Single sign-on system removes password chaos at East Kent NHS Trust

By Ron Condon, U.K. Bureau Chief
25 Nov 2009 | SearchSecurity.co.UK


When lives are at stake, no doctor or nurse wants to be locked out of a system because he or she cannot remember a password. Getting the job done and helping the patient will always override any concerns of information security.

But security is still important in the medical world, and patient privacy has to be protected. Any security measures therefore have to be as transparent as possible – and certainly should not prevent legitimate users from doing their jobs.

Until recently, the 8,000 members of staff at East Kent Hospitals University Foundation NHS Trust were drowning in a sea of different passwords that they needed to remember to access various parts of the network.

"Users had multiple applications with usernames and passwords," said Nicola Ellingham, a project manager at the trust. "It was the usual story – usernames and passwords kept on the back of smart cards or ID badges, or kept in books by computers, or even written on the computers."

In addition, one user would often tailgate another without logging in with his or her own credentials, just to save time. "There was always a danger that something could happen to a patient, an entry would be put into the patient administration system, and we would not know who did it," said Ellingham.

She was brought in to find an alternative system that would strike the balance between security and ease of use for the staff who cover a large area of East Kent, including three major hospitals and about 20 smaller centres.

At the time, there was no co-ordinated policy on passwords. Responsibility for application passwords lay with the individual application managers and so, as she said, "it could be quite arbitrary. It was a local decision, and not mandated by the head of IT."

Email and network passwords could be reset by a help desk service provided by an outside body, the Health Informatics Service. But that would run from only 9 to 5, Monday to Friday, and so anyone needing help with a password reset would have to wait – or share someone else's credentials.

But that is now in the process of changing. Since August, the trust has been implementing a single sign-on (SSO) product, the OneSign appliance-based system from Imprivata, Inc.

Before choosing OneSign, Ellingham said she looked at several possible products, all of which did a similar job: allowing users to authenticate themselves just once to gain access to all their authorised applications. But the choice was complicated by the fact that East Kent, unlike most other trusts, still uses Novell Netware, from Novell Inc., to run its networks and Novell eDirectory for its user accounts.

She was anxious to choose a single sign-on system that would not destabilise their complex infrastructure. "We wanted something that would not interfere with our user directory. We didn't want anything that would sit on it or change the schema in it," she said. "Our eDirectory is very large, and had not been well managed. It had a lot of redundant accounts, and we were reluctant to do anything that would de-stabilise that schema. We wanted a solution that would provide a black box between the user and the schema. That's what attracted us to an appliance-based solution."

The Imprivata system was also able to link to multiple types of directories, which was another requirement, because East Kent needs to connect to other NHS bodies that run Active Directory.

The rollout
East Kent has installed three OneSign appliances, one at each of its principal hospitals, mainly to provide redundancy in case of a failure.

The first phase of the project has been to get the single sign-on system to learn how each application handles logins, so that it recognises a login screen, a successful login screen, a login error screen, and so on.

Ellingham said that most of this has now been done, with 68 separate applications profiled so far on the system. "Profiling is quite easy," she said. "Imprivata has some ingenious tools for getting around the idiosyncrasies of some applications that behave in strange ways. Most of the time it all works beautifully."
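The profiling step described above, as an added illustration that is not Imprivata's OneSign code: a profile records how to recognise an application's login screen, post-login screen and login-error screen, and the agent types vaulted credentials into the login screen. Screens are modelled here as dicts with a title and a fields dict, constructed for the example (a real agent reads window text or the DOM); the PAS profile, field names and screen titles are assumptions. The part worth noting is the attempt limit: an agent that keeps replaying a stale vault password will lock the account it was meant to help.

```python
"""Added example, not Imprivata's OneSign code: application 'profiling' in
miniature. A profile tells the agent how to recognise an application's login,
post-login and login-error screens; the agent fills in the login screen from
the vault and stops after a bounded number of failures. Screens are dicts with
a 'title' and a 'fields' dict, constructed for this example."""
import re
from dataclasses import dataclass


@dataclass
class AppProfile:
    name: str
    login_title: str       # regex on the window/page title of the login screen
    user_field: str        # name of the username control on that screen
    pass_field: str        # name of the password control
    success_title: str     # regex for the screen shown after a good login
    error_title: str       # regex for the screen shown after a bad login
    max_attempts: int = 2  # kept below the application's own lockout threshold


# Constructed profile for a hypothetical patient administration system (PAS).
PAS_PROFILE = AppProfile(
    name="PAS",
    login_title=r"^PAS - Log in$",
    user_field="user",
    pass_field="pwd",
    success_title=r"^PAS - Patient search",
    error_title=r"Log in failed",
)


def classify_screen(profile: AppProfile, screen: dict) -> str:
    """Return 'login', 'success', 'error' or 'unknown'. The error pattern is
    tested first because many apps show the error on top of the login form."""
    title = screen.get("title", "")
    fields = screen.get("fields", {})
    if re.search(profile.error_title, title):
        return "error"
    if re.search(profile.success_title, title):
        return "success"
    if (re.search(profile.login_title, title)
            and profile.user_field in fields and profile.pass_field in fields):
        return "login"
    return "unknown"


def replay_login(profile: AppProfile, screens: list, creds: dict, audit: list) -> str:
    """Walk the screens the application shows, in order, filling in the login
    form from the vault. Returns 'success', 'failed' or 'incomplete' and records
    each action in `audit` so it is attributable to the signed-on user."""
    attempts = 0
    for screen in screens:
        kind = classify_screen(profile, screen)
        if kind == "login":
            if attempts >= profile.max_attempts:
                audit.append(f"{profile.name}: giving up for {creds['username']} "
                             f"after {attempts} attempts; vault password may be stale")
                return "failed"
            screen["fields"][profile.user_field] = creds["username"]
            screen["fields"][profile.pass_field] = creds["password"]
            attempts += 1
            audit.append(f"{profile.name}: submitted credentials for "
                         f"{creds['username']} (attempt {attempts})")
        elif kind == "error":
            audit.append(f"{profile.name}: login error screen for {creds['username']}")
        elif kind == "success":
            audit.append(f"{profile.name}: login succeeded for {creds['username']}")
            return "success"
        # 'unknown' screens (splash pages, banners) are left alone
    return "incomplete"


def sample_screens(outcome: str) -> list:
    """Constructed screen sequences: 'good' logs in at the first attempt,
    'stale' bounces back to the login form as a wrong vault password would."""
    def login():
        return {"title": "PAS - Log in", "fields": {"user": "", "pwd": ""}}
    error = {"title": "PAS - Log in failed"}
    if outcome == "good":
        return [{"title": "PAS splash"}, login(), {"title": "PAS - Patient search"}]
    return [login(), error, login(), error, login()]
```

Run `replay_login(PAS_PROFILE, sample_screens("stale"), creds, audit)` to see the agent give up after two submissions rather than drive the application's lockout counter; the audit list is what lets a later investigator say which user the replay was for.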

The aim of SSO, of course, is to make it easy for people to log in, but because one sign-on now unlocks every application a user is entitled to, that initial authentication has to be more rigorous than the passwords it replaces: relying on a single username and password would be wildly insecure.

The solution for this is the NHS smart card – a chip-based card that is being issued gradually to all NHS staff. Current models fit into a reader, but a new generation will be proximity cards, which will allow busy clinical staff just to step up to a terminal, enter their PIN, and gain immediate access.

So far, East Kent has registered about 500 users, with the rate of progress limited by how many staff have been issued with smart cards. "Our biggest problem has been to get the SSO software and the identity agent software provided by Connecting for Health [the governing body for IT in the NHS] for connecting to smart cards, out on to the desktops," said Ellingham.

As she said, if they were using Active Directory and SMS (Microsoft Systems Management Server), it would have been fairly easy to distribute the software to targeted groups, but they have been forced to write special scripts for the job or do manual installation.

User enrolment
The first time users log in with their smart card on the new system, OneSign recognises it as a new certificate and initiates an association process with the user directory, so that the card is associated with the user account.

Users then log on to their applications in the normal way, entering their usernames and passwords (hopefully for the last time), and these are recorded by the single sign-on system.

The next time they log in, they merely insert their smart card, enter a single passcode (the card's PIN), and the SSO takes care of all the application logins. If they forget their smart card, the system will allow them to authenticate by answering a series of pre-registered security questions (for instance, mother's maiden name); because that knowledge-based route is weaker than card and PIN, it will be used sparingly.
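The enrolment and sign-on flow described in the last three paragraphs, as an added example that is neither Imprivata's nor the trust's code: the first use of a card binds its certificate to a directory account, application passwords are captured once into a vault, later sign-ons need card plus PIN (or, as the weaker fallback, pre-registered security answers), and every replay is written to an audit trail against a named user, which is the accountability the trust was missing when staff tailgated on each other's sessions. The directory, the card, its on-chip PIN check and the account names are all simulated in memory and are assumptions, not how OneSign or NHS smart cards actually work.

```python
"""Added example (not Imprivata's or the trust's code) of card enrolment,
credential capture, card+PIN sign-on, the security-question fallback and the
audit trail. Directory, card and PIN check are simulated in memory."""
import hashlib
import hmac
import os

# Constructed stand-in for the user directory (eDirectory in the article).
DIRECTORY = {
    "jbloggs": {"cn": "Joe Bloggs", "disabled": False},
    "aleaver": {"cn": "Ann Leaver", "disabled": True},   # a redundant account
}


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes: a stable handle for the card."""
    return hashlib.sha256(cert_der).hexdigest()


class SmartCard:
    """Simulated card: a constructed certificate blob plus a PIN check with a
    retry counter, standing in for the check a real chip does on-card."""
    def __init__(self, account: str, pin: str, tries: int = 3):
        self.cert_der = b"constructed-cert-for:" + account.encode()
        self.subject_account = account   # assumed to be a certificate subject attribute
        self._pin = pin.encode()
        self.tries_left = tries

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left <= 0:
            return False                 # card is blocked
        if hmac.compare_digest(self._pin, pin.encode()):
            self.tries_left = 3
            return True
        self.tries_left -= 1
        return False


class SsoAppliance:
    def __init__(self):
        self.card_bindings = {}   # cert thumbprint -> directory account
        self.vault = {}           # account -> {app: (username, password)}
        self.fallback = {}        # account -> {question: (salt, pbkdf2 hash)}
        self.audit = []           # who did what, via which authentication method

    def enrol_card(self, card: SmartCard):
        """First use of a card: bind its certificate to an active account.
        Returns the account name, or None if the binding is refused."""
        tp = cert_thumbprint(card.cert_der)
        if tp in self.card_bindings:
            return self.card_bindings[tp]
        acct = card.subject_account
        entry = DIRECTORY.get(acct)
        if entry is None or entry["disabled"]:
            self.audit.append(f"enrol refused: card {tp[:12]} names unknown or disabled account {acct}")
            return None
        self.card_bindings[tp] = acct
        self.vault.setdefault(acct, {})
        self.audit.append(f"enrol: card {tp[:12]} bound to {acct}")
        return acct

    def capture_credentials(self, account, app, username, password):
        """Recorded the first time the user logs in to each application.
        A real vault encrypts these at rest; this example keeps them in memory."""
        self.vault[account][app] = (username, password)
        self.audit.append(f"vault: stored {app} credentials for {account}")

    @staticmethod
    def _hash_answer(answer: str, salt: bytes) -> bytes:
        norm = " ".join(answer.lower().split())   # case- and whitespace-insensitive
        return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)

    def register_fallback(self, account, answers: dict):
        self.fallback[account] = {
            q: (salt, self._hash_answer(a, salt))
            for q, a in answers.items() for salt in [os.urandom(16)]}

    def sign_on_with_card(self, card: SmartCard, pin: str):
        tp = cert_thumbprint(card.cert_der)
        acct = self.card_bindings.get(tp)
        if acct is None or not card.verify_pin(pin):
            self.audit.append(f"sign-on refused: card {tp[:12]} (bound to {acct}), "
                              f"tries left {card.tries_left}")
            return None
        self.audit.append(f"sign-on: {acct} via card+PIN")
        return acct

    def sign_on_with_questions(self, account: str, answers: dict):
        """Weaker fallback for a forgotten card; flagged as such in the audit."""
        expected = self.fallback.get(account, {})
        ok = bool(expected) and all(
            hmac.compare_digest(self._hash_answer(answers.get(q, ""), salt), h)
            for q, (salt, h) in expected.items())
        self.audit.append(f"sign-on {'ok' if ok else 'refused'}: {account} via fallback questions")
        return account if ok else None

    def replay(self, account: str, app: str):
        """Hand back the vaulted credentials for one app, attributing the use."""
        creds = self.vault.get(account, {}).get(app)
        if creds is not None:
            self.audit.append(f"replay: {account} -> {app} as {creds[0]}")
        return creds
```

The audit list is deliberately written on refusals as well as successes, and marks fallback sign-ons separately, so that a later investigator can tell a card-and-PIN sign-on from one that relied on a maiden name.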

Finally, as part of the rollout, a member of each department has been trained up as an SSO champion, so that they can answer any queries and help their colleagues with any problems.

It is early days, but Ellingham hopes it will not only cut down on helpdesk calls, but more importantly, that password policies can now be properly operated right across the trust, without the help of sticky notes stuck to computer screens.




