Knowing This Buzzword Is Worth $$$
You “roll the dice” when you post a password. Single Sign-On (SSO) is a method of central user verification. It is the basis for an even easier-to-implement variant called Social Sign-On, where authentication is delegated to an independently maintained service.
As it turns out, SSO and its “social” variant can also make for a more secure overall ecosystem for the Providers who navigate it daily.
Let’s take just a moment to talk about value in terms of dollars saved or spent.
HIPAA enforcement is a sound investment.
Have you ever posted a user name and password on a sticky note next to your screen? Sure you have. Everyone does it.
Do you realize that your password sticky note is a flagrant violation of HIPAA law, punishable by up to $50,000 a year, per incident? Avoiding that sticky note will save you a lot of money.
But what’s the big deal? Why?
Were a hacker to use that note to compromise your patient data or gain access to hospital systems connected to that workstation, that one incident may result in hundreds or thousands of records accessed – each one a violation of the law. You could well be spending up to $1.5 million this year for that one misstep. Oh, and that is assuming you can prove you did it unknowingly.
Compliance can also be convenient.
There is some good news, though: fixing this problem will very likely make your business run smoother and free up time you can spend on patient care. Studies such as the 2012 ONC/SAMHSA-sponsored pilot systems showcase SSO as one way to reduce prescription drug abuse. Having only one identity to manage makes it easier to focus on the task at hand, and that consistently produced tangible improvements toward the goal.
SSO is just one necessary aspect of Healthcare Information Exchange (HIE)
More data exchange means more risk points and a greater need for secure, central management.
This will impact Independent Providers and small Provider groups the most.
Dis-incorporated agencies pose a much greater risk as information changes hands. Think about all of the many unconnected or loosely connected systems you may use throughout the workday.
User authentication is an ongoing challenge because we must track each username and password. With growing regulatory requirements for password length, complexity, storage and access, the process becomes more than burdensome with each added system.
We know what happens then: passwords are forgotten, easy-to-remember ones reused, and yellow sticky notes start appearing on computer screens. Not good.
Solution Choices: Lesser of Evils
SSO products have continued to trickle forth for at least five years now — most of them achieving modest adoption relative to the need. Here’s what is holding the technology up:
- Traditional SSO: Cost, because components are complex and require enterprise planning
- Cloud Services: Implementation costs defrayed, but really just deferred as the system evolves
- Social “Piggy Back”: Much smaller solution scope, missing pieces and widely untrusted
1. Traditional SSO is expensive, complicated and business-risky
Traditional Single Sign-On solutions require a common “platform”, a dedicated “channel” and some sort of sophisticated authentication process. Connecting internal systems from two independent businesses is not only expensive, it opens potential security vulnerabilities.
Also, the scope of traditional SSO goes well beyond user verification. It can include a full range of user attributes (titles, roles, addresses, etc.), Access Control Lists (the resources to which the user has access), and some sort of Directory function that allows org-chart-like structuring of, and programmatic access to, ALL of the above.
For small businesses, doing such connections is both expensive and risky. SSO is simply out of budgetary reach.
Enter “Cloud” Sign-On…
2. Cloud alternatives need broad adoption before success
A handful of independent services, like Janrain’s OpenID, have definitely lowered the cost of entry by moving the process outside your firewall, into the “cloud”. The mechanism works much the same way as traditional SSO, but the guts of it are protected and maintained somewhere else. To implement it, you must create and maintain a new user identity, and each participating system must adopt this central mechanism in order to take advantage of it. Despite the generally lower cost, adoption is still a challenge.
Enter “Social” Sign-On…
3. “Social Sign-On” may be just enough solution for the cost, but no one trusts it
Since around 2009, email providers and social sites like Facebook have evangelized a simplified Cloud mechanism called “Social” Sign-On. This allows users to verify just their identity and optionally permit the use of a small subset of personal information.
Are they usable? Will they satisfy regulatory requirements? Are there concerns of intermingling personal and professional accounts?