Multi-Factor Authentication (MFA) and Single Sign-On (SSO) help increase the efficiency of medical staff and simplify and speed up logging on shared computers.
Hospital Jihlava, a contributory organization, is a medical facility in Jihlava, the largest hospital in the Vysočina Region. It provides health care, including outpatient and inpatient basic and specialized diagnostic and medical care, necessary preventive care, and pharmacy activities. The hospital's capacity is 712 beds, and it has 56 medical branches and 1,500 employees. Around 25,000 patients are hospitalized here every year, and 400,000 outpatient treatments are performed here. Every year, 7,500 surgeries are done, a third of which are acute.
In 2020, we started looking for a solution to simplify the process of logging on to computers. The hospital environment is very specific: dozens of users share a large number of computers. The Imprivata project started as a PoC and immediately became an essential part of operations. Imprivata significantly simplifies logging into applications - using the employee's ID card - and helps us meet the Cyber Act requirements for multifactor authentication. The advantage of the new solution became remarkably apparent during the COVID-19 pandemic, when compliance with hygiene rules became an even more pressing issue. When paramedics spend most of their working time in protective suits, signing in with a card is impractical. That's why the supplier came up with an improvement: the cards were replaced with contactless bracelets.
Mgr. David Zažímal
Deputy for Informatics and Cyber Security
Initial situation and project goals
During daily activities, doctors and nurses use many applications and systems, which they access from various computers in wards, examination rooms, and inspection rooms in different parts of the hospital. At the same time, users have to access the company's e-mail or Intranet almost daily. To ensure high security and protection of medical records, Hospital Jihlava was forced to gradually move from group accounts (such as "Nurses1") to personal accounts (Surname, First Name), so that every user has a unique identity as required by the Cyber Security Act. That brought two fundamental problems. The first was the number of applications and web services that users had to log in to all the time. The second was the large number of so-called shared computers - for example, in examination rooms or nurses' rooms, where staff take turns during their working hours and where repeatedly logging in and out takes much time.
This way of working became unsustainable in the long run. Users resorted to not logging out, so several people could end up working under someone else's identity, and actions in the medical records could no longer be attributed to the person who actually performed them.
This is why Hospital Jihlava decided to purchase a solution that allows the existing employee ID cards (already used for access to buildings and the car park and for meal ordering) to be used for authentication to the entire application environment. The goal was to ensure a high level of security in accessing applications while significantly speeding up login and logout:
- secure access to medical records,
- saving users time when working on a PC,
- facilitating and speeding up logins to computers and applications,
- reducing the number of forgotten-password reset requests,
- eliminating the need to remember several passwords for different applications,
- two-factor authentication, which arises as a side effect of implementing the solution.
Description of the solution
User devices - computers, laptops - are equipped with a contactless reader for NXP MIFARE cards. The Imprivata Agent component is installed on the end devices, which provides multifactor login by tapping a card and entering an optional PIN. The user can perform the initial card and PIN enrollment independently, using the self-service wizard. The user can enroll one or more authentication devices to log in, such as a card and a contactless bracelet.
Logging in and out takes a few seconds: tapping the card on the reader "switches" the session from the existing user to the new one. At the same time, the SSO (Single Sign-On) module performs automatic login into applications (FONS Enterprise, PACS, JIVEX, Lekis, LIMS, Operis, and others) without the need to enter a login name and password manually. The end-user devices are in the so-called "hybrid Azure AD joined" mode, which means they are members of the local Active Directory and Azure AD simultaneously. That allows seamless (SSO) login to applications running on Microsoft Azure, e.g., Office 365 (Word, Excel, OneDrive, Outlook, Teams, etc.).
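The seamless Azure SSO described above only works when each endpoint really is in the hybrid state, so a practitioner will want to verify that before troubleshooting sign-in prompts. The following PowerShell check is an added example, not code from Hospital Jihlava or Imprivata; it assumes a Windows 10/11 endpoint with the built-in `dsregcmd` tool, and the function name `Test-HybridAzureAdJoin` is ours.

```powershell
# Added example (not from the hospital or Imprivata): confirm an endpoint is
# "hybrid Azure AD joined" before expecting seamless SSO to Azure-hosted apps.
# Assumes Windows 10/11 with the built-in dsregcmd tool; the function name is ours.
function Test-HybridAzureAdJoin {
    [CmdletBinding()]
    param()

    # dsregcmd /status prints "Key : Value" lines; parse them into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }

    $domainJoined  = $status['DomainJoined']  -eq 'YES'
    $azureAdJoined = $status['AzureAdJoined'] -eq 'YES'

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        # Both flags must be YES for the hybrid state the page describes.
        HybridJoined  = ($domainJoined -and $azureAdJoined)
        TenantName    = $status['TenantName']
    }
}

$result = Test-HybridAzureAdJoin
if (-not $result.HybridJoined) {
    Write-Warning "$($result.ComputerName) is not hybrid Azure AD joined; Azure SSO will fall back to interactive sign-in."
}
$result
```

Run it in an elevated session on a shared workstation; a device that reports DomainJoined but not AzureAdJoined has not completed device registration and will keep prompting for Office 365 credentials despite the local SSO working.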
The pilot deployment in the Surgery department and the immediate positive feedback from medical staff raised a wave of interest in other wards, which helped speed up the rollout to the rest of the hospital.
In the next stage, Self-Service Password Reset was introduced: users can reset a forgotten password or PIN themselves without contacting the Helpdesk. The availability of the solution has also been increased: a third Imprivata OneSign server now runs in the MS Azure cloud, which makes the solution resistant to a failure of the entire on-premises data center.
The plan for the following stages includes the deployment of Imprivata Mobile Device Access (MDA) to access patient records from Android mobile devices. In addition, the Imprivata solution is gradually being expanded for specific areas of use, such as tablets in operating rooms.
- Imprivata OneSign®
- Imprivata Contactless Readers for Mifare® cards