Healthcare Solutions Using Novell SecureLogin and Novell Modular Authentication Service

Jason Hart (jason.hart@protocom.cc)
Bob Bentley (bbentley@novell.com)


Abstract

Healthcare organizations face many technology challenges today, ranging from tight IT budgets to HIPAA regulations. In this session, learn how healthcare organizations around the world have addressed these challenges using Novell SecureLogin (NSL) single sign-on and Novell Modular Authentication Services (NMAS).

Agenda

- Novell SecureLogin and NMAS in Healthcare
  - Business challenges: password pandemonium
  - Healthcare-specific challenges
  - SecureLogin and NMAS in Healthcare
  - Typical project: timeline, costs and things to watch out for
- Demonstration
  - Integrated smartcard and back-office environment
  - Roaming nurse using a shared PC

Authentication and Password Management Challenges

Password Administration Challenge

Simplify and secure the helpdesk environment.
- Many analysts report that the top issue reported to most corporate helpdesks is the need to reset a user's password across one or more systems.
- Systems that are not controlled centrally require complex interaction between helpdesks, e.g. the internal and external helpdesks of different systems such as external B2B providers, or the mainframe helpdesk versus the Unix helpdesk.
- Help desk frustration: repetitive work.
- Normally insecure when handled through a call center.
- Poor security compliance.

Industry estimates indicate that the average password reset has an associated combined administrator/user cost of 10 minutes per event. By introducing a mechanism that improves the likelihood of users remembering their passwords, an annual administrative saving can be realized. Using an average salary of $20 per hour, annual administrative savings can be calculated as:

  Yearly corporate resets x 0.167 hours/event x $20/hour

Password Management Problems: Help Desk and Administration Costs

Did you know...
- HIPAA, Title II requires "Administrative Simplification" and positive user identification.
- Each time an end user calls the Help Desk, it costs the organization $25 to $50 (Giga).
- Annually, organizations spend $200-$300 per user on password management (Hurwitz Group; IDC).
- Annual Help Desk time spent managing passwords for an average 5,000-user organization with:
  - 4-8 applications: 4,150 hours
  - over 20 applications: 10,700 hours

User Productivity Challenge

How do you turn password pandemonium into password bliss?
- End users use the same passwords across multiple systems.
- They use passwords that may not change for years and are the same inside and outside your company.
- We all forget passwords.
- Simplify and secure the user's environment.
- Many analysts report that the top issue reported to most corporate helpdesks is the need to reset a user's password across one or more systems.
- A typical user spends 44 hours a year just logging into applications.
- Systems that are not controlled centrally require complex interaction between helpdesks.
- Post-it note security: poor security compliance.

Productivity challenges: annual productivity savings can be computed as

  (0.25 hours/week) x (48 business weeks/year) x ($20/hour salary) x (number of staff)

Password Management Problem: End-User Productivity

Did you know...
- The average user spends 44 hours per year performing multiple login tasks to access 4 applications (Hurwitz Group).
- A 5,000-user organization loses 1,479 hours of productive time per month getting help with passwords (IDC).
- Over 70% of users have password problems at least monthly (IDC).
- Streamlined access is a competitive advantage.

Password Management Problem: What About Data Security?

- The cost of litigation, private and government
- The cost of lost customer confidence
- The cost of being offline
- The cost of lost profits

HIPAA and Privacy Legislation

The Health Insurance Portability and Accountability Act of 1996, Title II, includes a section requiring "Administrative Simplification": security standards protecting the confidentiality and integrity of "individually identifiable health information", past, present or future.

Portions of "A HIPAA Checklist - Information Security"

- Ensure that users of electronic health information have unique access codes which can positively and reliably identify the user.
- Ensure that each user's access is restricted to the information needed to do his or her job.
- Ensure that system managers, network managers and programmers do not have unlimited and unrecorded access to patient information.

Healthcare: Unique Authentication Challenges

Hospital environments are among the most diverse, with unique requirements for each discipline and business area:
- Admissions: streamline the registration process for a previous client.
- Back office: administration.
- Surgery: sterile, masks, gloves, high pressure.
- ER: gloves, high pressure.
- Wards: shared computers, gloves, much data entry.
- Lab: gloves, data entry.
- Radiology: EM-filtered equipment.

Healthcare: Unique Challenges

- Mobile medical staff: regional and temporary clinics.
- Technology challenges: limited budgets and resources; Citrix and Terminal Server; physical space on desktops; mobile devices.
- IT often viewed as a 'second-class citizen'.
- Need for life/death emergency "break the glass" IT systems.

What is Novell SecureLogin and NMAS?

- Industry-leading authentication and password management solution
  - World's best single sign-on; #1 market share leader (IDC)
- Industry-leading advanced authentication infrastructure
  - Over 30 NMAS hardware providers
  - Open and secure framework
- Key part of the Secure Access Suite: SecureLogin and NMAS plus
  - Web portal single sign-on (iChain)
  - Password redirection (NDS/AS)

The suite includes multiple methods of solving customers' password management problems. Every customer is different, and their password management needs are different. The Secure Access suite enables a customer to choose one or more password management solutions that suit their business needs without having to re-engineer business processes to suit a specific password management solution.

NSL/NMAS for Healthcare

- Exceeds HIPAA security requirements for user authentication.
- Enables consistent password policy compliance across all systems.
- Eliminates the security weaknesses of passwords shared with internal and external systems.
- Significantly increases security by eliminating password sniffing.
- Eliminates helpdesk password management.
- Flexible: works in all disciplines of healthcare.

NSL/NMAS for Healthcare

- Built-in support for healthcare applications.
- Graded access to the network filesystem.
- Graded access to Windows, mainframe, Internet and Unix applications.
- Graded transaction access on the mainframe available.
- Promotes a common security architecture around the directory.
- Built to work with all major healthcare applications.
- Supports unique healthcare environmental challenges.

Holistic Approach

The Novell Secure Access suite is a holistic approach to all major authentication and password management requirements. With SecureAccess, which includes SecureLogin, you are not locked into one specific password management methodology or technology, because SecureAccess includes five different password management technologies:
- Single sign-on
- Advanced authentication
- Password synchronization
- Portal single sign-on
- Password redirection

It provides an open and flexible approach to solving all major password management issues while providing the highest return on investment of any solution. This is why Novell is the recognised leader in password management.

How it Works: Login Experience - Before NSL

Parties: client workstation and application server.
1) Launch application
2) Credential challenge from the application server
3) User provides credentials (Login ID: frank, Password: *******)
4) Application starts

How it Works: Login Experience - With NSL/NMAS

Parties: client workstation, application server and Novell eDirectory.
1) Authenticate to eDirectory with biometric, password, token, etc.
2) Launch application
3) Credential challenge from the application server (Login ID / Password)
4) NSL requests the secret from eDirectory
5) NSL receives the secret from eDirectory and supplies it to the application
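The five-step flow above, as a small Python simulation added here for illustration. It is not Novell's code and does not model the real NSL/eDirectory wire protocol: the three classes (AppServer, Directory, SsoAgent), their method names, and the constructed sample user "frank", application "HIS" and credential strings are all assumptions made for the example. It first runs the "before" case (the user types the application password), then steps 1-5 with the application secret released only to a live directory session, and adds two behaviours the deck lists as benefits: rotating the application password to a random value the user never sees, and closing the session when the smartcard is removed, as in the shared-PC demonstration.

```python
import hashlib
import hmac
import os
import secrets

def _hash_pw(password, salt):
    # Salted PBKDF2-SHA256; neither the application nor the directory keeps cleartext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AppServer:
    def __init__(self):
        self._users = {}  # login_id -> (salt, digest); the app's own password database

    def set_password(self, login_id, password):
        salt = os.urandom(16)
        self._users[login_id] = (salt, _hash_pw(password, salt))

    def login(self, login_id, password):
        record = self._users.get(login_id)
        return record is not None and hmac.compare_digest(_hash_pw(password, record[0]), record[1])

class Directory:
    def __init__(self):
        self._primary = {}   # user -> (salt, digest) of the primary factor
        self._secrets = {}   # user -> {app_name: (login_id, password)}
        self._sessions = {}  # session token -> user

    def enrol(self, user, primary_factor):
        salt = os.urandom(16)
        self._primary[user] = (salt, _hash_pw(primary_factor, salt))

    def authenticate(self, user, primary_factor):
        # Step 1: one strong login to the directory; returns a session token or None.
        record = self._primary.get(user)
        if record is None or not hmac.compare_digest(_hash_pw(primary_factor, record[0]), record[1]):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def store_secret(self, token, app_name, login_id, password):
        user = self._sessions.get(token)
        if user is None:
            return False
        self._secrets.setdefault(user, {})[app_name] = (login_id, password)
        return True

    def get_secret(self, token, app_name):
        # Step 4: released only to a live session, and only that user's own secret.
        user = self._sessions.get(token)
        return None if user is None else self._secrets.get(user, {}).get(app_name)

    def logout(self, token):
        self._sessions.pop(token, None)

class SsoAgent:
    def __init__(self, directory):
        self.directory = directory
        self.token = None

    def primary_login(self, user, primary_factor):
        self.token = self.directory.authenticate(user, primary_factor)
        return self.token is not None

    def card_removed(self):
        self.directory.logout(self.token)
        self.token = None

    def open_app(self, app, app_name):
        # Steps 2-5: launch, receive the challenge, fetch the secret, supply it.
        secret = self.directory.get_secret(self.token, app_name)
        return secret is not None and app.login(*secret)

    def rotate_app_password(self, app, app_name):
        # Replace the user-chosen application password with one the user never sees.
        secret = self.directory.get_secret(self.token, app_name)
        if secret is None:
            return False
        new_password = secrets.token_urlsafe(24)
        app.set_password(secret[0], new_password)  # stands in for the app's change-password dialog
        return self.directory.store_secret(self.token, app_name, secret[0], new_password)

def run_demo():
    his = AppServer()
    his.set_password("frank", "Summer2003")    # constructed: a weak, user-chosen password
    directory = Directory()
    directory.enrol("frank", "card+PIN 1234")  # constructed: smartcard and PIN as one factor
    agent = SsoAgent(directory)
    out = {"before_nsl_user_types_password": his.login("frank", "Summer2003")}
    out["bad_primary_factor"] = agent.primary_login("frank", "card+PIN 0000")
    out["primary_login"] = agent.primary_login("frank", "card+PIN 1234")
    directory.store_secret(agent.token, "HIS", "frank", "Summer2003")  # one-time enrolment
    out["sso_login"] = agent.open_app(his, "HIS")
    out["rotated"] = agent.rotate_app_password(his, "HIS")
    out["old_password_rejected"] = his.login("frank", "Summer2003")
    out["sso_login_after_rotation"] = agent.open_app(his, "HIS")
    agent.card_removed()
    out["after_card_removed"] = agent.open_app(his, "HIS")
    return out
```

Running run_demo() shows the two points the slides make: the application never learns anything about the user's primary factor, and once the session is closed (card removed) the agent can no longer obtain any application secret, so the next PC requires a fresh step 1.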

Do I need SecureLogin?

The problem for healthcare:
- Increasing help desk support costs; help desk overload
- Concerns about protecting information
- Increased user authentication and security requirements with HIPAA

The problem for end users:
- Too many IDs and passwords
- Too much employee downtime because of password problems
- Fast access to information

The typical target audience for SecureLogin consists of medium to large organizations with a significant IT infrastructure. The easiest sale is to companies where NDS is already installed. The question "How many passwords do you have?" gets a universal response: too many. End-user customers are frustrated by the proliferation of passwords and the requirement put on them to set hard-to-guess passwords, and then remember them without recording them somewhere. Similarly, ask any IT professional how his users handle passwords, and you'll inevitably hear some amazing war stories about people sharing passwords, taping a password cheat sheet to their monitor, etc. IT professionals are tired of dealing with users forgetting their passwords and having to reset them. They're weary of the effort and the cost. Look for good SecureLogin prospects among government, financial, health care, utility and academic accounts. Most organizations have not implemented single sign-on technology.

Overview of typical implementation

Regional Hospital

- Main hospital with remote doctors' offices across varying-speed links.
- 15 NetWare file servers.
- 3 UNIX machines running the HIS.
- Windows 95 and W2K corporate desktop.
- Client/server HIS.
- Reflection for Unix v5 as the primary emulator.
- Citrix-based applications for remote offices.

High-level requirements

- Wanted to increase the level of user authentication for legislative requirements.
- Diverse environment with different requirements between disciplines within the hospital, in addition to external users.
- Had a shared-PC environment, and medical staff typically did not log out and shared their IDs.
- Needed to increase security for mobile medical staff.
- Wanted to use the productivity and helpdesk savings resulting from single sign-on to fund the initial project and ongoing support.

Case Study - Client with 2000 Users

Costs
  Software                           $140,000
  Project management and consulting  $150,000
  Ongoing consulting and training     $30,000
  Ongoing maintenance                 $21,000

Return on investment (yearly)
  Helpdesk savings ($90 per user)    $180,000
  User productivity ($110 per user)  $220,000
  -------------------------------------------
  Annual saving                      $400,000
  Ongoing services                   $(51,000)
  1st year savings                    $89,000
  2nd year savings                   $349,000

Typical Project: Project Management

Making single sign-on work is about 10% technology and 90% project management.
- Prepare business case with ROI.
- Analyze business and user requirements and document system constraints:
  - User groups, including unions
  - Which applications
  - Current application limitations
  - How users access the system: wards, surgery, back office, etc.
  - What the business expects from the system (what the project's performance will be measured against)
- System architecture and design documentation based on requirements.

Typical Project: Consulting

- Determine requirements for each application: login rules, change password, invalid password processing, etc.
- Review disaster recovery plan; tape backup strategy.
- Develop software release process.
- Establish test environment.
- Develop performance guidelines and milestones.
- Develop return on investment milestones.
- Implementation plan: test cut-down plan with a pilot
  - 2 users at each business unit
  - one application per business unit
  - big bang?

Typical Project: Consulting (cont.)

- Training.
- Software distribution.
- Process changes.
- System maintenance: most businesses evolve, and so does the infrastructure and the need to periodically review the system.
- Measuring the ROI.
- Security review of applications and infrastructure: generic accounts (RCONSOLE, routers, physical security systems, etc.).
- Test and pilot system.
- Training: end users, helpdesk, system designers, in-house application developers, security and auditing staff.
- Software distribution.
- Post-implementation: ongoing helpdesk training.

How long should it take?

It will differ for each organization, but plan on at least 1-24 months (depending on the complexity, number of systems, size of the organization and management acceptance).

Implementation Time Guides

  1-1000 users      1-4 months
  1000-2000 users   6 months
  2000+ users       6-24 months

Generic Time Line (timeline figure; phases shown: Requirements, Training/Implementation, Changes, Project Definition, Design/Eval/Plan, Support)

Things to avoid

- Not every application is suitable or cost-effective for single sign-on.
- Not every part of the organization will be able to use advanced authentication in every scenario ('emergency break the glass').
- Duplication of systems and data.
- Big bang is simply not a good option: roll out applications in sets.
- Over-extending your infrastructure: the system must be reliable.
- Don't be locked in: all organizations' environments change, and you need flexibility.

Things to do

- Make sure you have high-level organizational support.
- Have a backout strategy as the #1 design goal.
- Secure funding for ongoing support of new product updates and new corporate applications.
- Partner with one or more SSO specialist companies; it will save you time and frustration.
- It is essential to have the helpdesk and applications areas fully trained and using the product every day.

Implementation/Ongoing Challenges

- Training a large group of users.
- Determining requirements and expectations for each application up front.
- Application consistency.
- Disaster recovery strategy ('break glass' scenario).
- Constantly changing environment.
- Staff and helpdesk changes.
- Coping with user momentum for SSO to other applications.

Summary

- Vastly reduce help desk costs due to password resets.
- Improve network security and meet legislative authentication requirements, absolutely and consistently.
- Significantly enhance end-user productivity and satisfaction.
- Improve competitiveness and technological advantage.
- Massive return on investment: helpdesk staff savings.
- Quality and satisfaction gains: increased security with reduced load on the user; user satisfaction; helpdesk performance; simplified infrastructure.
- External compliance: external audits by bank supervision, HIPAA, government regulations; establishing appropriate evidence to prosecute internal hackers.
- Fewer security breaches: internal hacking, redundant staff.
- Improved security policy compliance: eliminate weak passwords; no written-down passwords; no duplicate passwords across multiple internal and external systems.

Demonstration

Demonstration

DEMO 1 - Back-office user logging on to eDirectory
- Smartcard and password: very strong user identification.
- No more passwords for Internet, mainframe and other HIS applications.

DEMO 2 - Nurse in a shared-PC environment
- Nurse inserts smartcard with PIN and is taken to their healthcare applications with no further passwords.
- Nurse removes smartcard and the desktop is closed.
- Nurse moves to the next PC, re-inserts the card and is taken back to their applications.