
The Value of Enterprise SSO to HIPAA Compliance

By : Imprivata
INFORMATION
Published : Nov 02, 2005
Length : 12
Type : White Paper
 
Overview :
When the U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA) of 1996, among the law's many provisions was the establishment of formal regulations designed to protect the confidentiality and security of patient information. In addition to mandating new policies and procedures, the HIPAA security regulations require mechanisms for controlling access to patient data on healthcare providers' information technology (IT) systems. In response to these challenges, a growing number of healthcare institutions are turning to Enterprise Single Sign On (ESSO) solutions to help them comply with HIPAA's security requirements. ESSO solutions require a user to remember and provide just one set of credentials (user name and password) to access the full portfolio of applications, data, and services for which that user is authorized.
When the U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA) of 1996, among the law's many provisions was the establishment of formal regulations designed to protect the confidentiality and security of patient information. Congress set a series of deadlines for healthcare institutions to comply with the new regulations, including an April 2005 deadline for the security requirements.

In addition to mandating new policies and procedures, the HIPAA security regulations require mechanisms for controlling access to patient data on healthcare providers' information technology (IT) systems. As the April 2005 deadline draws closer, meeting these IT security and access management requirements is proving to be a challenge for many institutions, for a number of reasons, including:

- Complex IT environments: Most hospitals' IT environments include a diverse assortment of legacy, PC and Web applications, both internal and external. Any access control methods they employ must address all applications and platforms in their environments.

- Complex legacy applications: Many healthcare institutions still rely heavily on legacy systems for which the software code has grown increasingly complex over time. In many cases, institutions lack the resources to modify application code written years or decades earlier.

- Uncharted territory: While the government body responsible for enforcing the HIPAA regulations, the Office of Civil Rights in the U.S. Department of Health and Human Services, has published the requirements for HIPAA compliance, it has left it to the discretion of healthcare providers to determine how best to meet those requirements.

- Overburdened IT departments and help desks: As the number of internal and external applications grows, so does the number of passwords that employees must remember. Every time an employee forgets a password, IT departments and help desks, already strained from budget cuts and reduced staffing, must devote time and resources to resolving the problem. At the same time, user frustration intensifies, and productivity drops.

- Cost: Many healthcare IT organizations lack the funding to undertake any HIPAA-related projects that would require large capital outlays.

- Time: Development and deployment of enterprise-wide access control mechanisms can often require months or years of effort, thus precluding the possibility of organizations meeting the April 2005 compliance deadline.

- User cooperation: Many access control methods, such as strong password policies, can put much of the burden of compliance on application users by requiring them to memorize multiple complex passwords and change them frequently. Institutions are likely to encounter increased help desk calls regarding forgotten passwords, as well as resistance from physicians and hospital staff if the user requirements of HIPAA compliance are perceived as too onerous.

To compound these challenges, a number of vendors have made false or exaggerated claims that their software solutions are "HIPAA-compliant" or "government-certified." In fact, there is no government certification program for HIPAA compliance and each healthcare organization must establish its own certification process.

In response to these challenges, a growing number of healthcare institutions are turning to Enterprise Single Sign On (ESSO) solutions to help them comply with HIPAA's security requirements. ESSO solutions require a user to remember and provide just one set of credentials (user name and password) to access the full portfolio of applications, data, and services for which that user is authorized.

Ways in Which the Right ESSO Solution Satisfies HIPAA Security Requirements

To achieve HIPAA compliance, organizations need to adopt and enforce a range of policies, processes and procedures. ESSO solutions can help ensure the success of these initiatives. However, the technologies, capabilities, costs and requirements of ESSO solutions vary greatly. In order to select the right ESSO solution, healthcare providers should look for products that address key aspects of HIPAA security requirements.

Other Advantages ESSO Should Deliver to Healthcare Providers

The proper ESSO solution should also support the unique requirements of healthcare environments with the following capabilities:

- Shared workstation support: Multiple users should be able to sign on to a shared workstation without logging out of the desktop. One-button lock/unlock and single sign-on/off should also be supported.

- User accountability: The ESSO solution needs to record user access events and log files, providing detailed reports on application access by user and by application.