Implementation of a single sign-on system between practice, research and learning systems

 

 Permissions and Reprints

Summary

Background: Multiple specialized electronic medical systems are utilized in the health enterprise. Each of these systems has their own user management, authentication and authorization process, which makes it a complex web for navigation and use without a coherent process workflow. Users often have to remember multiple passwords, login/logout between systems that disrupt their clinical workflow. Challenges exist in managing permissions for various cadres of health care providers. Objectives: This case report describes our experience of implementing a single sign-on system, used between an electronic medical records system and a learning management system at a large academic institution with an informatics department responsible for student education and a medical school affiliated with a hospital system caring for patients and conducting research.

Methods: At our institution, we use OpenMRS for research registry tracking of interventional radiology patients as well as to provide access to medical records to students studying health informatics. To provide authentication across different users of the system with different permissions, we developed a Central Authentication Service (CAS) module for OpenMRS, released under the Mozilla Public License and deployed it for single sign-on across the academic enterprise. The module has been in implementation since August 2015 to present, and we assessed usability of the registry and education system before and after implementation of the CAS module. 54 students and 3 researchers were interviewed.

Results: The module authenticates users with appropriate privileges in the medical records system, providing secure access with minimal disruption to their workflow. No passwords requests were sent and users reported ease of use, with streamlined workflow.

Conclusions: The project demonstrates that enterprise-wide single sign-on systems should be used in healthcare to reduce complexity like “password hell”, improve usability and user navigation. We plan to extend this to work with other systems used in the health care enterprise.

• References

• 1 Meaningful Use Regulations | Policy Researchers & Implementers | HealthIT.gov [Internet].. [cited 2016 Dec 20]. Available from: https://www.healthit.gov/policy-researchers-implementers/meaningful-use-regulations
  PubMedGoogle Scholar
• 2 Niazkhani Z, Pirnejad H, Berg M, Aarts J. The impact of computerized provider order entry systems on in-patient clinical workflow: a literature review. J Am Med Inform Assoc JAMIA 2009; 16 (Suppl. 04) 539-549.
  CrossrefPubMedGoogle Scholar
• 3 Mazlan EM, Bath PA. Impact of health informatics implementation on clinical workflow: A review.. In: Proceedings of the World Congress on Engineering and Computer Science. 2012
  PubMedGoogle Scholar
• 4 Zheng K, Haftel HM, Hirschl RB, O’Reilly M, Hanauer DA. Quantifying the impact of health IT implementations on clinical workflow: a new methodological perspective. J Am Med Inform Assoc JAMIA 2010; 17 (Suppl. 04) 454-461.
  CrossrefPubMedGoogle Scholar
• 5 Jha AK, DesRoches CM, Campbell EG, Donelan K, Rao SR, Ferris TG, Shields A, Rosenbaum S, Blumenthal D. Use of Electronic Health Records in U.S. Hospitals. N Engl J Med 2009; 360 (Suppl. 16) 1628-1638.
  PubMedGoogle Scholar
• 6 D’Costa-Alphonso M-M, Lane M. The Adoption of Single Sign-On and Multifactor Authentication in Organisations - A Critical Evaluation Using TOE Framework. Issues Informing Sci Inf Technol 2010; 7: 161.
  PubMedGoogle Scholar
• 7 Furnell S. Authenticating ourselves: will we ever escape the password?. Netw Secur 2005; 2005 (Suppl. 03) 8-13.
  PubMedGoogle Scholar
• 8 Borycki E, Kushniruk A, Armstrong B, Joe R, Otto T. Integrating Electronic Health Records Into Health Professional and Health Informatics Education: A Continuum of Approaches. Acta Inform Medica 2010; 18 (Suppl. 01) 20.
  PubMedGoogle Scholar
• 9 Koppel R, Smith S, Blythe J, Kothari V. Workarounds to computer access in healthcare organizations: you want my password or a dead patient?. Stud Health Technol Inform 2015; 208: 215-220.
  PubMedGoogle Scholar
• 10 HL7 Standards Product Brief – HL7 Context Management Specification (CCOW). Version 1.6. [cited 2016 Dec 20]. Available from: http://www.hl7.org/implement/standards/product_brief.cfm?product_id=1
  PubMedGoogle Scholar
• 11 Oreku GS, Li J. End User Authentication (EUA) Model and Password for Security. J Organ End User Comput 2009; 21 (Suppl. 02) 28-43.
  CrossrefPubMedGoogle Scholar
• 12 Mykkänen J, Porrasmaa J, Rannanheimo J, Korpela M. A process for specifying integration for multi-tier applications in healthcare. Int J Med Inf 2003; 70 2-3 173-182.
  CrossrefPubMedGoogle Scholar
• 13 Maliki TE, Seigneur JM. A Survey of User-centric Identity Management Technologies.. In: The International Conference on Emerging Security Information, Systems, and Technologies (SECUREWARE 2007).. 2007 p. 12-7.
  PubMedGoogle Scholar
• 14 Sun S-T, Beznosov K. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems.. In ACM 2012 p. 378-390.
  PubMedGoogle Scholar
• 15 Halling TD, Douglas C. Hahn. Bringing interlibrary loan services under a single sign on umbrella. Libr Hi Tech 2013; 31 (Suppl. 01) 76-86.
  CrossrefPubMedGoogle Scholar
• 16 Birk P, Chao C-Y, Chung H, Mason C, Reddy K, Venkataramappa V, Riddlemoser D. System and method for secure network state management and single sign-on.. US20050154887 A1, 2005 [cited 2016 Oct 14]. Available from: http://www.google.com/patents/US20050154887
  PubMedGoogle Scholar
• 17 Dhamija R, Dusseault L. The seven flaws of identity management: Usability and security challenges. IEEE Secur Priv 2008; 6 (Suppl. 02) 24-29.
  PubMedGoogle Scholar
• 18 Hardt D. The OAuth 2.0 authorization framework.. 2012 [cited 2016 Dec 20]; Available from: http://tools.ietf.org/html/rfc6749%3E
  PubMedGoogle Scholar
• 19 Recordon D, Reed D. OpenID 2.0: A Platform for User-centric Identity Management.. In: Proceedings of the Second ACM Workshop on Digital Identity Management.. New York, NY, USA: ACM; 2006. [cited 2016 Dec 20]. p. 11-16. (DIM ’06). Available from: http://doi.acm.org/10.1145/1179529.1179532
  Google Scholar
• 20 Chinitz J. Single sign-on: Is it really possible?. Inf Syst Secur 2000; 9 (Suppl. 03) 1-14.
  PubMedGoogle Scholar
• 21 Manadhata PK, Wing JM. An Attack Surface Metric. IEEE Trans Softw Eng 2011; 37 (Suppl. 03) 371-386.
  CrossrefPubMedGoogle Scholar
• 22 OpenMRS Releases 2015 Annual Report | OpenMRS.. [cited 2016 Aug 18]. Available from: http://openmrs.org/2016/02/openmrs-releases-2015-annual-report
  PubMedGoogle Scholar
• 23 A Business Case for Single Sign On. Healthcare IT News.. 2011 [cited 2016 Dec 20]. Available from: http://www.healthcareitnews.com/blog/business-case-single-sign
  PubMedGoogle Scholar
• 24 Sun S-T, Pospisil E, Muslukhov I, Dindar N, Hawkey K, Beznosov K. Investigating Users’ Perspectives of Web Single Sign-On: Conceptual Gaps and Acceptance Model. ACM Trans Internet Technol 2013; 13 (Suppl. 01) 2:1-2:35.
  PubMedGoogle Scholar
• 25 Li Z, He W, Akhawe D, Song D. The emperor’s new password manager: Security analysis of web-based password managers.. In: 23rd USENIX Security Symposium (USENIX Security 14).. 2014 p. 465-479.
  PubMedGoogle Scholar
• 26 Hope P, Zhang X. Examining user satisfaction with single sign-on and computer application roaming within emergency departments. Health Informatics J 2015; 21 (Suppl. 02) 107-119.
  CrossrefPubMedGoogle Scholar

• Supplementary Material