Guest post by Dean Wiech, managing director, Tools4ever.
Passwords are everywhere. Despite the endless headlines about their death and sure destruction in countless publications across the globe, passwords are and will continue to be used in nearly every business setting for the foreseeable future. Whether you’re a physician making the rounds in a hospital, a mechanic at a service garage, a CIO for a major software firm, a bank teller logging into several applications to assist customers or an employee at a manufacturer, chances are better than average that you access these systems with a user name and password.
Organizations of all sizes use credentials for their employees to ensure security of the information in their systems, and to protect against unwanted access to the data in the systems. As with any solution used, once in play there’s bound to be some issues incurred with these passwords. Regardless of how many passwords employees need to remember and how often they need assistance to reset them, passwords remain crucial ingredient to a network’s security protocols.
Passwords: Where We Have Come
The first passwords were created in the 1960s for MIT’s Compatible Time-Sharing System. Passwords were first used because several users needed to access the system as unique entities. Each user created a password, which were then stored on the computer system. However, program leaders soon learned that this method of storage did not work after one user who wanted more time on the computer simply printed out the passwords from the machine and logged in as a different user than himself – since each user was only granted so much time per week under their identity. Thus, program leaders discovered that program needed more secure methods for password usage and storage. This also was likely the first recorded data breach anywhere in the world.
The next phase led to encrypted passwords so that no one could easily go in to steal all of the users’ credentials, as was the case at MIT. Passwords began protecting secure information rather than just taking on a gatekeeper role. As they spread into business and workplaces worldwide, passwords became encryption devices that could not easily be hacked or pilfered.
Finally, millions of organizations began to rely on computers, obviously, for all of their business needs and users needed to enter credentials for each system they needed to access. To easily remember all of these passwords, users began to either user very simple passwords or the same password for each system. Again this became an issue since hackers utilized tools to easily compromise the password and gain access to the systems.
Where We Are Today
Welcome to today. As we know, organizations are overwhelmed by the issue of password breaches. Solution? To mitigate this problem, organizations often require employees to use complex passwords, each unique to the different systems they are using. To say the least, this process has evolved into a difficult mental exercise. According to a recent Tools4ever survey, end users access up to an average of 12 different systems and applications to perform their jobs. Humans are usually only capable of remembering about six complex passwords at the most. The rest get written down or filed on some random Excel sheet on the computer’s desktop. So what are they doing to remember all of their credentials?
Of course this defeats the purpose of the use of complex passwords for security, and often leads to frustration of users who take their anger out on the help desk, which is usually overwhelmed by such problems already. Think customer service is considered quality in these organizations? Usually not when these types of processes are in place.
The problems don’t end there. Employee productivity is cut when they must deal with these types of password maintenance issues. For example, every day in a typical healthcare setting, 91 minutes are wasted because of inefficient systems and workflows. On average, healthcare providers login to workstations and applications 70 times per day and spend an average of only 46 percent of their time on direct patient care.
Think of the great things your teams could do if they didn’t have to worry about logging in and out of workstations as they care for patients. While the data accessed may differ from department to department and facility to facility, what remains the same is the fact that, if multiple passwords and login credentials are in-play, there is a high probability that productivity is being negatively impacted. Providing direct access to systems and tools when and where it’s needed is key.
Password issues can also have a huge effect on your employee’s productivity. Think about how long it takes to resolve an issue when an employee is locked out of their account and needs to get a password reset? They need to contact the helpdesk, start a ticket, request that the helpdesk team resets the password, log in then get back to the work they need to accomplish. All of this is time that is taken away from the project they are working on, or the patient they are supposed to be helping. On the technical side, depending on the size of the organization, password management can require a full-time position at a large organization, since one of the top calls to the helpdesk is for password resets.
Another problem with passwords: all the steps, or “clicks,” and authentication processes some employees need to take just to access their applications. When time is critical, such as in hospitals, or when customer service is a priority, every minute counts and passwords can become a deterrent. If nothing else, they can be a time waster, as the 91 lost minutes suggests.
When these issues start to effect productivity of your employees is when it becomes an issue. So as the password and authentication process has evolved and become increasingly complex, how can organizations easily resolve the issues that have come about?
Guest post by Dean Wiech, managing director, Tools4ever.
Identity and access management (IAM) in healthcare continues to be a growing part of the industry. The management of identities, user accounts and access to both data and applications is a large task for hospitals and healthcare organizations. In the healthcare industry especially, the need to follow strict access and security rules and regulations exists, which makes IAM even more challenging. This need has led to newer solutions to meet the needs of healthcare organizations.
Here are the top four account management issues in healthcare that can be significantly improved:
Onboarding of Employees
The first issue that many healthcare organizations face is efficiently onboarding new clinicians and employees. For example, when a new doctor or nurse begins employment, they need their account created, and the correct access to the systems and applications they require in order to assist patients. The issue is, too often, new employees are waiting idle while all of their access and accounts are created.
By streamlining and automating the account management processes, this issue can be improved. Automating the process allows administrators to easily enter new employee’s information into a source system, such as the HRM system and check off which systems the employee needs access to and accounts in; and the new accounts are automatically created.
Changes to Accounts
Next, there is the issue of movement or changes to an employee account throughout their employment. Often, clinicians need to contact their manager to ask for permission for a change to or additional access, who then in turn needs to contact IT or HR to have the change carried out.
IAM software with workflow management capabilities has evolved to assist with this situation. A web portal with workflow can be set up so that employees can easily request changes to their account and then have it securely carried out.
As an example, a nurse moves to a different unit, or floor, and needs access to a different set of data or applications. A nurse can easily request the access through a portal and the request is automatically sent to the correct people for approval. Once the approval is given, the change automatically is made. If the request needs multiple levels of approval, it will move to the next person in line. In addition, all of these changes are logged so that the healthcare organization knows exactly what changes are made, when they were made and who approved them.
In this series, we are featuring some of the thousands of vendors who will be participating in the HIMSS15 conference and trade show. Through it, we hope to offer readers a closer look at some of the solution providers who will either be in attendance – with a booth showcasing and displaying key products and offerings – or that will have a presence of some kind at the show – key executives in attendance or presenting, for example.
Hopefully this series will give you a bit more useful information about the companies that help make this event, and the industry as a whole, so exciting.
Tools4ever is focused on ensuring secure and compliant user and authorization management, which is often complicated within healthcare institutions because of the relatively high employee turnover and absenteeism. Deploying an automated identity administration solution that integrates with EHR systems will automate the user account lifecycle and help to resolve these problems. In addition, healthcare employees often need quick, but secure access to many different systems and applications. Tools4ever’s password management solution can help reduce many of the password issues clinicians’ experience.
Tools4ever distinguishes itself through a no nonsense approach and a low total cost of ownership. In contrast to comparable identity management solutions, Tools4ever delivers a complete solution in just weeks rather than months or years. Thanks to this approach, Tools4ever is one the largest vendors in IAM with more than 5 million managed user accounts. Tools4ever delivers a variety of software products and integrated consultancy services covering identity management and access management, such as user provisioning, password management, and single sign-on (SSO).
Jacques Vriens established Tools4ever in 1999 and has expanded Tools4ever into a global software company. The initial focus was on tools for system administrators but building upon the knowledge and experience gathered in the early years, he quickly expanded the product portfolio into identity and access management.
Guest post by Dean Wiech, managing director, Tools4ever.
No matter the industry, each time a purchase is made, business leaders always want to know what they are getting in return for their financial investment. Questions frequently asked include: “How is this going to help me?” and “What is my return on investment?” Another phrase, often uttered by “Mr. Wonderful” Kevin O’Leary from the popular show Shark Tank is, “What am I getting for my investment?”
By examining the answers to these questions, business managers and organizational leaders must ensure that their budget is being adhered to and that purchases by the organization are considered, or proven, not to be a “waste” of money.” Often, return on investment (ROI) is a combination of both “hard” and “soft” costs and savings, which can often be difficult to determine. The “hard” cost is easy to define: What am I spending now versus what will I be spending on a different product, solution or system, or by doing nothing? Alternately, how is this solution going to allow me to save money in the long run? In this scenario – “hard” costs and savings — there is a definitive dollar figure that is able to be applied to implementing a solution.
“Soft” savings are a bit more of a complex issue; they are more difficult to determine and to document. For example, time and labor saved, or stress saved by employees completing a task that takes 10 minutes versus 35 minutes are soft savings. Soft savings also might be seen in improvements in customer service or in the customer experience. It is difficult to put a dollar amount on these scenarios and improvements, but they do impact a business, its success and its financial performance.
Time is money, of course, but in the case of healthcare perhaps it’s more fitting to say that “time is life.” This savings equates to valuable potential life-saving time, as we well know, and, in turn, improves patient care. As healthcare organizations seek ways to allow clinicians the ability to focus more on patients rather than on information technology, there are some solutions available — many that that are often overlooked that allow them to reach their goals. Some of these technology solutions provide a direct correlation between a physician’s ability to enter an information system, retrieve or enter information and get back to focusing on patient care. Essentially, with these types of solutions, like access and identity management, physicians can get back to work more quickly and their interaction with the technology is reduced.
In any industry passwords can be a hassle to manage, but perhaps this is no more true than healthcare. Password strategies are put in place to keep data secure, including patient’s information, but they often cause headaches for clinicians. And since every minute matters in the clinical setting, any process that takes longer than necessary can become a major problem when patient outcomes hang in the balance.
Since providers often need to access their own systems, as well as patient data and treatment history quickly, to assist patients, something as simple as getting locked out of systems or forgetting credentials to accounts is time consumer and tedious to overcome. Contacting the helpdesk and waiting to get passwords reset wastes what little time caregivers have to with patients. Simplifying password resets can give critical time back to caregivers and support staff in the care setting.
Easier said than done, of course. Many healthcare organizations resist implementing any type of password solution because they don’t want to bombard clinicians with yet another new technology. One of the major reasons being that they assume the implementation and training time are lengthy and because they’re currently bogged down by a variety of other pressing issues, such as meaningful use and preparing for the transition to ICD-10 in October 2015.
Also, because healthcare organizations must abide by strict rules and regulations, implementing password solutions can sometimes be an issue. In addition, healthcare’s leaders need to ensure that any new technologies implemented follow these regulations.
An Easy Solution to Password Reset Issues
Several leading healthcare organizations have opted to use self-service password reset solutions to easily solve their password reset issues. Just as banking websites allow consumers to reset their passwords, end users can easily reset their passwords after correctly answering security questions that they previously provided answers to. Clinicians simply click the “forgot my password” button and can easily reset their password from anywhere at any time. This allows clinicians to proactively solve the problem without have to contact another department for help.
Guest post by Dean Wiech, managing director, Tools4ever.
Once again, the media abuzz with a massive theft – 1.2 billion email addresses and password – by a hacking group supposedly based out of Russia. In a case like this, it does not matter how secure your password is – lots of characters, number, upper and lower case, etc. — because the hackers accessed the providers and pulled the information. This type of attack is much different than someone breaking into your computer or smart device and stealing the confidential information from there where a thief might be able to directly access all your accounts. In this case, they “might” be able to access your email account and then again, they might not.
There a couple of interesting items left out of all the various stories. First, were the passwords encrypted? It seems that any self-respecting form that is strong passwords in conjunction with a user name would do something as simple as an encryption algorithm and not store them in plain text. If they were encrypted, were they stored using an irreversible hash with a leading edge algorithm? Many techniques are readily available to insure encryption with hashing, salting and obfuscation, cannot be easily broken, if at all.
The other thing that has not been explicitly mentioned is what sites were hacked. We hear that upwards of 500,000 websites could have been hacked, but no one is coming forward to name any specific sites. Were Facebook, Gmail, Hotmail or other major sites compromised? If so, why are they not sending out notifications to change passwords in a similar fashion to what eBay did back in May when they were attacked?
Let’s assume, for a moment, the providers figured no one could ever hack into their systems so the passwords were stored in plain text along with the email addresses. How can we protect ourselves from these diabolical hackers? The answer is quite easy – change your passwords on all of your accounts and do it on a regular basis. If all 1.2 billion users that had their information stolen did this tomorrow, the hacked information would become useless overnight.
Dean Wiech, managing director of Tools4ever, a global provider of identity and access management solutions, has worked in healthcare for more than 25 years. Here, he discusses how IAM enhances the ROI for health systems, and how the solutions make patient care more efficient, how they work in healthcare, and how systems and records can be made more secure — for patients and providers — because of the technology.
Tell me about yourself and your experience in healthcare.
I have been actively selling software solutions in the healthcare market for 25 years. I have sold and/or managed teams in about 50 percent of the country. I have always focused on solutions that provided a definable ROI based on productivity and time savings.
Tell me about Tools4ever. How does the company serve the space? Tell me about your products and how they are used in healthcare.
Tools4ever is a company that focuses on the identity and access governance space. We assist the healthcare market in insuring that the lifecycle of user accounts are managed in a timely and accurate manner. We also have solutions that save care providers time by eliminating repetitive login tasks and avoiding the need to call the help desk for password resets
How is Tools4ever different than some of the competitors in your space?
I believe our primary differentiator is time to implement. We can get the basics up in running in a few days to a few weeks, depending on the solution. The majority of our competitors take months to years to complete an install. The result is the healthcare organization can realize a much quicker benefit from the product and a quicker ROI.
What’s your footprint like in healthcare and who are some of the organizations you work with? How do you help them?
We have numerous hospitals and long-term care providers across the country. One example is South County Hospital in Rhode Island. It utilizes our Self Service Reset Password Management (SSRPM) solution to allow end users to reset forgotten network passwords. We then synchronize that password to several other solutions to allow a reduction in the number of credentials the employee needs to remember.
Another example is a major university hospital in New York City. It uses our user management solution for several tasks. The most recent example is provisioning patients to the network to allow them to view their records on a mobile device provided by the hospital for the duration of their stay. We also implemented a password self-service reset function to allow the patients to reset their passwords without a further burden on the help desk.
Providence Hospital, located in downtown Columbia, South Carolina, is a 247-bed hospital founded in 1938 by the Sisters of Charity of Saint Augustine to minister to the community, in both body and spirit. The facility is best known for the expertise in cardiac care it provides through Providence Heart and Vascular Institute. With a hospital staff of more than 2,000 nurses, doctors and hospital administrators, Providence Hospital needed to standardize setup of user accounts and reduce the amount of time network engineers spent assigning rights in Active Directory.
Tony McNeil, technical manager said, “We have more demands on our department and we are not getting any additional staff because of the economic situation. Therefore, we have to work smarter and we need tools that help us work more efficiently.”
This became a perfect opportunity to put into action a permanent process for user account life cycle management utilizing Tools4ever’s complete User Management Resource Administrator solution.
Providence Hospital decided to implement UMRA to mainstream the provisioning process from the time an employee is hired and entered into the hospital developed, web based security application to the time they are entered into Active Directory. The previous process took nearly 2 days to complete before a user was ultimately provisioned in all systems. Now the process allows for an almost immediate creation of a user account with the correct provisioning. A web form allows for the assignment of group privileges and permissions to individual users. The application also creates the appropriate Exchange mailbox and creates a home folder for the employee on the appropriate share drive.