
Tip of the month of September, 2007 - Week 3

SSO BEST PRACTICES

As your organization gets ready to design a SSO solution, the following are important factors to consider:

  • Target Audience
  • Application Types
  • Application Access and Privilege
  • Deployment Mode
  • Account Management

As you develop your requirements for SSO, consider the following questions to address with vendors you may be evaluating:

    • How does the product handle individual password resets?
    • What is the pricing model offered for the product?
    • Which specific customers are using the product? Identify any specific modules or related modules that may be used by these customers.
    • What are the specific requirements for server(s) that may be required for the product?
    • How can disaster recovery requirements be addressed so that users are not impacted if the primary server is down?
    • If there is a requirement for strong authentication, which specific products would the vendor recommend be used with their solution?
    • What is the audit capability of the product to detail each occurrence of patient information access across all applications?

    Call for a customized proposal to address your challenges in implementing single sign-on in your environment. The HIPAA Academy will conduct a comprehensive assessment of your identity and access management requirements and provide you with a roadmap for implementing a solution that would be valued by clinicians.

    On-Site HIPAA Training. Get HIPAA Academy to Your Site! Save Time and Money

    HIPAA Academy, the industry’s leading provider of HIPAA training, certification and consulting, has delivered content and exams for HIPAA Academy’s Certified HIPAA Professional (CHP) and the Certified Security Compliance Specialist™ (CSCS™) to organizations at their site. We can customize the content to meet your requirements. 2007 clients include many hospitals, long term care organizations, BCBS, several business associates and leading firms such as IBM, HP, E&Y, Kaiser Permanente and others.

    For more information visit www.aha-solutions.org, contact Lorna Waggoner at 1.877.899.9974 x17 or visit www.HIPAAAcademy.net


    Single Sign-On (SSO)

    Compliance requirements such as those defined in the HIPAA Security Rule identify Person or Entity Authentication as a Standard within the legislation (§ 164.312(d)) that requires covered entities to implement procedures to verify that a person or entity seeking access to electronic protected health information (EPHI) is the one claimed. There are two additional requirements in the HIPAA Security Rule that closely relate to this Standard. They are:

    • Unique Identifiers (part of Access Control Standard, § 164.312(a)(1))
    • Password Management (part of Security Awareness and Training Standard, § 164.308(a)(5))

    These requirements for unique usernames and password controls across systems and applications are leading healthcare organizations to closely examine single sign-on (SSO) as an effective mechanism to minimize the number of passwords that end users such as clinicians and others need to remember. SSO can also reduce the administrative burden of complying with federal regulations, as well as the costs associated with password management (resets, forgotten passwords, terminations and others).

    With the number of passwords users have to remember these days, it may be best for organizations to seriously review support for Single Sign-On (SSO) capability.

    By deploying SSO solutions, healthcare organizations can:

    • Strengthen security controls and better safeguard critical business information and corporate identities
    • Assist with compliance requirements related to authentication, termination procedures, access control and audit control
    • Improve the user experience and productivity
    • Reduce help desk and other administrative costs

    For a complimentary quick reference card on ISO 17799:2005 (ISO 27002), the international security standard, please email technologysolutions@aha.org


     

    Last updated: September 25, 2007