Page 1

Single Sign-on for Healthcare

Catherine Waldron, Novell Field Sales Executive
Gabriel Waters, Carefx Channel Director

Page 2

© March 9, 2004 Novell Inc.

The Healthcare Security Problem

A Multitude of Applications and Access Points
ICU, Labs, Pharmacy, X-Ray, Billing, Scheduling… Kiosks in hospitals and clinics, personal workstations in offices and homes

Patient Safety
Administration of user ids, passwords, and access across so many applications with such a complex user population is a challenge.

Users Need Easy and Quick Access
Physicians particularly will not use computerized systems otherwise. Multiple user ids and passwords create security problems and cost time.

HIPAA Regulations
As many as 150 people including doctors, nurses, x-ray technicians and billing clerks have access to a patient’s medical record. Access must be secure and audited.

Page 3

Secure Identity Management

User Complexity – Multiple IDs and passwords

Page 4

The Business Case

“Password management products provide a high, easily demonstrated return on investment (ROI) and meet various business goals, including user convenience, system security and reduced IT or help desk overhead.” (Giga, May 2002)

• A quantifiable ROI can be achieved with Secure Identity Management and CCOW.

• Addresses the HIPAA requirements and minimizes the regulatory impact.

Page 5

Solution Set

Healthcare Security – Identity Management

User Management
• Users
• Roles
• Security Policies
• Centralized admin

Auditing
• Patient Record Access
• User management

Application Management
• Web model where possible
• Desktop mgmt (ZenWorks)

Single Sign-On
• API-Integrated (Carefx)
• Automated (Novell)
• Firewall issues (iChain)

Page 6

Achieving single sign-on

CCOW-enabled applications provide the single sign-on and context management, but require the application to be CCOW-enabled, which may not make sense for all applications.

Single sign-on products provide single sign-on to legacy applications, but aren’t CCOW aware.

Until now …

Page 7

The Novell® & Carefx solution – Providing single sign-on to health care

By bringing together enterprise single sign-on and the context management, organizations can have single sign-on to all their applications.

Page 8

Novell and Carefx solution features

User logs in once
• User gets single sign-on to all CCOW and non-CCOW applications
• Fusion User Channel sets user context for CCOW applications
• Novell SecureLogin sets user context for non-CCOW applications

CCOW user authentication application
• Obtains user id from Novell Client™ for Windows (configurable)
• Or can obtain user id from Microsoft Windows™ login
• Leverages familiar Windows and Novell login

Page 9

How we enable single sign-on

Novell SecureLogin for enterprise applications
• Web
• Windows
• Terminal server/Citrix
• Host/Terminal Emulator-based
• Java applications and applets based on Swing and AWT

Carefx Fusion User Channel
• CCOW enabled applications

Page 10

How it works: Login experience – before NSL

[Diagram: Client Workstation and Application Server, numbered steps]

1. Launch application
2. Credential challenge
3. Provide credentials / Log-in
4. Application starts

Page 11

How it works: Login experience – with NSL

[Diagram: Client Workstation, Directory and Application Server, numbered steps]

1. Authenticate to eDirectory
2. SecureLogin retrieves credentials from directory
3. Launch application
4. Credential challenge
5. NSL presents credentials to application

Page 12

Management of unique credentials

Does this mean I have one userid and password for all the applications that a user may access?
• No, Novell SecureLogin manages a unique set of credentials for each application the user accesses
• Passwords are not synchronized, allowing the enforcement of a password policy specific to each application
• One userid and password is used to authenticate to the directory and the user’s credential store

Page 13

How does Novell SecureLogin defend against the rogue administrator?

Defends against the rogue administrator
• When a user’s eDirectory password is reset, access to the application secrets is locked
• The user must provide a pass phrase answer to gain access to the secrets, or
• SecretStore administrator can unlock passwords
• If an administrator were to try to copy a user’s secret to another user object, the secrets are locked
• Credentials are encrypted with 168-bit 3DES encryption with a unique key for each credential
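The slide above lists properties of the credential store rather than a design, and the "with NSL" flow two slides earlier shows the store answering each application's credential challenge. The Python model below is an added example, not Novell SecureLogin or SecretStore code, that shows how those properties can fit together: every credential gets its own key, those keys are wrapped under a master key that is itself wrapped under the directory password and, separately, under the pass phrase answer, so an administrator who resets the directory password cannot open the secrets, the user can recover them with the pass phrase, and a record copied to another user object fails its integrity check. The cipher (an HMAC-SHA256 keystream standing in for 3DES), the PBKDF2 parameters, the user DNs, application names and every class and method name are assumptions made for the example.

```python
"""Model of a per-application credential store: unique key per credential,
lockout on administrative password reset, pass phrase recovery, and records
bound to their user object. Added example, not Novell code; cipher, KDF
parameters and all names are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class StoreLocked(Exception):
    """The secrets cannot be opened: password reset, wrong key, or copied record."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy symmetric cipher: XOR with an HMAC-SHA256 counter keystream. It stands
    # in for the product's 3DES so the example needs no third-party library.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def _kek(secret: str, salt: bytes) -> bytes:
    # Key-encryption key derived from something only the user knows.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _wrap(kek: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(kek, nonce, key)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()   # detects a wrong KEK
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, nonce + ct, hashlib.sha256).digest(), tag):
        raise StoreLocked("wrong key for this wrap")
    return _keystream_xor(kek, nonce, ct)


@dataclass
class CredentialRecord:
    owner_dn: str        # user object the secret belongs to
    app: str
    wrapped_key: bytes   # per-credential key, wrapped under the store's master key
    nonce: bytes
    ciphertext: bytes    # username and application password under the credential key
    tag: bytes           # binds owner_dn, app and ciphertext together


class SecretStore:
    def __init__(self, user_dn: str, directory_password: str, passphrase_answer: str):
        self.user_dn = user_dn
        master = secrets.token_bytes(32)   # never stored; only its two wraps are kept
        self._pw_salt, self._pp_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._pw_wrap = _wrap(_kek(directory_password, self._pw_salt), master)
        self._pp_wrap = _wrap(_kek(passphrase_answer, self._pp_salt), master)
        self.records: dict[str, CredentialRecord] = {}
        self.locked = False

    def _master(self, directory_password: str) -> bytes:
        if self.locked:
            raise StoreLocked("locked after password reset; unlock with pass phrase or admin")
        return _unwrap(_kek(directory_password, self._pw_salt), self._pw_wrap)

    def _bind(self, key: bytes, app: str, nonce: bytes, ct: bytes) -> bytes:
        msg = b"|".join([self.user_dn.encode(), app.encode(), nonce, ct])
        return hmac.new(key, msg, hashlib.sha256).digest()

    def add_credential(self, directory_password: str, app: str, username: str, app_password: str) -> None:
        master = self._master(directory_password)
        cred_key = secrets.token_bytes(32)            # unique key for this one credential
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(cred_key, nonce, f"{username}\x00{app_password}".encode())
        self.records[app] = CredentialRecord(self.user_dn, app, _wrap(master, cred_key),
                                             nonce, ct, self._bind(cred_key, app, nonce, ct))

    def get_credential(self, directory_password: str, app: str) -> tuple[str, str]:
        """What the SSO client needs when an application raises its credential challenge."""
        master = self._master(directory_password)
        rec = self.records[app]
        cred_key = _unwrap(master, rec.wrapped_key)    # fails for a record copied from another user
        if not hmac.compare_digest(self._bind(cred_key, app, rec.nonce, rec.ciphertext), rec.tag):
            raise StoreLocked("record is bound to a different user object")
        username, app_password = _keystream_xor(cred_key, rec.nonce, rec.ciphertext).decode().split("\x00", 1)
        return username, app_password

    def admin_reset_password(self) -> None:
        # The administrator sets a new directory password without knowing the old
        # one, so the password wrap of the master key is useless: the secrets lock.
        self._pw_wrap = None
        self.locked = True

    def unlock_with_passphrase(self, passphrase_answer: str, new_directory_password: str) -> None:
        master = _unwrap(_kek(passphrase_answer, self._pp_salt), self._pp_wrap)   # raises on a wrong answer
        self._pw_salt = secrets.token_bytes(16)
        self._pw_wrap = _wrap(_kek(new_directory_password, self._pw_salt), master)
        self.locked = False


def raises_locked(fn, *args) -> bool:
    """True when the call is refused with StoreLocked."""
    try:
        fn(*args)
        return False
    except StoreLocked:
        return True
```

The point to take from the model is the key hierarchy: the directory password protects a wrap of the master key, not the credentials themselves, so resetting it changes nothing the attacker can use, while the pass phrase wrap gives the legitimate user a second way in. A `SecretStore administrator` unlock, which the slide also mentions, would be a third wrap under an escrow key held by that role.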

Page 14

How does Novell SecureLogin prevent inappropriate access to applications?

Protects access to the applications

• When used with NMAS™, the AAVerify capability enables NSL to challenge for another authentication before SecureLogin will pass the credentials to the application

• Supports any combination of Novell Modular Authentication Service partner methods (biometric, smart card, token, digital certificate, proximity card, or password) for authentication

• Provides password policy enforcement

Page 15

With the Secure Workstation component of SecureLogin...

Secure Workstation
• Administrators can set up policy in the directory to secure the workstation
• Automatically locking the workstation based on a trigger such as
  • Inactivity
  • Proximity card removal
  • Smart card removal
  • Single click
• Automatically shut down applications, logout user, and present new login dialog for next user

Page 16

With the Quick Login/Logout GUI, users can...

Quick login/logout
• Login or out with a single event
  • Proximity card removal
  • Smart card removal
  • Single click
• Have applications automatically closed and the user logged out
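The two slides above describe a trigger policy (inactivity, card removal, single click) and what follows a trigger (close applications, log the user out, present the login dialog for the next user). The Python model below is an added example, not Novell SecureLogin code, that replays a constructed event stream against such a policy and returns the actions a workstation would take; it also handles the case that matters for audit, an inactivity deadline that passed before the next event arrived, by dating the lock at the deadline rather than at the moment it was noticed. Event kinds, policy fields, user names and the action vocabulary are assumptions made for the example.

```python
"""Model of a Secure Workstation lock policy with quick login/logout,
replayed over a constructed event stream. Added example, not Novell code;
event kinds, policy fields and action names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockPolicy:
    inactivity_seconds: int        # lock after this long without user input
    lock_on_card_removal: bool     # proximity card or smart card removed
    lock_on_single_click: bool     # user clicks the lock/logout control


def evaluate(policy: LockPolicy, events: list) -> list:
    """Replay (timestamp, kind, user) events; kinds are login, activity,
    card_removed, click and tick (timer poll). Returns the
    (timestamp, action, user) tuples the workstation performs."""
    actions = []
    user = None            # current session owner; None while the login dialog is up
    last_activity = None

    def lock(at: int, reason: str) -> None:
        nonlocal user, last_activity
        actions.append((at, f"lock:{reason}", user))
        actions.append((at, "close_apps_and_logout", user))   # graceful logoff from all applications
        actions.append((at, "present_login_dialog", None))
        user, last_activity = None, None

    for t, kind, who in sorted(events, key=lambda e: e[0]):
        # The inactivity deadline runs from the last input, so it may have passed
        # before this event arrived; the lock is dated at the deadline itself.
        if user is not None and t >= last_activity + policy.inactivity_seconds:
            lock(last_activity + policy.inactivity_seconds, "inactivity")
        if kind == "login":
            if user is not None and who != user:
                actions.append((t, "close_apps_and_logout", user))   # single event: previous user out
            user, last_activity = who, t
            actions.append((t, "login", who))
        elif user is None:
            continue               # no session: input and card events belong to the login dialog
        elif kind == "activity":
            last_activity = t
        elif kind == "card_removed" and policy.lock_on_card_removal:
            lock(t, "card_removed")
        elif kind == "click" and policy.lock_on_single_click:
            lock(t, "single_click")
        # ticks and disabled triggers only drive the deadline check above
    return actions


# Constructed event stream (seconds since workstation boot), not captured data.
EVENTS = [
    (0, "login", "kevin"), (100, "activity", "kevin"), (250, "card_removed", "kevin"),
    (260, "login", "maria"), (300, "activity", "maria"), (700, "tick", None),
    (710, "login", "kevin"), (800, "login", "maria"), (1000, "click", "maria"),
]

if __name__ == "__main__":
    for action in evaluate(LockPolicy(300, True, True), EVENTS):
        print(action)
```

With the policy in the usage block, the replay locks Kevin's session at 250 on card removal, locks Maria's at 600 (her last input was at 300, the tick at 700 only notices it), and at 800 logs Kevin out and Maria in as one event.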

Page 17

Clinical Context Object Workgroup (API-Integrated Single Sign-On)

Health Level 7 (HL7) Standard (ISO Organization)

Context Management Architecture
Synchronize participating applications at the point of use by establishing a common clinical context
• The user accessing the applications
• The patient whose data the user is accessing
• A particular encounter the user is accessing
• Other relevant clinical ‘subjects’

The application must be ‘CCOW-enabled’

Page 18

Carefx Context Manager

Carefx provides a context manager implementing the HL7 CCOW standard that

• Synchronizes diverse applications around a common clinical desktop context

• Enables users to control the context creating a patient-centered, user-driven clinical workspace

• Coordinates fat client, Citrix/WTS, and web-based applications on the same desktop

• Provides single sign-on and common patient selection to CCOW-enabled applications

Page 19

Fusion User Channel user experience

1. Kevin’s Windows desktop appears.
2. Kevin starts NorthMed-Labs. Kevin’s user id is already set.

Page 20

Fusion User Channel client setup

Fusion User Channel (Fuser) shortcut is installed in Startup Folder for All Users.

At Windows login time, Fusion User Channel starts, locates the context manager, joins the context and sets the user to the Novell login id.

Fusion User Channel is installed on each client desktop.

Page 21

Setup

Login script edited to start Fusion User Channel Sync (FuserSync) when a Novell login occurs. This program will notify Fusion User Channel of the login event.

ConsoleOne is used to set up the Novell login script for users.

Page 22

API-Integrated Single Sign-On With Carefx’s Context Manager (CCOW Standard)

• Login to 1 app, no login prompt for other apps
• No script necessary
• Applications must be CCOW enabled (to talk to Context Manager)
• Applications can switch to new user on the fly
• HL7 Standards based (Clinical Context Object Workgroup)

[Diagram: Client Workstation and Context Manager, numbered steps]

1. Launch application
2. Application obtains user id from context manager
3. A new user logs in, all applications switch to new user.
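The CCOW slides (the context management architecture, the Carefx Context Manager, the Fusion User Channel walkthrough and the API-integrated flow above) describe the behaviour but not the mechanics of a shared desktop context. The Python model below is an added example, not Carefx Fusion or HL7 reference code, that shows the pieces working together: a user-channel participant sets the user after login, an application that joins later reads the user instead of prompting, a patient selection made in one application reaches the others, and a new login switches every participant. Its shape follows the CCOW change-transaction idea (survey the participants, then commit or cancel); the class names, the survey vocabulary, the rule that a user change drops the previous patient selection, and the sample user and patient identifiers are assumptions made for the example.

```python
"""Model of CCOW-style context management on one desktop: join, survey,
commit, late joiners and user switching. Added example, not Carefx code;
names, the survey vocabulary and the patient-clearing rule are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

USER = "User.Id.Logon"        # CCOW context item names used by this model
PATIENT = "Patient.Id.MRN"


@dataclass
class Participant:
    name: str
    context: dict = field(default_factory=dict)   # this application's view of the shared context
    busy: bool = False                            # unsaved work: would rather not switch now
    switches: list = field(default_factory=list)  # users this application has switched to

    def survey(self, proposed: dict) -> str:
        # Every participant is asked before a change is committed; a busy one
        # answers "conditionally_accept", which the manager treats as an objection.
        return "conditionally_accept" if self.busy else "accept"

    def apply(self, new_context: dict) -> None:
        if new_context.get(USER) != self.context.get(USER):
            self.switches.append(new_context.get(USER))
        self.context = dict(new_context)


class ContextManager:
    def __init__(self):
        self.context: dict = {}
        self.participants: list[Participant] = []

    def join(self, p: Participant) -> None:
        self.participants.append(p)
        p.apply(self.context)   # a late joiner picks up the current user and patient

    def set_context(self, instigator, changes: dict, force: bool = False) -> bool:
        """Change transaction: survey the other participants, then commit or cancel.
        Returns True when the change was committed."""
        proposed = dict(self.context)
        if changes.get(USER) not in (None, proposed.get(USER)):
            # Design choice of this model: a different user must not inherit the
            # previous user's patient selection, so Patient.* items are dropped.
            proposed = {k: v for k, v in proposed.items() if not k.startswith("Patient.")}
        proposed.update(changes)
        objections = [p.name for p in self.participants
                      if p is not instigator and p.survey(proposed) != "accept"]
        if objections and not force:
            return False        # cancelled; the instigator would show the objections to the user
        self.context = proposed
        for p in self.participants:
            p.apply(self.context)
        return True

    def user_login(self, logon_id: str, force: bool = False) -> bool:
        """What the user channel does when a Novell or Windows login occurs."""
        return self.set_context(None, {USER: logon_id}, force)

    def user_logout(self) -> None:
        """Quick logout: clear the whole context so every participant drops the user."""
        self.context = {}
        for p in self.participants:
            p.apply(self.context)


def walkthrough() -> ContextManager:
    """The slides' scenario: Kevin logs in, starts Labs, and selects a patient."""
    cm = ContextManager()
    user_channel = Participant("Fusion User Channel")
    cm.join(user_channel)
    cm.user_login("kevin")                          # set at login time, before any app starts
    labs = Participant("NorthMed-Labs")
    cm.join(labs)                                   # Kevin's user id is already set
    cm.set_context(labs, {PATIENT: "MRN-000123"})   # patient selected in Labs reaches everyone
    return cm


if __name__ == "__main__":
    cm = walkthrough()
    print({p.name: p.context for p in cm.participants})
```

The survey step is the part worth keeping in mind when evaluating an on-the-fly user switch: a participant with unsaved work can object, and the manager must either cancel or, when the caller forces the change, commit anyway and let the participant clean up.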

Page 23

Automated Single Sign-On With Novell Secure Login (NSL)

• Must create single sign-on script for each application
• Suitable for legacy applications that will not be upgraded

[Diagram: Client Workstation and Directory, numbered steps]

1. Launch application
2. Credential challenge
3. NSL retrieves credentials from directory
4. NSL fills in credentials

Page 24

Mixed Single Sign-on Solution

• Mixed environment of automated and API-integrated single sign-on apps
• Combines Novell and Carefx technologies

[Diagram: Client Workstation, Directory and Context Manager, numbered steps]

1. User logs in to Directory and user id is sent to Context Manager
2a. User launches an automated single sign-on app, NSL fills in credentials
2b. User launches an API-integrated single sign-on app, app fetches user id from Context Manager

Page 25

Novell/Carefx architecture

[Diagram: three layers]

Authentication: Novell iChain, Novell SecureLogin, Novell Modular Authentication Service

Applications & Context Management: Browser-based apps; Carefx User Channel; CCOW app; Carefx Context Manager; Non-CCOW Web, Win32, Citrix/TS, and host-based apps

Provisioning: Novell Nsure Resources/DirXML

Page 26

Fusion Architecture With Novell SSO

[Diagram: components and interfaces]

• Novell eDirectory™ (LDAP)
• Fusion Context Server (CCOW Context Manager), with CM-Proxy and CM-Director
• Fusion User Channel (CCOW I/F, Novell I/F): obtains the Novell login through system calls. Sets the user context.
• Fusion User Channel Sync: executes when Novell login occurs and notifies Fusion User Channel.
• Client Box: Web App and Win32 App, each with a CCOW I/F
• Transports: COM, Http, NDS/LDAP

Page 27

Novell Single Sign-on Architecture

[Diagram: components]

• Directory Server: Corporate Scripts, Password Policies, User Scripts, User Credentials
• SecureLogin Client: Main Module, TLaunch, Notes, Script Engine, WinSSO, WebSSO, Fusion User Channel, Local cache
• iChain® Proxy between the Browser and Web Server 1, Web Server 2, Web Server 3
• Context Manager: User and Patient Context, Fusion CM Director

Page 28

Why Carefx and Novell? Experience

Domain Knowledge
• Healthcare Information Systems
• 100+ collective years of experience in the health care industry

Understanding of Clinical Environment
• A common goal of designing solutions that help clinicians navigate more easily and securely to their applications and data
• Market focused solution

Breadth of Solutions
• Secure Access Solution to network and applications
• Portal Infrastructure --- Real-time access to specific patient information
• Partners with the leading HIT and access vendors

Page 29

Why Carefx and Novell? Experience

Implementation Success
• Carefx and Novell will work with you to ensure a successful implementation
• Carefx assigns project managers whose sole responsibility it is to see that the project is a success
• Strong client references

Partnerships
• Strong partnerships with key vendors

Page 30

Why Carefx and Novell? Features

Improved End-User Experience
• Graceful logoff allows automated or single event-trigger logout of a user from all applications, leveraging each application’s native mechanism

Application Support
• Novell’s maturity as a single sign-on vendor results in application support that surpasses the competition’s
  ‐ Supports more terminal emulators, Java applications, Win32, and web applications
  ‐ Has provided single sign-on to more applications than the competition
  ‐ Supports complex application characteristics such as combo boxes, drop down lists, radio buttons, and menu items
  ‐ Supports recognition of multiple and/or subsequent events within an application

Page 31

Why Carefx and Novell? Architecture

Directory integration
• The competition requires a separate identity store, apart from your existing directory infrastructure
  ‐ All the directory design must be recreated for a proprietary directory that is far inferior to the leading directories on the market
  ‐ Multi-master replicas
  ‐ Partitioning
• Carefx and Novell use your existing LDAP directory
  ‐ Allows your organization to leverage a best of breed directory

Citrix/Netilla/Terminal Server
• For those environments where a workstation can’t have client software and must provide access to the Citrix/Terminal Server environment
  ‐ The competition requires software on the client
  ‐ Carefx and Novell can provide full functionality in the Citrix environment without software on the client
  ‐ Roaming sessions

Hardware
• Carefx and Novell are flexible with hardware requirements and support most server class hardware configurations

Page 32

Why Carefx and Novell? Architecture

Context Management Performance
• The competition’s architecture requires that all communication with the context manager go through the primary server
  ‐ This has proven to be a bottleneck for customers
  ‐ Creates a single point of failure
• The Carefx architecture allows clients to communicate with any available context manager

Scalability
• The competition’s architecture only supports vertical scaling
  ‐ Adding bigger servers
• The Carefx and Novell architecture supports vertical AND horizontal scaling
  ‐ Adding bigger and more servers

Fault Tolerance
• If one of the competitor’s servers goes down, a standby/hot swap server must be manually booted
• If a Carefx or Novell server goes down, clients will automatically be redirected to other servers online

Page 33

Why Carefx and Novell? Architecture

Administration
• The competition’s architecture requires the administrator to connect to the client device to configure it
• Carefx and Novell can provide automatic upgrades to client workstations and will work with the leading application delivery vendors

Client Impact
• The competition requires that their client and GINA be installed on the desktop in order to provide single sign-on to non-CCOW applications.
  ‐ No support for third party advanced authentication vendors
  ‐ All GINA-based services dependent on a standard client fail

Page 34

Question and Answer

Page 35

Page 36

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.