Finding the right balance between security and convenience is often tricky for healthcare providers, especially as technology continues to quickly evolve. Implementing stronger access controls and healthcare authentication options can help ensure that only authorized individuals can access, use, and transport sensitive data.
Proper employee training will also help users understand how to work new access control measures into their regular workflow, and not set up more hurdles for users in the process.
Seattle Cancer Care Alliance (SCCA) wanted to have secure remote access to its systems and data, but did not want to burden users with additional authentication steps. SCCA Information Security Architecture Manager Chad Hoggard told HealthITSecurity.com about the treatment and research center and why it opted for adaptive authentication through SecureAuth.
Hoggard has been with SCCA for a little over one and a half years, and had previous experience as a security manager.
SCCA is an alliance of the University of Washington, Fred Hutch, Cancer Research Center, and Seattle Children's, he explained. SCCA is focused on cancer treatment and is involved in research.
“We're the clinical implementation of a lot of the cancer research performed at Fred Hutch, but our providers are not really with us,” Hoggard said. “They’re providers at either Seattle Children's, University of Washington Medicine, or Fred Hutch and they'll practice here and have patients that they see only through the SCCA.”
Hoggard explained that he oversees the whole information security program from the strategy to the delivery.
“I work with the business, work with our other leaders, and come up with where we need to go based on where we are now and what we need to work on,” he said. “I’ll choose different projects, technologies, and things that we need to focus on to improve ourselves and address the increasing risks for the business related to information security.”
While SCCA has been around for 16 years, it has really come into its own over the last eight or nine years, explained Hoggard, especially from an IT perspective of self-management.
SCCA is also part of the Alliance of Dedicated Cancer Centers (ADCC), he added.
Remote access needs fueled search for new authentication option
Hoggard noted that SCCA had not been particularly mature in the security space, and there had been issues with individuals falling for potential phishing attacks. It was determined before Hoggard joined SCCA that a two-factor authentication solution would be a good option, he said.
“They had waited to launch it until I came on board,” he said. “I had had previous experiences with deploying a two-factor solution. As soon as I began, I started to come up with what those business strategies were, and it really came down to remote access.”
Remote access was the primary driver for why SCCA wanted to go down that path, he added, and why it was concerned about scams to gain usernames and passwords. SCCA didn't want that to turn into a loss of patient information.
Hoggard mentioned that because SCCA shares some of its systems with partner organizations, it was also important to potentially cut down on the number of different usernames and passwords that employees must remember. If there could be tools to effectively federate some of that, he said, everyone can benefit.
With Fred Hutch, for example, Hoggard explained that SCCA is utilizing a draft platform that is an identity provider for the same authentication.
Patient data security, physician workflow not hindered with change
Hoggard said that the new authentication option has been great so far, especially with how it addressed the potential risk with remote access.
“We're still addressing user security awareness to have them not click on the wrong things,” he stated. “There's certainly a peace of mind in knowing that a lost username and password doesn't have quite the high level of risk that it used to, as far as access into the system.”
Overall, it's improved SCCA in that it is more confident in its ability to keep hackers out, and in that it really hasn't changed the workflow, Hoggard explained. SCCA has also tried to minimize the impact on employees with the change in authentication workflow.
“The system is configured to differentiate between someone coming in from home where we want to possibly step up the type of authentication – that factor – to if they're within our facility or a partner facility,” he said. “They may not have to provide another factor when they log in. It will be the same experience.”
When SCCA looked at other solutions, such as the classic key fob or a mobile app one-time password, Hoggard said they knew that those aren't often well-received if they are required all the time.
“The ability we have to do system fingerprinting and have a high-degree of confidence that it's still the right person coming in and making it easier on their authentication has certainly been well-received,” he stressed. “Users really liked that. When they come in a second time and now they're just asked for a username and password.”
Hoggard noted that there are many long-term benefits from implementing the new authentication option.
“As far as a platform, we are really starting to utilize it as this central place for authentication,” he said. “We're looking at the various benefits of what the different multi-factor methods might be, and some of the step up type options for when we think that there is increased risk based on where someone is coming from, or what they're doing, or what time of the day it might be.”
SCCA is looking at some of those features as well to enhance security. Furthermore, while still in the early stages, SCCA has already taken advantage of the self-service password reset functionality, Hoggard said. That was really done for folks who were remote and who have already onboarded themselves within the multi-factor system.
Now, if they need to reset their password for whatever reason, they can do that through other mechanisms. For someone who's sitting at one of SCCA’s computers, that won't help them because they still have to have logged in to get to the portal.
He added that SCCA is also looking at a Microsoft login modification, so users can do that during their login prompt. Hopefully, it will cut down on service desk calls for more password resets, Hoggard explained, even though there has already been a benefit of having the self-service password reset portal.
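The step-up behavior described in this section (no extra factor inside an SCCA or partner facility, a second factor for remote logins, and a lighter login once a remote device is recognized) can be sketched as a small policy function. This is an added example, not SCCA's or SecureAuth's code; the network ranges, usual-hours window, key, and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from datetime import time

# Constructed values: documentation IP ranges, demo key, assumed usual hours.
TRUSTED_NETWORKS = {
    "facility": [ipaddress.ip_network("192.0.2.0/24")],
    "partner": [ipaddress.ip_network("198.51.100.0/24")],
}
USUAL_HOURS = (time(6, 0), time(20, 0))
FINGERPRINT_KEY = b"constructed-demo-key"  # placeholder; real keys live in a secret store


def fingerprint(attrs):
    """Keyed hash over sorted device attributes, so raw values are not stored."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(FINGERPRINT_KEY, canon.encode(), hashlib.sha256).hexdigest()


def network_zone(source_ip):
    """Classify the source address as facility, partner, or remote."""
    addr = ipaddress.ip_address(source_ip)
    for zone, nets in TRUSTED_NETWORKS.items():
        if any(addr in net for net in nets):
            return zone
    return "remote"


def enroll_device(known, user, attrs):
    """Record a device after the user has passed a second factor on it."""
    known.setdefault(user, set()).add(fingerprint(attrs))


def required_factors(user, source_ip, attrs, login_time, known):
    """Return (factors, reasons) for one login attempt."""
    if network_zone(source_ip) != "remote":
        return ["password"], []  # on-site or partner site: same experience as before
    reasons = []
    fp = fingerprint(attrs)
    if not any(hmac.compare_digest(fp, k) for k in known.get(user, ())):
        reasons.append("remote login from unrecognized device")
    start, end = USUAL_HOURS
    if not (start <= login_time <= end):  # assumed time-of-day risk signal
        reasons.append("remote login outside usual hours")
    return ["password"] + (["second_factor"] if reasons else []), reasons
```

Client-reported device attributes can be copied, so the fingerprint here only lowers friction for a returning device; the returned reasons are worth logging so that step-up decisions can be audited.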
Considerations when looking for an authentication option
Finding a platform that presents numerous options is one thing that healthcare organizations looking for multi-factor authentication solutions should consider, Hoggard said.
“The more options you have for your users, the better experience they'll have,” he explained. “They'll find their preferred method, and having the newer adaptive qualities, they can cut down on the qualities typically seen as leading to a negative user experience.”
An ideal point to get to with data security and user experience is one without passwords, and to go beyond two-factor authentication and have “many, many factors,” according to Hoggard. Instead, user behavior will dictate authentication.
For example, how users move their mouse and where they’re located are both parts of what makes up a user’s true identity.
“Then we can really enhance our level of security while still making it easier on the person, rather than remembering 20 different usernames and passwords that you have for all these different applications,” Hoggard said. “Looking at someone who's really forward looking at these adaptive authentication options can really cut down on issues of user acceptance, as well as keep a high degree of security and confidence that you're not letting the wrong people in.”