single sign-on software and radio-frequency identification (RFID) cards to make it easier for health care workers to access the software they need while ensuring only authorized users can access patient information.


The hospital is currently using the system at its family practice and at its suburban Bayview campus, which was founded in 1948 to treat war veterans and has since expanded to include other services, including a burn unit, a regional trauma centre and a cancer treatment facility.


Sunnybrook’s IT director, Oliver Tsai, said the organization plans to expand its system to workers at its other locations, including the women and babies’ centre at the former Women’s College Hospital and the Holland Orthopaedic and Arthritic Centre.


“Our intention is to roll this out to all clinical users,” Tsai said.


Health workers use a variety of software at Sunnybrook, including EDIS, made by Isoft Group PLC of Banbury, England, and Telus Corp.’s Oacis electronic medical record.



To allow users to sign on to multiple applications, Sunnybrook uses Vergence, made by Sentillion Inc. of Andover, Mass.


Vergence includes a desktop software component, a Dell server running a Linux operating system and a library of about 500 bridges to third-party applications.


Sunnybrook chose Vergence because it allows different departments to choose their own software. That means medical staff at any given workstation may require access to more than one application, and they do not want to lose time logging in more than once.


“A user walks up, taps their ID badge on the RFID reader, types in their password and that logs them in the system and all the applications they’re authorized to use,” Tsai said. “If they leave that PC the sensor identifies they left the PC and automatically logs them out of all applications.”


He added Sunnybrook used fingerprint readers in a trial but decided to authenticate using RFID cards instead because the hospital had problems with the readers when oil built up on them.


Sally Hudson, research director for security products and services at IDC, International Data Group Inc.’s Framingham, Mass. research unit, said biometrics is not ready for widespread adoption.


“There is certainly a percentage of the population whose fingerprints can’t be read for one reason or another,” Hudson said. “It’s not something that should just be used universally, at least not yet.”


James Quin, senior analyst with London, Ont.-based Info-Tech Research Group, said hackers can defeat some of the cheaper biometric devices including fingerprint readers and facial scanners.


“To get ones resistant and resilient to fraudulent access, you end up spending a lot of money,” he said. “You need to invest in infrastructure to use the technology.”


Quin added some fingerprint readers work in three dimensions, which are much harder to hack, but they cost more and employees need to take time to learn how to use them.


“The reality is, biometrics is a really high level security – a paranoid-level security tool.”


Tsai could not provide the total amount Sunnybrook paid for Sentillion’s product.


Sentillion’s vice-president of services, Margaret Thomas, said the vendor has a price list but does not publish it.


Thomas said passive proximetry, where users need to type in a password and tap a card against a reader, is becoming more popular as a strong authentication measure.


She said when proximetry first came out, the intent was that a health care worker would be automatically logged in when they passed within a certain distance of the reader. But in practice, this did not always work well.


“If you think about an emergency room where you have 15 work stations at a nurses’ desk, all with badge readers and 20 people walking around, it does not work well because as someone walks by their badge logs them in,” she said. “Many customers are moving to ‘tap and go’ or passive proximetry. They have to tap (the card) down to log in and tap it down to log out.”


She added active proximetry may be more suitable in a pharmacy, which is not as hectic as a nurses’ station.



Pharmacies have other security issues, said David Ting, chief technology officer and founder of Lexington, Mass.-based Imprivata Inc.


If you’re a pharmacist, he said, you could set up your system so that employees can log on only when they are physically in the pharmacy, that is, after swiping their card on the door lock to gain physical access.
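The door-lock-gated logon Ting describes, combined with the badge-tap-plus-password step Tsai described earlier, as an added illustration of how such a policy can be checked (hypothetical policy code written for this article, not Imprivata’s or Sentillion’s own logic; the event kinds, time windows and workstation-to-zone map are all constructed assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy, not Imprivata's or Sentillion's own logic: a logon is
# granted only if the password verified, the badge was tapped at that exact
# workstation within TAP_WINDOW, and the same badge entered the workstation's
# zone through its door lock within PRESENCE_WINDOW with no later badge-out.
TAP_WINDOW = timedelta(seconds=30)
PRESENCE_WINDOW = timedelta(hours=8)
WORKSTATION_ZONE = {"ws-pharm-01": "pharmacy", "ws-er-03": "emergency"}  # constructed
@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    kind: str       # "door_in", "door_out" or "tap"
    location: str   # zone name for door events, workstation id for taps

def latest_event(events, badge, kinds, location, now):
    """Most recent event of the given kinds for this badge and location, at or before now."""
    hits = [e for e in events if e.badge == badge and e.kind in kinds
            and e.location == location and e.ts <= now]
    return max(hits, key=lambda e: e.ts, default=None)

def authorize_logon(events, badge, workstation, password_ok, now):
    """Return (allowed, reason). Denials name the failed check for the audit log."""
    if not password_ok:
        return False, "password rejected"
    zone = WORKSTATION_ZONE.get(workstation)
    if zone is None:
        return False, "unknown workstation"
    tap = latest_event(events, badge, {"tap"}, workstation, now)
    if tap is None or now - tap.ts > TAP_WINDOW:
        return False, "no recent badge tap at this workstation"
    door = latest_event(events, badge, {"door_in", "door_out"}, zone, now)
    if door is None or door.kind == "door_out":
        return False, f"badge not currently inside {zone}"
    if now - door.ts > PRESENCE_WINDOW:
        return False, f"door entry to {zone} is stale"
    return True, "ok"

# Constructed sample events: badge-17 enters the pharmacy, taps a pharmacy
# workstation, leaves four hours later; badge-42 taps without ever badging in.
T0 = datetime(2009, 11, 2, 8, 0)
EVENTS = [
    Event(T0, "badge-17", "door_in", "pharmacy"),
    Event(T0 + timedelta(minutes=5), "badge-17", "tap", "ws-pharm-01"),
    Event(T0 + timedelta(hours=4), "badge-17", "door_out", "pharmacy"),
    Event(T0 + timedelta(hours=4, minutes=1), "badge-42", "tap", "ws-pharm-01"),
]
```

The reason string returned on denial is what a reviewer would want in the access log: it distinguishes a stolen password from a badge that was never inside the room.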


Imprivata’s products are designed to manage and audit passwords and access control.


Ting said IT organizations have become good at “securing the boundaries” but need to focus more on the threat from negligent or malicious employees.


“Today identity management has a far more important role in providing that security to your IT resources,” he said. “There have been too many incidents where IT resources have been compromised by insiders with full knowledge.”


Ting referred to two incidents last year in the U.S.


A year ago, the U.S. Federal National Mortgage Association (commonly known as Fannie Mae) fired an IT contractor. Five days later, a Unix engineer discovered a script designed to damage 4,000 servers by erasing all data and overwriting it with zeros. The U.S. government alleged the contractor loaded the script after he was told he was fired but before his access privileges were taken away.


The second incident involved a telecom administrator for the City of San Francisco, who, in July 2008, allegedly reset administrator passwords to routers and refused to disclose them.


Ting said Imprivata has a lot of customers in health care and banking that use its system for single sign-on and strong authentication.


“Pretty much everybody needs that type of software,” Hudson said of multi-factor authentication. “Passwords in themselves are inherently weak.”


Hudson said in the past, secure identification tokens have been used in financial services firms to protect sensitive data. Technology firms and pharmaceutical manufacturers also use them to protect intellectual property, Hudson added.


“But they are usually not rolled out to the general population of computer users,” Hudson said. “Some people don’t need that level of authentication.”

