1. Mayo Single Sign On and Patient Context (MSL- CCOW) MN HIMSS Technical Overview
May 17th, 2006
Mr. Behrens, Mr. Neumann and Mr. Magnuson
2. MSL – CCOW – What are we covering
SSO – what it is in general
SSO – things about vendors
SSO – drawbacks
MSL – the basics
MSL – the benefits
Biometrics – the basics
CCOW – what it is
CCOW – the benefits
CCOW – how it works
3. SSO – In general
SSO is a security application
3 tenets behind SSO: the authentication factors
Something you have
Something you know
Something you are (a biometric)
2 types of SSO
Application (usually a toolbar or web page); could have a biometric front end
Strong (desktop oriented)
Mayo Single Logon (MSL) is the desktop type: the user really does use one set of credentials to log on, and desktop security and user access are monitored with help from the operating system (authorization and policy).
Privacy Curtain, CA, etc. are the application type: the user logs on once to the LAN and then has to log on again to get a toolbar or Explorer window (portal) with applications attached to it. The credentials passed through are whatever was used to log on to the application.
4. SSO -- Vendor Single Sign-on (General)
A lot of vendors have one
Have HIPAA centralized logging
User and account administration
Sometimes biometric support
They use an authentication server
They manage the users' passwords for them
Password management is limited
Uses active wizards and brokers changes
5. SSO -- Vendor Single Sign-on (Drawbacks)
Limited OS flexibility and application interfaces
Bad vendor experiences (buyouts, bankruptcies)
Changes take time; not responsive
Reluctant to make changes for one customer
If the authentication server is down, now what? (it is a single point of failure)
Limited support for server types and configurations (support, management and growth become issues)
Password management?
Biometric support (which types of devices?)
6. MSL -- Basics
Basic single logon capabilities
Single point of user account management
Secondary security after LAN authentication
Desktop security to meet HIPAA requirements
Secured screensaver with current-user logoff capability
Auto logoff after a preset period of screen inactivity
Centralized logging of desktop access
7. MSL -- Basics (continued)
Support for account suspension
Support for account revocation
Support for password expiration after a defined time period
Ability to support customizable settings for preloaded applications
8. MSL -- Basics (continued)
Created a set of application interfaces so applications can get user credentials and information securely.
Support for a variety of ways applications can communicate with MSL (DDE, RPC, screen scraping, ActiveX control, web service, CCOW, etc.)
9. MSL -- Benefits
Eliminates multiple logons
Supports existing policies and desktops
Account control (revoked, suspended)
Disables the "Shutdown" button during the software distribution process, which keeps the machine from being left in an unusable state
Reduces the time to activate and use an application
Secures the workstation with an automatic secured screen saver and inactivity logoff (definable per workstation)
Secures the electronic record with the same automatic secured screen saver and inactivity logoff
10. MSL -- Benefits (continued)
Central point of logging for workstation activity
Runs on multiple software platforms (NT, W2K, XP)
Runs on multiple hardware platforms (Citrix, TS, wireless)
Works with standard infrastructure tools (e.g., LANdesk, Remote32, Siteminder)
Allows use of future biometric devices
Fingerprint, voice, etc.
Smartcard, building access cards
Application that allows the user to customize auto-start applications
11. MSL -- Biometrics
Authentication methods (2 types):
Biometrics – fingerprint, iris, face, palm, voice
Access keys – key plugs, smart cards, PIN cards
Access keys need a second validation point, usually a PIN, because they can be stolen
Typing a username and password is usually faster
Biometric authentication is slow unless templates are cached locally: 1-2 minutes for iris and voice, 2-5 minutes for fingerprint. The time really depends on searching and comparing against every stored template image (a 1:N identification). If a PIN (index) is added, as in fingerprint scan plus PIN, the search collapses to the one template for that index (1:1 verification) and is much faster, but this requires manually touching the keyboard.
12. MSL -- Biometrics (continued)
The real difference between vendors is the mathematical algorithm used to create the digital template from the captured image, and how that template is stored, encrypted/decrypted and transferred.
If you are going to do biometrics, do 2 types. As with healthcare generally, one type will never cover all the people, either because of the jobs they do or because they have a biometric that easily fails to enroll or to match.
If using biometrics, you first need to determine what False Acceptance Rate (FAR) and False Rejection Rate (FRR) you will tolerate before choosing, as each form of biometrics has its own rates. Basically: what level of user pain (FRR) can you handle, and how do you handle a false acceptance (FAR)?
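The FAR/FRR decision above is a threshold choice on the matcher's similarity score, and the two rates move against each other. The following is an added example, not code from the Mayo deck or any biometric vendor: the match scores are constructed, and the functions show how fixing a FAR ceiling determines the FRR (the user pain) you get, and where the Equal Error Rate point that vendors usually quote sits.

```python
"""Added example (not from the Mayo deck): how a biometric matcher's False
Acceptance Rate (FAR) and False Rejection Rate (FRR) follow from the match-score
threshold an operator chooses, and how a FAR ceiling fixes the FRR (user pain)
you end up with.  All scores below are constructed for illustration."""

# Constructed matcher output on a 0..100 similarity scale.  A genuine attempt
# compares a person against their own template; an impostor attempt compares
# them against someone else's.  Real distributions overlap in the same way.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 60, 55]
IMPOSTOR_SCORES = [12, 18, 25, 31, 38, 44, 51, 57, 63, 69]


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for the policy "accept if score >= threshold".

    FAR: share of impostor attempts accepted (a security failure).
    FRR: share of genuine attempts rejected (a usability failure).
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep the threshold and return (threshold, FAR, FRR) where the two rates
    are closest.  This Equal Error Rate point is the figure vendors usually
    quote, so compare devices at their EER rather than at one flattering rate."""
    best = None
    for t in range(0, 101):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Pick the lowest threshold (least user pain) whose FAR stays within the
    policy ceiling, and report the FRR the users will have to live with.
    Returns (threshold, FAR, FRR); threshold 101 means nothing is accepted."""
    for t in range(0, 101):
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return 101, 0.0, 1.0


if __name__ == "__main__":
    print("EER point  :", equal_error_threshold())
    for ceiling in (0.1, 0.0):
        print(f"FAR <= {ceiling:.1f} :", threshold_for_max_far(ceiling))
```

On the constructed scores, demanding zero false acceptances pushes the threshold to 70 and rejects 30% of genuine attempts, which is the "user pain" the slide warns about; this is why the deck recommends a second biometric type as a fallback for the people a single modality keeps rejecting.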
13. MSL -- Biometrics (continued)
Applications need to be written to accept the ticket generated by the authentication. If applications use databases on the back end, they need to be modified to use the ticket and to let the biometric agent handle password expiration and resetting. This part is tricky: if the biometric server falls over, people might not know their password, so a password management strategy is needed to support the fallback process.
If applications do not handle tickets, an intermediary is needed that takes the ticket and unlocks a vault holding the stored usernames and passwords; again a password management strategy is needed for fallback.
When planning, test enrollment on real people at your site, not the vendor's engineers, and do not trust their benchmarks.
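The ticket-to-vault intermediary described above, as an added example that is not MSL's or any vendor's code. The ticket format (HMAC-signed JSON carrying a username and expiry), the shared signing key, the vault contents and the user and application names are all this example's assumptions; the point it shows is that the intermediary checks the signature before it parses anything, refuses expired tickets, and releases only the one user's entry for the one application asked for.

```python
"""Added example (not MSL's or any vendor's code): an intermediary that accepts
the ticket produced by a successful authentication and releases that user's
stored application credentials from a vault.  The ticket format (HMAC-signed
JSON with an expiry) and the shared key are this example's assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets and vault contents for illustration.  The signing key is
# shared only between the authentication server and the intermediary; the vault
# would be encrypted at rest in a real deployment.
TICKET_KEY = b"auth-server-to-intermediary-key"
TICKET_TTL = 300  # seconds a ticket stays valid
VAULT = {
    "clinician01": {
        "labsystem": ("clin01", "Lab-Pass-2006"),
        "radiology": ("c01", "Rad-Pass-2006"),
    },
}


def issue_ticket(username, now=None, key=TICKET_KEY):
    """Authentication server side: bind a username and expiry under an HMAC."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now + TICKET_TTL)},
                         sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_ticket(ticket, now=None, key=TICKET_KEY):
    """Intermediary side: return the username if the ticket is intact and
    unexpired, else None.  The signature is checked before the payload is
    parsed, so a forged payload is never acted on."""
    now = time.time() if now is None else now
    try:
        p64, s64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # malformed ticket (bad split or bad base64)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    return claims["sub"]


def release_credentials(ticket, app, vault=VAULT, now=None):
    """Unlock the vault entry for one application.  A valid ticket reaches only
    its own user's entry, so one stolen ticket cannot enumerate the vault."""
    user = verify_ticket(ticket, now=now)
    if user is None:
        return None
    return vault.get(user, {}).get(app)


if __name__ == "__main__":
    t = issue_ticket("clinician01")
    print("labsystem credentials:", release_credentials(t, "labsystem"))
    print("tampered ticket      :", release_credentials(t[1:], "labsystem"))
```

The slide's fallback warning applies here too: if the authentication server that issues tickets is down, nothing can unlock the vault, so the password management strategy must cover how users recover their underlying application passwords without it.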
14. MSL -- CCOW – What is it?
CCOW is a vendor-independent standard developed by the HL7 organization to allow clinical applications to share information at the point of care.
Using a technique called "context management", CCOW allows information in separate healthcare applications to be unified so that each individual application is referring to the same patient, encounter or user. CCOW works for both client-server and web-based applications.
15. MSL -- CCOW – What is it?
This means that when a clinician signs on to one application within a CCOW environment and selects a patient, that same sign-on is simultaneously executed on all other applications within the same environment, and the same patient is selected in all of them, saving clinicians time and improving efficiency.
The advent of CCOW reflects a growing need in healthcare to offer clinicians secure, unified access to disparate clinical data at the point of care. Other technologies improving point-of-care access include wireless hardware, clinical web portals and single sign-on solutions.
The acronym CCOW stands for "Clinical Context Object Workgroup", a reference to the standards committee within the HL7 group that developed the standard.
16. MSL – CCOW -- Benefits
Greater flexibility of choice for health providers when purchasing healthcare applications, because CCOW offers widespread interoperability between software from different vendors
Rapid, unified access for clinicians to patient data when they need it
17. MSL – CCOW -- Benefits
CCOW's single sign-on management capabilities improve user efficiency (fewer time-consuming sign-ons to applications)
Context-oriented workflow: clinical users can find and compare the patient information they need quickly and easily, supporting better clinical decision-making
Leverages existing investment: by CCOW-enabling existing IT resources, healthcare providers can realize the benefits of a single sign-on, patient-centric IT system without major re-investment in new technologies.
18. MSL -- CCOW – How does it work?
The CCOW standard provides a mechanism for applications to share information so that they appear to behave as a single system. This shared information is known as the context.
An example of information stored in the context is the name and various identifying numbers of a patient. Applications on a CCOW-enabled desktop sharing a 'Patient' context will all display information about the same patient. Other standard contexts include 'User' and 'Encounter'.
19. MSL -- CCOW – How does it work?
CCOW specifies that a Context Manager component is responsible for maintaining the context. Applications are Context Participants: they synchronize by querying the context manager for the current context, and they go through the context manager when they wish to change it. CCOW also supports Mapping Agents, which map equivalent identifiers when the context is updated, so applications can interoperate without sharing the same identification information for patients or users.
20. MSL -- CCOW – How does it work?
CCOW specifies security protocols that must be obeyed when the context includes 'secure subjects' such as user information: a participant that is not authenticated to the context manager cannot change who the logged-on user is. This prevents malicious users from gaining access to applications, or parts of applications, by faking context information.
CCOW provides two options for communication between components: a Web (HTTP) mapping and an ActiveX mapping. This allows interoperation to occur even between applications employing different technologies.
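The roles on the three slides above (context manager, context participants, mapping agent, secure subject), as an added example that is not the HL7 CCOW protocol and not Mayo's implementation. The message shapes, the participant and subject names, the lab-id-to-MRN table and the HMAC-with-passcode check used to protect the 'User' subject are this example's simplifying assumptions; they illustrate the behaviour the slides describe, not the standard's wire format.

```python
"""Added example: a simplified model of the CCOW roles (context manager,
context participants, a mapping agent and a secure subject).  This is
illustration, not the HL7 CCOW wire protocol; the message shapes, the
identifier table and the HMAC passcode check are this example's assumptions."""
import hashlib
import hmac


def _canonical(subject, items):
    """Stable byte form of a context change, used for signing."""
    return "|".join([subject] + [f"{k}={v}" for k, v in sorted(items.items())]).encode()


def sign_change(passcode, subject, items):
    """What a participant holding a passcode attaches to a secure-subject change."""
    return hmac.new(passcode, _canonical(subject, items), hashlib.sha256).hexdigest()


class ContextManager:
    """Holds the shared context and fans out changes to every other participant."""

    SECURE_SUBJECTS = {"User"}  # changes here must be signed with a passcode

    def __init__(self, passcodes):
        self.passcodes = passcodes      # participant name -> shared passcode
        self.context = {}               # subject -> items (e.g. Patient -> ids)
        self.participants = {}          # participant name -> change callback
        self.mapping_agents = []        # callables(subject, items) -> items

    def join(self, name, on_change):
        self.participants[name] = on_change

    def get_context(self, subject):
        return dict(self.context.get(subject, {}))

    def set_context(self, subject, items, participant, signature=None):
        """Apply a context change; returns False if it is refused."""
        if participant not in self.participants:
            return False
        if subject in self.SECURE_SUBJECTS:
            passcode = self.passcodes.get(participant)
            if passcode is None or signature is None:
                return False  # an app without a passcode may not set the user
            expected = sign_change(passcode, subject, items)
            if not hmac.compare_digest(signature, expected):
                return False  # tampered or forged change
        for agent in self.mapping_agents:
            items = agent(subject, items)
        self.context[subject] = dict(items)
        for name, callback in self.participants.items():
            if name != participant:
                callback(subject, dict(items))
        return True


# Constructed identifier table: the lab system knows patients by LabId, the
# EHR by MRN.  A mapping agent adds the equivalent id so both can follow along.
LAB_TO_MRN = {"L-4471": "MRN-000123"}


def patient_id_mapping_agent(subject, items):
    if subject == "Patient" and "LabId" in items and "MRN" not in items:
        items = dict(items, MRN=LAB_TO_MRN.get(items["LabId"], "UNKNOWN"))
    return items


def run_demo():
    """Wire two apps to one context manager and return what each observed."""
    cm = ContextManager(passcodes={"EHR": b"ehr-passcode"})
    cm.mapping_agents.append(patient_id_mapping_agent)
    seen = {"EHR": [], "LabViewer": []}
    cm.join("EHR", lambda s, i: seen["EHR"].append((s, i)))
    cm.join("LabViewer", lambda s, i: seen["LabViewer"].append((s, i)))

    results = {}
    # Patient is not a secure subject: any participant may select a patient.
    results["patient_ok"] = cm.set_context("Patient", {"LabId": "L-4471"}, "LabViewer")
    results["patient_ctx"] = cm.get_context("Patient")
    # User is secure: LabViewer has no passcode, so it cannot change who is logged on.
    results["user_unsigned"] = cm.set_context("User", {"id": "mallory"}, "LabViewer")
    # A registered app presenting a bad signature is refused as well.
    results["user_forged"] = cm.set_context("User", {"id": "mallory"}, "EHR",
                                            signature="00" * 32)
    good = sign_change(b"ehr-passcode", "User", {"id": "clinician01"})
    results["user_signed"] = cm.set_context("User", {"id": "clinician01"}, "EHR",
                                            signature=good)
    results["user_ctx"] = cm.get_context("User")
    results["seen"] = seen
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:14}: {value}")
```

When the lab viewer selects a patient, the EHR is notified with both the LabId and the MRN the mapping agent added, so it can open the same chart without ever having known the lab's identifier; when the lab viewer tries to set the 'User' subject it is refused, which is the secure-subject rule that stops a rogue desktop application from signing everyone on as someone else.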
22. Questions ???? Terry Behrens
(507) 284-1897 tlbehrens@mayo.edu
Troy Neumann
(507) 255-6353 Neumann.Troy@mayo.edu
Dale Magnuson
(507) 255-5233 Magnuson.Dale@mayo.edu